Two factor authentication for Microsoft Windows Logon and RDP

Overview

The LoginTC Windows Logon and RDP Connector integrates natively with Windows Server and Windows Client operating systems to add two-factor authentication for both remote desktop and local logins.

If you would like to protect RD Web Access, see the LoginTC RD Web Access Connector.

If you would like to protect only your RD Gateway, without protecting RD Web Access, see the LoginTC RD Gateway with RADIUS Connector.

Subscription Requirement

Your organization requires the Business or Enterprise plan to use the LoginTC Windows Logon and RDP Connector. See the Pricing page for more information about subscription options.

User Experience

After entering the username and password, the user is shown a selection of second factor options. The user clicks a button to receive a LoginTC push notification, authenticates and is logged in.

System Requirements

Supported Windows Server versions:

  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Supported Windows Client versions:

  • Windows 8.1
  • Windows 10

Additional Requirements:

Create Application

Start by creating a LoginTC Application for your Windows Logon and RDP deployment. An Application represents a service (e.g. RDP access to your Windows infrastructure) that you want to protect with LoginTC.

Create a LoginTC Application in LoginTC Admin by following the Create Application steps.

If you have already created a LoginTC Application for your Windows Logon and RDP deployment, then you may skip this section and proceed to Installation.

Normalize Usernames

Windows usernames are in the form “CORP\john.doe”, while in the LoginTC Admin Panel it is generally more convenient to simply use “john.doe”.

Configure Normalize Usernames from the Domain settings by navigating to Domains > Your Domain > Settings.

Select Yes, Normalize Usernames, scroll down and click Update.

Windows Installer

Install the LoginTC Windows Logon and RDP Connector.

  1. Download the latest version of the LoginTC Windows Logon and RDP Connector.
  2. Run the installer file as a privileged administrator user.
  3. Press Next.
  4. Read the License Agreement and press Next if you accept the terms.
  5. Change the LoginTC API Host only if you have a private enterprise LoginTC deployment. Press Next.
  6. Enter your LoginTC Application ID and Application API Key. These values are found in your LoginTC Admin Panel (see Managing your Application). Press Next.
  7. Choose whether the connector will protect remote logons only or local logons as well. Press Next.

    Protecting Local Logons

    Note: The LoginTC Windows Logon and RDP Connector is fully installed and operational only after the Windows host has been restarted. See Understanding Windows Logon Options for more information.

  8. Press Install.
  9. Press Finish.

The LoginTC Windows Logon and RDP Connector is now installed. It will start protecting logins once the Windows host is restarted.

Usage

Your users may login in several ways. This chapter details the user experience for each interaction.

RDP Login

When a user launches their RDP client they are presented with the standard login sequence. After successfully logging in with their username and password, they are shown the LoginTC login page on the remote host. Various login options for the second-factor LoginTC authentication are presented. Once successfully authenticated with LoginTC, the user is logged into the host.

Local Logon

After successfully logging in with their username and password, the user is shown the LoginTC login page on the local host. Various login options for the second-factor LoginTC authentication are presented. Once successfully authenticated with LoginTC, the user is logged into the host.

Offline Logon

If the host does not have internet connectivity then after successfully logging in with their username and password, the user is shown options for logging in offline.

There are two methods of offline authentication:

  1. QR Scan Authentication. The user must launch the LoginTC App, select Settings > Scan QR Code and then scan the displayed QR Code. If the scan is successful a 6-digit code is displayed for the user to enter and authenticate.
  2. Offline Bypass Code. The user must enter a 9-digit Offline Bypass Code which is provided to them by their support desk.

Users must log in online before offline methods are available

Offline methods are only available if the user has logged in online at least once. If their token is revoked and re-issued, QR Scan Authentication is displayed again only after the user has logged in online at least once more.

Policies

Offline authentication methods must be enabled in the authentication Policy.

Command line installation

You may also install the LoginTC Windows Logon and RDP Connector from the Command Prompt. This is particularly useful when deploying to a large number of machines.

To install from the Command Prompt:

  1. Find the Command Prompt in the Start menu.
  2. Right-click it and select "Run as administrator".
  3. Enter the following command (refer to the list below for the configuration options):

msiexec /qn /i logintc-windows-logon-connector-1.0.0.0.msi CONFLOGINTCAPIHOST="cloud.logintc.com" CONFLOGINTCAPPLICATIONID="YOUR_APPLICATION_ID" CONFLOGINTCAPPLICATIONAPIKEY="YOUR_APPLICATION_API_KEY" CONFRDPONLY="1" CONFBYPASSUSERS=".\support,.\localadmin"

Configuration options (flag: meaning; example):

  • CONFLOGINTCAPIHOST: the LoginTC API host. Example: cloud.logintc.com
  • CONFLOGINTCAPPLICATIONID: the 40-character Application ID (found in the Admin Panel). Example: 5de7c5b82a6972...
  • CONFLOGINTCAPPLICATIONAPIKEY: the 64-character Application API Key (found in the Admin Panel). Example: 5R2EgzXBOHx3RN...
  • CONFRDPONLY: 1 to enable LoginTC only for remote (RDP) logins, or 0 for all logins. Example: 1
  • CONFCHALLENGEGROUPS (optional): groups whose members will be challenged; refer to the Challenge Groups section. Example: RemoteMFAUsers
  • CONFBYPASSGROUPS (optional): groups whose members will be bypassed; refer to the Bypass Groups section. Example: RemoteMFAUsers
  • CONFCHALLENGEUSERS (optional): users who will be challenged; refer to the Challenge Users section. Example: *\support
  • CONFBYPASSUSERS (optional): users who will be bypassed; refer to the Bypass Users section. Example: *\support
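For fleet deployments the msiexec line above is usually wrapped in a script that checks the installer's exit code and confirms the settings actually landed on the host. The PowerShell script below is an added example, not part of the LoginTC documentation or installer. Assumptions that the page does not state: the MSI file name, the log path, and that the installer stores the ChallengeGroups/ChallengeUsers/BypassGroups/BypassUsers values as strings under the Cyphercor registry key (the page names the key and the value names, not their type).

```powershell
# Added example (not LoginTC's code): unattended install of the LoginTC Windows Logon
# and RDP Connector with msiexec, exit-code handling, and a post-install check of the
# per-host passthrough values.
# Assumptions not stated on the page: MSI file name, log path, and that the CONF*
# passthrough values are stored as strings under the Cyphercor registry key.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $MsiPath,            # e.g. .\logintc-windows-logon-connector-1.0.0.0.msi
    [Parameter(Mandatory)] [string] $ApplicationId,      # 40-character Application ID (Admin Panel)
    [Parameter(Mandatory)] [string] $ApplicationApiKey,  # 64-character Application API Key (Admin Panel)
    [string] $ApiHost = 'cloud.logintc.com',             # change only for a private LoginTC deployment
    [switch] $AllLogons,                                 # default is RDP only (CONFRDPONLY=1)
    [string] $BypassUsers = '',                          # e.g. '.\support,.\localadmin'
    [string] $LogPath = "$env:ProgramData\logintc-install.log"   # assumed location
)

$ErrorActionPreference = 'Stop'
$regKey = 'HKLM:\SOFTWARE\Cyphercor\LoginTC Windows Logon Connector'

# Public MSI properties are passed as NAME="value". /qn = no UI, /norestart = we
# control the reboot ourselves, /l*v = verbose installer log for troubleshooting.
$rdpOnly = if ($AllLogons) { '0' } else { '1' }
$msiArgs = @(
    '/qn', '/norestart',
    '/i', ('"{0}"' -f (Resolve-Path $MsiPath).Path),
    '/l*v', ('"{0}"' -f $LogPath),
    ('CONFLOGINTCAPIHOST="{0}"' -f $ApiHost),
    ('CONFLOGINTCAPPLICATIONID="{0}"' -f $ApplicationId),
    ('CONFLOGINTCAPPLICATIONAPIKEY="{0}"' -f $ApplicationApiKey),
    ('CONFRDPONLY="{0}"' -f $rdpOnly)
)
if ($BypassUsers) { $msiArgs += ('CONFBYPASSUSERS="{0}"' -f $BypassUsers) }

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 0 = success; 3010 = success but a reboot is required. Both are acceptable here:
# the connector only begins protecting logons after the host restarts anyway.
switch ($proc.ExitCode) {
    0       { Write-Host 'Connector installed.' }
    3010    { Write-Host 'Connector installed; reboot required before logons are protected.' }
    default { throw "msiexec exited with code $($proc.ExitCode); see $LogPath" }
}

# Post-install check: the connector key must exist and the passthrough values on the
# host must be exactly what was requested. These values are the MFA exceptions for
# this machine, so they belong in the change record.
if (-not (Test-Path $regKey)) { throw "Registry key not found: $regKey" }
$cfg = Get-ItemProperty -Path $regKey
if ($BypassUsers -and ($cfg.BypassUsers -ne $BypassUsers)) {
    Write-Warning "BypassUsers on host is '$($cfg.BypassUsers)', expected '$BypassUsers'"
}
$cfg | Select-Object ChallengeGroups, ChallengeUsers, BypassGroups, BypassUsers | Format-List

Write-Host "Restart $env:COMPUTERNAME to activate the connector (e.g. Restart-Computer -Force)."
```

Two operational notes. The Application API Key is on the msiexec command line, so process-creation auditing (Security event 4688 with command-line logging, or Sysmon) will record it, and a verbose MSI log normally records public property values too; restrict who can read those logs, delete the install log once the deployment is verified, and rotate the key in the Admin Panel if it has been exposed more widely than intended. Second, the script deliberately does not reboot: schedule the restart so that an administrator with an enrolled token, or an account on the bypass list, is able to log on afterwards.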

Logging

The LoginTC Windows Logon and RDP Connector writes events to the Windows Event Viewer under Applications and Services Logs → LoginTC. These event logs are the first place to look when debugging issues.

Passthrough

There are several ways to specify which users are challenged with LoginTC second-factor authentication and which are not. This is useful when testing and when rolling out a deployment, to minimize the impact on other users or to maintain operational access to the hosts. Bypass settings are configured on each host where the LoginTC Windows Logon and RDP Connector is installed. They live under HKEY_LOCAL_MACHINE, so any local administrator on that host can change them; treat the key as part of the host's security configuration and audit changes to it.

Challenge Groups

The ChallengeGroups attribute is a comma-delimited list of groups whose members will be challenged with LoginTC second-factor authentication. When either ChallengeGroups or ChallengeUsers is specified, both BypassGroups and BypassUsers are ignored. If the user is not a member of any challenge group, they are logged in without LoginTC second-factor authentication.

Instructions to set the ChallengeGroups attribute:

  1. Launch regedit (Registry Editor).
  2. Navigate to HKEY_LOCAL_MACHINE > SOFTWARE > Cyphercor > LoginTC Windows Logon Connector.
  3. Click to modify the ChallengeGroups value.
  4. Enter a comma-delimited list of challenge groups in the following format:

Format             Meaning                                            Example
*\groupname        Groups named groupname in any domain.              *\RemoteMFAUsers
DOMAIN\groupname   The group named groupname in the DOMAIN domain.    DOMAIN\RemoteMFAUsers
groupname          The local group named groupname.                   RemoteMFAUsers

  5. Click OK to save changes.

Bypass Groups

The BypassGroups attribute is a comma-delimited list of groups whose members will not be challenged with LoginTC second-factor authentication. When either ChallengeGroups or ChallengeUsers is specified, both BypassGroups and BypassUsers are ignored. If the user is not a member of any bypass group, they are challenged with LoginTC second-factor authentication.

Instructions to set the BypassGroups attribute:

  1. Launch regedit (Registry Editor).
  2. Navigate to HKEY_LOCAL_MACHINE > SOFTWARE > Cyphercor > LoginTC Windows Logon Connector.
  3. Click to modify the BypassGroups value.
  4. Enter a comma-delimited list of bypass groups in the following format:

Format             Meaning                                            Example
*\groupname        Groups named groupname in any domain.              *\RemoteMFAUsers
DOMAIN\groupname   The group named groupname in the DOMAIN domain.    DOMAIN\RemoteMFAUsers
groupname          The local group named groupname.                   RemoteMFAUsers

  5. Click OK to save changes.

Use Active Directory Groups

Note: Some groups cannot be retrieved by the LoginTC Windows Logon Connector, such as Remote Interactive Logon, High Mandatory Level and similar special identities, and other non-Active Directory groups. We recommend using only groups defined and managed in Active Directory.

Challenge Users

The ChallengeUsers attribute is a comma-delimited list of users who will be challenged with LoginTC second-factor authentication. When either ChallengeGroups or ChallengeUsers is specified, both BypassGroups and BypassUsers are ignored. If the user does not match any challenge user, they are logged in without LoginTC second-factor authentication.

Instructions to set the ChallengeUsers attribute:

  1. Launch regedit (Registry Editor).
  2. Navigate to HKEY_LOCAL_MACHINE > SOFTWARE > Cyphercor > LoginTC Windows Logon Connector.
  3. Click to modify the ChallengeUsers value.
  4. Enter a comma-delimited list of challenge users in the following format:

Format            Meaning                                                       Example
*\username        All accounts, local or in any domain, with username username.  *\john.doe
.\username        The local account with username username.                      .\john.doe
DOMAIN\username   The account with username username in the DOMAIN domain.       CORP\john.doe

  5. Click OK to save changes.

Bypass Users

The BypassUsers attribute is a comma-delimited list of users who will not be challenged with LoginTC second-factor authentication. When either ChallengeGroups or ChallengeUsers is specified, both BypassGroups and BypassUsers are ignored. If the user does not match any bypass user, they are challenged with LoginTC second-factor authentication.

Instructions to set the BypassUsers attribute:

  1. Launch regedit (Registry Editor).
  2. Navigate to HKEY_LOCAL_MACHINE > SOFTWARE > Cyphercor > LoginTC Windows Logon Connector.
  3. Click to modify the BypassUsers value.
  4. Enter a comma-delimited list of bypass users in the following format:

Format            Meaning                                                       Example
*\username        All accounts, local or in any domain, with username username.  *\john.doe
.\username        The local account with username username.                      .\john.doe
DOMAIN\username   The account with username username in the DOMAIN domain.       CORP\john.doe

  5. Click OK to save changes.
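The interaction between the four lists is the part that bites in practice: as soon as ChallengeGroups or ChallengeUsers is set, every BypassGroups and BypassUsers entry is ignored. The PowerShell below is an added example that models the rules stated in the Challenge Groups, Bypass Groups, Challenge Users and Bypass Users sections, so you can predict what a given account will get before you touch a production host, and it includes a helper that writes the values to the connector's registry key. It is not the connector's own code. Assumptions the page does not state: the four values are stored as REG_SZ strings, matching is case-insensitive, "*\groupname" matches domain groups only (as the groups table says) while "*\username" also matches local accounts (as the users table says), and the sample accounts, groups and configuration are constructed for the example.

```powershell
# Added example (not the connector's code): a model of the documented passthrough
# rules plus a helper that writes the values to the connector's registry key.
# Assumptions not stated on the page: REG_SZ values, case-insensitive matching,
# "*\groupname" = domain groups only, "*\username" = local or domain accounts.

$LoginTCKey = 'HKLM:\SOFTWARE\Cyphercor\LoginTC Windows Logon Connector'

function Split-PassthroughList ([string] $Value) {
    # "a, b,,c" -> 'a','b','c'; unset or empty value -> nothing
    ($Value -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Test-AccountMatch ([string] $Pattern, [string] $Account) {
    # Accounts are written "CORP\john.doe" (domain) or ".\john.doe" (local).
    $p = $Pattern -split '\\', 2
    $a = $Account -split '\\', 2
    if ($a.Count -eq 1) { $a = @('.', $a[0]) }                  # bare name: treat as local
    if ($p.Count -ne 2 -or $p[1] -ne $a[1]) { return $false }   # -ne is case-insensitive
    switch ($p[0]) {
        '*'     { return $true }                                # any domain, or local
        '.'     { return ($a[0] -eq '.') }                      # local accounts only
        default { return ($a[0] -eq $p[0]) }                    # exactly this domain
    }
}

function Test-GroupMatch ([string] $Pattern, [string[]] $Groups) {
    # Memberships are "DOMAIN\groupname" for domain groups, bare "groupname" for local groups.
    $p = $Pattern -split '\\', 2
    foreach ($g in $Groups) {
        $m = $g -split '\\', 2
        if ($p.Count -eq 1) {                                   # "groupname": local group only
            if ($m.Count -eq 1 -and $m[0] -eq $p[0]) { return $true }
        } elseif ($m.Count -eq 2 -and $m[1] -eq $p[1]) {
            if ($p[0] -eq '*' -or $p[0] -eq $m[0]) { return $true }
        }
    }
    return $false
}

function Get-LoginTCDecision ($Config, [string] $Account, [string[]] $Groups) {
    $cu = @(Split-PassthroughList $Config.ChallengeUsers)
    $cg = @(Split-PassthroughList $Config.ChallengeGroups)
    $bu = @(Split-PassthroughList $Config.BypassUsers)
    $bg = @(Split-PassthroughList $Config.BypassGroups)

    if ($cu.Count -gt 0 -or $cg.Count -gt 0) {
        # A challenge list is set: only listed accounts/groups get MFA; bypass lists are ignored.
        foreach ($x in $cu) { if (Test-AccountMatch $x $Account) { return "Challenge: ChallengeUsers '$x'" } }
        foreach ($x in $cg) { if (Test-GroupMatch $x $Groups)   { return "Challenge: ChallengeGroups '$x'" } }
        return 'Bypass: not in any challenge list'
    }
    # No challenge list: everyone gets MFA unless a bypass entry matches.
    foreach ($x in $bu) { if (Test-AccountMatch $x $Account) { return "Bypass: BypassUsers '$x'" } }
    foreach ($x in $bg) { if (Test-GroupMatch $x $Groups)   { return "Bypass: BypassGroups '$x'" } }
    return 'Challenge: default'
}

function Get-LoginTCPassthrough {
    # Read the live per-host configuration; values that are not set come back as $null.
    Get-ItemProperty -Path $LoginTCKey |
        Select-Object ChallengeGroups, ChallengeUsers, BypassGroups, BypassUsers
}

function Set-LoginTCPassthrough {
    [CmdletBinding(SupportsShouldProcess)]
    param([string] $ChallengeGroups = '', [string] $ChallengeUsers = '',
          [string] $BypassGroups = '',    [string] $BypassUsers = '')
    foreach ($name in 'ChallengeGroups', 'ChallengeUsers', 'BypassGroups', 'BypassUsers') {
        $value = Get-Variable -Name $name -ValueOnly
        if ($PSCmdlet.ShouldProcess("$LoginTCKey\$name", "set to '$value'")) {
            Set-ItemProperty -Path $LoginTCKey -Name $name -Value $value -Type String
        }
    }
}

# Constructed configuration and accounts (not from the page). Bypass-list mode first:
$config = [pscustomobject]@{ ChallengeGroups = ''; ChallengeUsers = ''
                             BypassGroups = 'CORP\BreakGlass'; BypassUsers = '.\localadmin' }
Get-LoginTCDecision $config 'CORP\john.doe' @('CORP\Domain Users')   # ordinary domain user
Get-LoginTCDecision $config '.\localadmin'  @('Administrators')      # listed local bypass user
Get-LoginTCDecision $config 'CORP\jane.roe' @('CORP\BreakGlass')     # member of a bypass group

# Setting a challenge list switches mode: the two bypass entries above no longer apply.
$config.ChallengeGroups = '*\RemoteMFAUsers'
Get-LoginTCDecision $config '.\localadmin'  @('Administrators')
Get-LoginTCDecision $config 'CORP\jane.roe' @('CORP\RemoteMFAUsers', 'CORP\BreakGlass')

# Dry run of the write path against the real key (drop -WhatIf to apply):
Set-LoginTCPassthrough -BypassUsers '.\localadmin' -BypassGroups 'CORP\BreakGlass' -WhatIf
```

Run the decision function against the exact account and group strings your users log on with before changing a host; in particular, a break-glass account that is on BypassUsers stops being exempt the moment someone adds a ChallengeGroups entry, and the only way to keep it exempt in that mode is to keep it out of every challenge group and challenge user pattern.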

FAQ

Which Windows logon prompts does LoginTC protect?

The LoginTC Windows Logon and RDP Connector protects:

  • Remote Desktop Logins
  • Local Logins

The LoginTC Windows Logon and RDP Connector does not protect:

  • “Run as administrator”
  • “Run as different user”
  • Noninteractive logins (e.g., batch process)

Does Windows logon work in Safe Mode?

By default, Windows disables all credential providers except the built-in password credential provider when in Safe Mode, so a Safe Mode logon is not protected by the connector. If you wish to enable LoginTC in Safe Mode, you can do so by following these instructions:

  1. Open the Registry Editor.
  2. Navigate to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Authentication > Credential Providers.
  3. Create a DWORD value named ProhibitFallbacks and set it to 1.

Test this on a host you have console access to, and make sure an offline authentication method or a bypass account is available, before applying it to hosts you can only reach remotely.

Troubleshooting

Email Support

For any additional help please email support@cyphercor.com. Expect a speedy reply.