Last Updated: December 20, 2024
The LoginTC Windows Logon and RDP Connector integrates natively with Windows Server and Windows Client operating systems. Local access and remote access can both be protected with LoginTC MFA.
LoginTC MFA works online and offline, and can be configured to control which users or groups are challenged with MFA.
Explore how LoginTC integrates with Windows Logon and RDP below.
Subscription Requirement
Your organization requires the Business or Enterprise plan to use the LoginTC Windows Logon and RDP Connector. Explore Pricing Plans
After entering the username and password, the user is shown a selection of second factor options. The user clicks a button to receive a LoginTC push notification, authenticates and is logged in.
How MFA for Windows Works
Architecture
Supported Windows Server versions:
Supported Windows Client versions:
Additional Requirements:
Non-x64 architecture
LoginTC Windows Logon and RDP Connector is only compatible with x64 architecture systems. It will not run on systems, for example, that use ARM processors.
Start by creating a LoginTC Application for your Windows 2FA. An Application represents a service (e.g. RDP access to your Windows infrastructure) that you want to protect with LoginTC.
To create a LoginTC Application in LoginTC Admin, follow the Create Application steps.
If you have already created a LoginTC Application for your Windows 2FA, then you may skip this section and proceed to Installation.
Normalize Usernames
Windows usernames are in the form “CORP\john.doe”, while in the LoginTC Admin Panel it is generally more convenient to simply use “john.doe”.
Configure Normalize Usernames from the Application settings by navigating to Applications > Your Application > Settings. Select Yes, Normalize Usernames, scroll down and click Update.
Install the LoginTC Windows Logon and RDP Connector.
Protecting Local Logons
Note: After restarting the Windows host the LoginTC Windows Logon and RDP Connector will be fully installed and operational. See Which Windows logon prompts does LoginTC protect? for more information.
The LoginTC Windows Logon and RDP Connector is now installed. It will start protecting logins once the Windows host is restarted.
Usage
Your users may log in in several ways. This chapter details the user experience for each interaction.
When a user launches their RDP client they are presented with the standard login sequence. After successfully logging in with their username and password, they are shown the LoginTC login page on the remote host. Various login options for the second-factor LoginTC authentication are presented. Once successfully authenticated with LoginTC, the user is logged into the host.
After successfully logging in with their username and password, the user is shown the LoginTC login page on the local host. Various login options for the second-factor LoginTC authentication are presented. Once successfully authenticated with LoginTC, the user is logged into the host.
If the host does not have internet connectivity then after successfully logging in with their username and password, the user is shown options for logging in offline.
There are a few methods of offline authentication:
Must log in online before offline methods become available
Offline methods are only available if the user has logged in online at least once. Methods that have been revoked and then re-issued become usable again once the user has logged in online at least once.
Policies
Offline authentication methods must be enabled in the relevant policy, see: Offline Authentication.
When LoginTC for UAC is enabled, the user requesting elevated privileges is prompted to authenticate with LoginTC:
UAC Limitations
A LoginTC prompt is not shown in the following scenarios: Run as different user; cmdlets such as Enter-PSSession, Invoke-Command, and Get-Credential. Security Keys are not a supported authentication method.
Enforce a policy to allow a Windows device to be remembered for a specified duration, or until the user signs out of their machine, reboots, logs in offline or changes networks. This feature applies to console unlock logons.
Remembered devices also work for offline logons.
Policies
Remembered Devices must be enabled in the authentication Policy. Navigate to Policies then your policy (or Organization Policy for global coverage). Scroll down to Remembered Devices to enable.
You may also install the LoginTC Windows Logon and RDP Connector from the Command Prompt. This is particularly useful when deploying to a large number of machines.
To install from the Command Prompt:
msiexec /qn /i logintc-windows-logon-connector-1.2.0.0.msi CONFLOGINTCAPIHOST="cloud.logintc.com" CONFLOGINTCAPPLICATIONID="YOUR_APPLICATION_ID" CONFLOGINTCAPPLICATIONAPIKEY="YOUR_APPLICATION_API_KEY" CONFENABLERDP="1" CONFENABLECONSOLE="0" CONFENABLEUAC="0" CONFBYPASSUSERS=".\support,.\localadmin"
Flag | Meaning | Example |
---|---|---|
CONFLOGINTCAPIHOST | The LoginTC API host | cloud.logintc.com |
CONFLOGINTCAPPLICATIONID | The 40-character Application ID (found in the Admin Panel) | 5de7c5b82a6972... |
CONFLOGINTCAPPLICATIONAPIKEY | The 64-character Application API Key (found in the Admin Panel) | 5R2EgzXBOHx3RN... |
CONFENABLERDP | 1 to enable LoginTC for remote (RDP) logins, or 0 for all logins | 1 |
CONFENABLECONSOLE | 1 to enable LoginTC for console logins (or 0 to disable) | 0 |
CONFENABLEUAC | 1 to enable LoginTC for UAC (or 0 to disable) | 0 |
CONFCHALLENGEGROUPS | (Optional) Groups whose members will be challenged. Refer to the Challenge Groups section for more information. | RemoteMFAUsers |
CONFBYPASSGROUPS | (Optional) Groups whose members will be bypassed. Refer to the Bypass Groups section for more information. | RemoteMFAUsers |
CONFCHALLENGEUSERS | (Optional) Users who will be challenged. Refer to the Challenge Users section for more information. | *\support |
CONFBYPASSUSERS | (Optional) Users who will be bypassed. Refer to the Bypass Users section for more information. | *\support |
The LoginTC Windows Logon and RDP Connector logs events to the Microsoft Event Viewer under Applications and Services Logs → LoginTC. These event logs are helpful when debugging issues.
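The following PowerShell script is an added example, not LoginTC's own tooling. It drives the silent msiexec installation described above with the same CONF* properties, interprets the msiexec exit code (the host still has to be restarted before logons are protected), and then locates the connector's event log for the check described in the previous paragraph. The MSI path, the Application ID placeholder, the LOGINTC_API_KEY environment variable and the assumption that the event log name contains "LoginTC" are all this example's own.

```powershell
# Added example, not LoginTC's own code: silent install from PowerShell using the
# documented MSI properties, followed by a result check. Paths, the Application ID
# placeholder, the environment variable and the event log name are assumptions.

function Install-LoginTcConnector {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][hashtable]$Properties,   # the CONF* MSI properties
        [string]$LogPath = (Join-Path $env:TEMP 'logintc-connector-install.log')
    )
    if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }

    # Quote every property value: Challenge/Bypass lists contain commas and backslashes
    $propArgs = foreach ($key in $Properties.Keys) { '{0}="{1}"' -f $key, $Properties[$key] }
    $msiArgs  = @('/qn', '/norestart', '/i', ('"{0}"' -f $MsiPath), '/l*v', ('"{0}"' -f $LogPath)) + $propArgs

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow
    switch ($proc.ExitCode) {
        0       { 'Installed. Restart the host: the connector protects logons only after a reboot.' }
        3010    { 'Installed. A reboot is required before the connector protects logons.' }
        default { throw "msiexec exited with $($proc.ExitCode); see the verbose log at $LogPath" }
    }
    # The verbose MSI log records property values, including the API key: restrict or delete it.
}

# Same settings as the Command Prompt example above. The API key is read from the
# deployment tool's environment (variable name assumed) instead of being written
# into the script.
$conf = @{
    CONFLOGINTCAPIHOST           = 'cloud.logintc.com'
    CONFLOGINTCAPPLICATIONID     = 'YOUR_APPLICATION_ID'       # placeholder
    CONFLOGINTCAPPLICATIONAPIKEY = $env:LOGINTC_API_KEY        # placeholder variable
    CONFENABLERDP                = '1'
    CONFENABLECONSOLE            = '0'
    CONFENABLEUAC                = '0'
    CONFBYPASSUSERS              = '.\support,.\localadmin'
}
Install-LoginTcConnector -MsiPath 'C:\Deploy\logintc-windows-logon-connector-1.2.0.0.msi' -Properties $conf

# After the reboot: find the connector's log under Applications and Services Logs
# (the exact log name is assumed to contain "LoginTC") and read its latest events.
$log = Get-WinEvent -ListLog '*LoginTC*' -ErrorAction SilentlyContinue | Select-Object -First 1
if ($log) {
    Get-WinEvent -LogName $log.LogName -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}
```

Passing the Application API Key on the msiexec command line means it is briefly visible in the process list and is written to the verbose MSI log; keep the key out of the script body, and treat the log file as sensitive.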
Passthrough MFA
There are several ways to specify which set of users should be challenged with LoginTC second-factor authentication, and which ones will not. This is often useful when testing and when rolling out a deployment to minimize the impact on others or to maintain operational access to the hosts. Bypass settings are configured on each host where the LoginTC Connector is installed for your Windows multi-factor authentication (2FA/MFA).
The ChallengeGroups attribute is a comma-delimited list of groups whose member users will all be challenged with LoginTC second-factor authentication. When either ChallengeGroups or ChallengeUsers is specified, both BypassGroups and BypassUsers are ignored. If the user is not part of any challenge group, they are logged in without LoginTC two-factor authentication (2FA/MFA).
Using Active Directory Groups
Note: Some groups cannot be retrieved by the LoginTC Windows Logon Connector, such as Remote Interactive Logon, High Mandatory Level and similar Special Identities and non-Active Directory based groups. We recommend using only groups defined and managed in Active Directory.
Offline Active Directory Groups
Note: Security identifiers (SIDs) should be used for Challenge and Bypass groups instead of group names when the machine is expected to be used offline (or when the Active Directory domain controllers are expected to be unreachable).
Instructions to set the ChallengeGroups attribute:
Format | Meaning | Example |
---|---|---|
*\groupname | All groups in any domain that have the name groupname. | *\RemoteMFAUsers |
DOMAIN\groupname | Groups with the name groupname belonging to the DOMAIN domain. | DOMAIN\RemoteMFAUsers |
groupname | Local group with the name groupname. | RemoteMFAUsers |
SID | Group security identifier (SID) | S-1-5-21-... |
The BypassGroups attribute is a comma-delimited list of groups whose member users will not be challenged with LoginTC second-factor authentication. When either ChallengeGroups or ChallengeUsers is specified, both BypassGroups and BypassUsers are ignored. If the user is not part of any bypass group, they are challenged with LoginTC second-factor authentication.
Using Active Directory Groups
Note: Some groups cannot be retrieved by the LoginTC Windows Logon Connector, such as Remote Interactive Logon, High Mandatory Level and similar Special Identities and non-Active Directory based groups. We recommend using only groups defined and managed in Active Directory.
Offline Active Directory Groups
Note: Security identifiers (SIDs) should be used for Challenge and Bypass groups instead of group names when the machine is expected to be used offline (or when the Active Directory domain controllers are expected to be unreachable).
Instructions to set the BypassGroups attribute:
Format | Meaning | Example |
---|---|---|
*\groupname | All groups in any domain that have the name groupname. | *\RemoteMFAUsers |
DOMAIN\groupname | Groups with the name groupname belonging to the DOMAIN domain. | DOMAIN\RemoteMFAUsers |
groupname | Local group with the name groupname. | RemoteMFAUsers |
SID | Group security identifier (SID) | S-1-5-21-... |
The ChallengeUsers attribute is a comma-delimited list of users who will be challenged with LoginTC second-factor authentication. When either ChallengeGroups or ChallengeUsers is specified, both BypassGroups and BypassUsers are ignored. If the user does not match any challenge user, they are logged in without LoginTC two-factor authentication (2FA/MFA).
Instructions to set the ChallengeUsers attribute:
Format | Meaning | Example |
---|---|---|
*\username | All accounts, local or on any domain, that have the username username. | *\john.doe |
.\username | Local account with the username username. | .\john.doe |
DOMAIN\username | Domain account with the username username belonging to the DOMAIN domain. | CORP\john.doe |
The BypassUsers attribute is a comma-delimited list of users who will not be challenged with LoginTC second-factor authentication. When either ChallengeGroups or ChallengeUsers is specified, both BypassGroups and BypassUsers are ignored. If the user does not match any bypass user, they are challenged with LoginTC two-factor authentication (2FA/MFA).
Instructions to set the BypassUsers attribute:
Format | Meaning | Example |
---|---|---|
*\username | All accounts, local or on any domain, that have the username username. | *\john.doe |
.\username | Local account with the username username. | .\john.doe |
DOMAIN\username | Domain account with the username username belonging to the DOMAIN domain. | CORP\john.doe |
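The precedence rule repeated in the four Passthrough MFA sections above (any Challenge list disables both Bypass lists) is easy to get wrong when a host's settings are edited over time, and the result is an account that is silently challenged or silently exempted. The PowerShell below is an added example, not LoginTC's code: it models the documented user patterns (*\name, .\name, DOMAIN\name), the documented group patterns (*\name, DOMAIN\name, bare local name, SID) and the Challenge-over-Bypass precedence, and evaluates a few constructed accounts against the settings used in the Command Prompt install example. Function names, the Group object shape, the sample SIDs and the default of challenging everyone when no list is configured are this example's assumptions; the real connector's matching details (such as case handling) are not documented here.

```powershell
# Added example, not LoginTC's code: a model of the Passthrough MFA rules
# documented above. Function names, the Group object shape and the sample
# names/SIDs are assumptions; the connector's exact matching is not documented.

function ConvertTo-PatternList([string]$Csv) {
    # "a, b ,c" -> @('a','b','c'); an empty setting yields an empty list
    if ([string]::IsNullOrWhiteSpace($Csv)) { return ,@() }
    return ,@($Csv -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-UserPattern([string]$Pattern, [string]$Domain, [string]$User, [bool]$IsLocal) {
    $parts = $Pattern -split '\\', 2            # split on the first backslash
    if ($parts.Count -ne 2) { return $false }
    $scope, $name = $parts
    if ($name -ne $User) { return $false }       # -eq/-ne are case-insensitive in PowerShell
    switch ($scope) {
        '*'     { return $true }                  # *\username: local or any domain
        '.'     { return $IsLocal }               # .\username: local account only
        default { return (-not $IsLocal) -and ($scope -eq $Domain) }  # DOMAIN\username
    }
}

function Test-GroupPattern([string]$Pattern, [object]$Group) {
    # $Group carries Name, Domain ($null for a local group) and Sid
    if ($Pattern -like 'S-1-*') { return ($Pattern -eq $Group.Sid) }   # SID form: usable offline
    $parts = $Pattern -split '\\', 2
    if ($parts.Count -eq 1) {                    # bare groupname: local group only
        return ($null -eq $Group.Domain) -and ($Pattern -eq $Group.Name)
    }
    $scope, $name = $parts
    if ($name -ne $Group.Name) { return $false }
    if ($scope -eq '*') { return ($null -ne $Group.Domain) }   # *\groupname: any domain
    return ($scope -eq $Group.Domain)                          # DOMAIN\groupname
}

function Test-AnyGroup([string[]]$Patterns, [object[]]$Groups) {
    foreach ($p in $Patterns) { foreach ($g in $Groups) { if (Test-GroupPattern $p $g) { return $true } } }
    return $false
}

function Test-AnyUser([string[]]$Patterns, [string]$Domain, [string]$User, [bool]$IsLocal) {
    foreach ($p in $Patterns) { if (Test-UserPattern $p $Domain $User $IsLocal) { return $true } }
    return $false
}

function Get-LoginTcDecision {
    param(
        [string]$Domain, [string]$User, [bool]$IsLocal, [object[]]$Groups,
        [string]$ChallengeGroups = '', [string]$ChallengeUsers = '',
        [string]$BypassGroups = '',    [string]$BypassUsers = ''
    )
    $cg = ConvertTo-PatternList $ChallengeGroups; $cu = ConvertTo-PatternList $ChallengeUsers
    $bg = ConvertTo-PatternList $BypassGroups;    $bu = ConvertTo-PatternList $BypassUsers

    if ($cg.Count -gt 0 -or $cu.Count -gt 0) {
        # A Challenge list is present: BypassGroups and BypassUsers are ignored entirely
        $challenged = (Test-AnyGroup $cg $Groups) -or (Test-AnyUser $cu $Domain $User $IsLocal)
        $reason = if ($challenged) { 'matched a Challenge list' } else { 'matched no Challenge list (Bypass lists ignored)' }
    } elseif ($bg.Count -gt 0 -or $bu.Count -gt 0) {
        $bypassed = (Test-AnyGroup $bg $Groups) -or (Test-AnyUser $bu $Domain $User $IsLocal)
        $challenged = -not $bypassed
        $reason = if ($bypassed) { 'matched a Bypass list' } else { 'matched no Bypass list' }
    } else {
        $challenged = $true                       # nothing configured: every user is challenged (assumed)
        $reason = 'no Challenge or Bypass lists configured'
    }
    [pscustomobject]@{ Account = "$Domain\$User"; Challenged = $challenged; Reason = $reason }
}

# Constructed sample accounts: names and SIDs are made up for this example
$john    = @{ Domain = 'CORP'; User = 'john.doe'; IsLocal = $false
              Groups = @([pscustomobject]@{ Name = 'RemoteMFAUsers'; Domain = 'CORP'; Sid = 'S-1-5-21-1111-2222-3333-1105' }) }
$support = @{ Domain = 'WS01'; User = 'support'; IsLocal = $true
              Groups = @([pscustomobject]@{ Name = 'Administrators'; Domain = $null; Sid = 'S-1-5-32-544' }) }

# 1. The Command Prompt install example: only BypassUsers set -> support skips MFA, john is challenged
Get-LoginTcDecision @john    -BypassUsers '.\support,.\localadmin'
Get-LoginTcDecision @support -BypassUsers '.\support,.\localadmin'
# 2. Adding a Challenge list: the Bypass entry for support no longer applies, so support is challenged
Get-LoginTcDecision @support -ChallengeUsers '.\support' -BypassUsers '.\support'
# 3. Offline-safe setting: the domain group is referenced by SID instead of by name
Get-LoginTcDecision @john    -ChallengeGroups 'S-1-5-21-1111-2222-3333-1105'
```

Case 2 is the one worth running before a rollout: an administrator who adds CONFCHALLENGEGROUPS to extend MFA to a pilot group also switches off every CONFBYPASSUSERS entry on that host, which removes the break-glass exemption for accounts such as .\localadmin unless they are also listed in a Challenge list or deliberately left unchallenged.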
The LoginTC Windows two factor authentication (2FA/MFA) protects:
The LoginTC Windows two factor authentication (2FA/MFA) does not protect:
By default, Windows disables all credential providers except the built-in password credential provider when in Safe Mode. If you wish to enable LoginTC in Safe Mode, you can do so by following these instructions:
ProhibitFallbacks with the value 1
No, the connector does not support Microsoft/Live accounts.
Yes, commandline installation is supported: Command line installation
An end to end sample guide on deploying using Group Policy: Automatic LoginTC Windows Logon and RDP Connector Deployment.
Upgrade
To upgrade the LoginTC Windows Logon and RDP Connector, first uninstall the previous version and then install the newer version.
Uninstallation
To uninstall the LoginTC Windows Logon and RDP Connector, simply navigate to Add or remove programs in the Windows Control Panel, find LoginTC Windows Logon and RDP Connector in the list and follow the prompts.
You may also uninstall the LoginTC Windows Logon and RDP Connector from the Command Prompt. This is particularly useful when deploying to a large number of machines.
To uninstall from the Command Prompt:
msiexec /uninstall logintc-windows-logon-connector-1.0.3.0.msi /norestart /quiet
NOTE: The .msi file must be the same version as the one that is installed.
Troubleshooting
Email Support
For any additional help please email support@cyphercor.com. Expect a speedy reply.