Some issues with vSphere we need to address for AuthLite 2-factor enforcement:

  • vSphere is not affected by logon group policies applied to its server, because it uses its own LDAP connection to authenticate to the DCs. 
  • It also does a static lookup of group membership over LDAP, so we cannot ask it to check for the AuthLite 2-factor Tag groups to do enforcement.
  • Lastly, its LDAP authentication method requires some additional configuration in order for the DC to process it properly as a 2-factor logon.

Configuration for vSphere 2-factor logon enforcement:

  • Set up AuthLite users, placing them into the AuthLite users group, and assigning one or more tokens
  • Enforce blocking 1-factor logon of AuthLite users to your vSphere servers, by adding the vSphere servers by name or IP to the Forced 2-factor Computers list in AuthLite. This is the least favored way to enforce, but we have no other option because group policy is not relevant to vSphere.
  • Make sure "Treat LDAP client IP as the authentication source" is selected.
  • Add the vSphere servers to the "LDAP Permissions" list in AuthLite Configuration. The default timeout of 5 seconds should be sufficient.
  • Wait 20 minutes for all DCs to synchronize with the new AuthLite settings

To authenticate to the vSphere client as a 2-factor user, you must do the following:

  • Uncheck the "Use Windows session credentials" checkbox
  • In the username field, enter the NETBIOS domain name followed by a backslash
  • If you are using a YubiKey, press the button now to fill in the OTP after the backslash
  • If you are using an OATH token, enter your username after the backslash, followed by a dash, and then the current OATH OTP digits
  • Enter your AD password as normal
  • Click "Login"
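The two username-field forms above are easy to get wrong at the help desk, so here is an added example (not AuthLite's or VMware's code) that classifies what was typed. It assumes standard token formats the page does not state: a Yubico OTP is 44 ModHex characters, and an OATH OTP is 6 or 8 decimal digits.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed token formats (not stated on the page): a Yubico OTP is 44
# characters of the ModHex alphabet; an OATH OTP is 6 or 8 decimal digits.
MODHEX_OTP = re.compile(r"^[cbdefghijklnrtuv]{44}$")
OATH_OTP = re.compile(r"^(?:[0-9]{6}|[0-9]{8})$")


@dataclass
class LogonName:
    domain: str
    user: Optional[str]   # None for the YubiKey form (no username is typed)
    otp: Optional[str]    # None when no OTP is present (a 1-factor attempt)
    kind: str             # "yubikey", "oath" or "one-factor"


def parse_vsphere_logon(name: str) -> LogonName:
    """Classify the value typed into the vSphere client's username field."""
    if name.count("\\") != 1:
        raise ValueError("expected NETBIOSDOMAIN\\... with exactly one backslash")
    domain, rest = name.split("\\")
    if not domain or not rest:
        raise ValueError("domain and credential part must both be non-empty")
    # YubiKey form: DOMAIN\<44-char OTP>, nothing else after the backslash.
    if MODHEX_OTP.match(rest):
        return LogonName(domain, None, rest, "yubikey")
    # OATH form: DOMAIN\username-<digits>. Split on the LAST dash so that
    # usernames which themselves contain dashes still parse correctly.
    user, sep, otp = rest.rpartition("-")
    if sep and user and OATH_OTP.match(otp):
        return LogonName(domain, user, otp, "oath")
    # Anything else is a plain DOMAIN\user logon carrying no second factor;
    # for an AuthLite user against a Forced 2-factor Computer it will be blocked.
    return LogonName(domain, rest, None, "one-factor")
```

A plain username that happens to end in "-" plus six or eight digits cannot be told apart from the OATH form by syntax alone, which is one reason the page's guidance on the exact entry format matters.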