Remote Desktop Manager 2FA
The LoginTC Windows Logon and RDP Connector integrates natively with Windows Server and Windows Client operating systems to add two-factor authentication for both remote desktop and local logins.

If you would like to protect your RD Web Access, then you may be interested in the LoginTC RD Web Access Connector. If you would like to protect just your RD Gateway without protecting RD Web Access, then you may be interested in the LoginTC RD Gateway with RADIUS Connector.
Your organization requires the Business or Enterprise plan to use the LoginTC Windows Logon and RDP Connector. See the Pricing page for more information about subscription options.

User Experience
After entering the username and password, the user is shown a selection of second-factor options. The user clicks a button to receive a LoginTC push notification, authenticates and is logged in.
Video Instructions
Supported Windows Server versions:
Supported Windows Client versions:
Additional Requirements:
Create Application
Start by creating a LoginTC Application for your Windows Logon and RDP deployment. An Application represents a service (e.g. RDP access to your Windows infrastructure) that you want to protect with LoginTC. To create a LoginTC Application in LoginTC Admin, follow the Create Application steps. If you have already created a LoginTC Application for your Windows Logon and RDP deployment, then you may skip this section and proceed to Installation.

Windows Installer
Install the LoginTC Windows Logon and RDP Connector.
The LoginTC Windows Logon and RDP Connector is now installed. It will start protecting logins once the Windows host is restarted.

Usage
Your users may log in in several ways. This chapter details the user experience for each interaction.

When a user launches their RDP client they are presented with the standard login sequence. After successfully logging in with their username and password, they are shown the LoginTC login page on the remote host. Various login options for the second-factor LoginTC authentication are presented. Once successfully authenticated with LoginTC, the user is logged into the host.

Local Logon
After successfully logging in with their username and password, the user is shown the LoginTC login page on the local host. Various login options for the second-factor LoginTC authentication are presented. Once successfully authenticated with LoginTC, the user is logged into the host.

Offline Logon
If the host does not have internet connectivity, then after successfully logging in with their username and password, the user is shown options for logging in offline. There are two methods of offline authentication:
Offline methods are only available if the user has logged in online at least once. If their token is revoked and re-issued, QR Scan Authentication will only be displayed after the user has again logged in online at least once.
Offline authentication methods must be enabled in the authentication Policy. Navigate to Policies, then your policy (or Organization Policy for global coverage). Scroll down to Offline Authentication to enable it.

UAC (Run as administrator)
When LoginTC for UAC is enabled, the user requesting elevated privileges is prompted to authenticate with LoginTC:
NOTE: A LoginTC prompt is not shown in the following scenarios: Run as different user; cmdlets such as Enter-PSSession, Invoke-Command, and Get-Credential.

Command line installation
You may also install the LoginTC Windows Logon and RDP Connector from the Command Prompt. This is particularly useful when deploying to a large number of machines. To install from the Command Prompt:
Logging
The LoginTC Windows Logon and RDP Connector logs events to the Microsoft Event Viewer under Applications and Services Logs → LoginTC. These event logs are helpful in debugging issues.

Passthrough
There are several ways to specify which set of users should be challenged with LoginTC second-factor authentication and which should not. This is often useful when testing and when rolling out a deployment, to minimize the impact on others or to maintain operational access to the hosts. Bypass settings are configured on each host where the LoginTC Windows Logon and RDP Connector is installed.

Challenge Groups
The ChallengeGroups attribute is a comma-delimited list of groups whose member users will all be challenged with LoginTC second-factor authentication. When either ChallengeGroups or ChallengeUsers is specified, both BypassGroups and BypassUsers are ignored. If the user is not a member of any challenge group, they are logged in without LoginTC second-factor authentication. Instructions to set the ChallengeGroups attribute:
Bypass Groups
The BypassGroups attribute is a comma-delimited list of groups whose member users will not be challenged with LoginTC second-factor authentication. When either ChallengeGroups or ChallengeUsers is specified, both BypassGroups and BypassUsers are ignored. If the user is not a member of any bypass group, they are challenged with LoginTC second-factor authentication. Instructions to set the BypassGroups attribute:
Note: Some groups cannot be retrieved by the LoginTC Windows Logon Connector, such as Remote Interactive Logon, High Mandatory Level and similar Special Identities, and non-Active Directory based groups. We recommend using only groups defined and managed in Active Directory.

Challenge Users
The ChallengeUsers attribute is a comma-delimited list of users who will be challenged with LoginTC second-factor authentication. When either ChallengeGroups or ChallengeUsers is specified, both BypassGroups and BypassUsers are ignored. If the user does not match any challenge user, they are logged in without LoginTC second-factor authentication. Instructions to set the ChallengeUsers attribute:
Bypass Users
The BypassUsers attribute is a comma-delimited list of users who will not be challenged with LoginTC second-factor authentication. When either ChallengeGroups or ChallengeUsers is specified, both BypassGroups and BypassUsers are ignored. If the user does not match any bypass user, they are challenged with LoginTC second-factor authentication. Instructions to set the BypassUsers attribute:
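The precedence rule shared by the four Passthrough attributes above (any Challenge* setting silently disables both Bypass* settings, and a user matched by neither challenge list is let in without a second factor) is easy to get wrong when rolling out per host. The following is an added example, not LoginTC's code: it models that decision over a constructed directory so an administrator can audit who would skip the second factor before applying settings. How the connector stores the attributes on the host is not modelled; values are assumed to be the raw comma-delimited strings.

```python
# Added example (not LoginTC's code): evaluates the effective passthrough
# decision from ChallengeGroups / ChallengeUsers / BypassGroups / BypassUsers
# following the precedence rule in the Passthrough section. Attribute values
# are assumed to be raw comma-delimited strings; their storage is not modelled.

def parse_list(value):
    """Split a comma-delimited attribute value into a set of normalised names."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def is_challenged(user, user_groups, settings):
    """Return True when the user must complete LoginTC second-factor auth.
    settings maps attribute name -> raw value; "" or absent = not specified.
    If ChallengeGroups or ChallengeUsers is set, the Bypass* lists are ignored."""
    challenge_groups = parse_list(settings.get("ChallengeGroups", ""))
    challenge_users = parse_list(settings.get("ChallengeUsers", ""))
    bypass_groups = parse_list(settings.get("BypassGroups", ""))
    bypass_users = parse_list(settings.get("BypassUsers", ""))
    user = user.lower()
    groups = {g.lower() for g in user_groups}

    if challenge_groups or challenge_users:
        # Challenge mode: only listed users and group members are challenged;
        # everyone else is logged in without a second factor.
        return user in challenge_users or bool(groups & challenge_groups)
    # Bypass mode: everyone is challenged unless explicitly listed.
    return not (user in bypass_users or bool(groups & bypass_groups))


def audit(directory, settings):
    """Map every user to their challenged outcome, to spot accounts that
    would be let in without a second factor before rolling settings out."""
    return {u: is_challenged(u, g, settings) for u, g in directory.items()}


# Constructed sample directory and host settings (not from the page).
DIRECTORY = {
    "alice": ["Domain Users", "RDP-Admins"],
    "bob": ["Domain Users"],
    "svc-backup": ["Domain Users", "Service Accounts"],
}
BYPASS_ONLY = {"BypassGroups": "Service Accounts"}
CHALLENGE_PLUS_BYPASS = {
    "ChallengeGroups": "RDP-Admins",
    "BypassGroups": "Service Accounts",  # ignored once ChallengeGroups is set
}

if __name__ == "__main__":
    print("bypass only:", audit(DIRECTORY, BYPASS_ONLY))
    print("challenge + bypass:", audit(DIRECTORY, CHALLENGE_PLUS_BYPASS))
```

Note that in the second configuration bob is no longer challenged at all: adding ChallengeGroups switched the host from "challenge everyone except the bypass list" to "challenge only the listed groups".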
FAQ
The LoginTC Windows Logon and RDP Connector protects:
The LoginTC Windows Logon and RDP Connector does not protect:
Does Windows logon work in Safe Mode?
By default, Windows disables all credential providers except the built-in password credential provider when in Safe Mode. If you wish to enable LoginTC in Safe Mode, you can do so by following these instructions:
Does the LoginTC Windows Logon and RDP Connector support Microsoft/Live accounts?
No, the connector does not support Microsoft/Live accounts.

Can the installer be deployed automatically?
Yes, command-line installation is supported: see Command line installation. An end-to-end sample guide on deploying using Group Policy: Automatic LoginTC Windows Logon and RDP Connector Deployment.

Upgrade
To upgrade the LoginTC Windows Logon and RDP Connector, first uninstall the previous version and then install the newer version.

Uninstallation
To uninstall the LoginTC Windows Logon and RDP Connector, navigate to Add or remove programs in the Windows Control Panel, find LoginTC Windows Logon and RDP Connector in the list and follow the prompts. You may also uninstall the LoginTC Windows Logon and RDP Connector from the Command Prompt. This is particularly useful when deploying to a large number of machines. To uninstall from the Command Prompt:
NOTE: The msi file has to be the same version as the one that is installed.

Troubleshooting
You may also be interested in our: