
Frequently Asked Questions


General

Do I need to install anything on my workstations or end-user machines?

No. Authnull Agentless AD runs only on the Domain Controller. There is nothing to install on workstations, laptops, or any other machine in your environment.

Does Authnull Agentless AD work with all versions of Active Directory?

Authnull Agentless AD works with Active Directory on Windows Server 2016, 2019, and 2022. It does not require any specific AD functional level.

Does Authnull Agentless AD work with Azure AD / Entra ID?

Authnull Agentless AD is designed for on-premises Active Directory. It does not currently support Azure AD or Entra ID hybrid join scenarios where authentication is handled by the cloud.

Can I run it on a read-only Domain Controller (RODC)?

No. RODCs do not process authentication — they forward it to a writable DC. Install Authnull Agentless AD on your writable Domain Controllers.

Do I need to install it on every DC?

Yes, if you want complete coverage. Install the sensor on every Domain Controller in your environment. Authentication requests are processed by whichever DC the client reaches, so a DC without the sensor is a gap in coverage.

What happens if some DCs have the sensor and others don't?

Only authentication events handled by a DC running the sensor will be evaluated for MFA. Any DC without the sensor is an uncovered path. For complete enforcement, install the sensor on every writable Domain Controller in your environment.


Authentication & MFA

Which authentication protocols does Authnull Agentless AD cover?

Protocol                              | Covered
--------------------------------------|------------------------------------
Kerberos (AS-REQ / TGT)               |
Kerberos (TGS-REQ / service tickets)  | ✓ (WinDivert mode)
NTLM                                  |
RDP (Network Level Authentication)    |
SMB (domain user, Kerberos path)      | ✓ via Kerberos ticket interception
LDAP simple bind                      | ✓ (event log + WFP)

Does Authnull Agentless AD protect SMB file share access?

Yes, for domain user access. When a domain user accesses a network share, Windows requests a Kerberos service ticket from the DC first — Authnull Agentless AD intercepts that ticket request before the SMB connection is ever opened. No ticket means no access.

Two scenarios are not covered without an endpoint agent:

  • Local account SMB — authentication goes directly between workstations, the DC is not involved
  • Pre-issued tickets — if an attacker already holds a valid Kerberos service ticket from a previous session, the DC is not consulted again until that ticket expires

How does enforcement actually work?

Authnull Agentless AD uses a combination of mechanisms depending on the protocol:

  • Windows Security Event Log — monitors authentication events for Kerberos and NTLM
  • Windows Filtering Platform (WFP) — network-level enforcement for LDAP and SMB
  • SSP DLL — inline NTLM interception at the LSASS level
  • WinDivert — packet-level interception for Kerberos TGS and service ticket requests

In monitor mode all mechanisms are passive. In enforce mode the relevant mechanism holds the authentication until the MFA verdict is returned.

Will users get a push notification every time they access a file share or network resource?

No. After a user approves MFA during login, the approval is cached for a configurable window (default: 2 minutes). Background activity — accessing file shares, Group Policy refresh, Kerberos ticket renewals — does not trigger additional push notifications during that window.

What happens if a user loses their phone or can't approve MFA?

Set unenrolled_action: allow (the default) to let users without an enrolled device through. For users who have a device but can't access it temporarily, an admin can whitelist their username or source IP in the local policy file to bypass MFA until they recover access.

What happens if the Authnull backend is down?

The sensor applies the fallback_action from your config (allow or deny). The default is allow — users can still log in even if the backend is unreachable. A circuit breaker prevents the sensor from hammering an unreachable backend and recovers automatically when connectivity is restored.

Can Authnull Agentless AD enforce MFA for service accounts?

Service accounts can be excluded from MFA using the local policy file. Add them to the service account allowlist and they'll be fast-pathed without any backend call or MFA challenge. This is recommended for automated processes and scheduled tasks.

Does Authnull Agentless AD intercept machine account authentication?

No. Authentication events from machine accounts (usernames ending in $) are filtered out and never enter the MFA pipeline.

What happens if the user's phone has no internet connection?

If the user cannot receive or respond to a push notification, the MFA challenge will time out. The outcome depends on your fallback_action setting — allow lets the authentication through, deny blocks it. Admins can temporarily whitelist affected users via the local policy file.
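The decision path that the answers in this section describe (machine accounts filtered out, local policy fast paths, the cached-approval window, unenrolled_action and fallback_action), as an added Python model. This is illustrative code written for this FAQ, not the sensor's own implementation: the class and field names, the shape of the local policy file, the backend's verdict strings and the sample events are all assumptions made for the example.

```python
# Added illustration, not Authnull's own code: a simplified model of the
# per-event MFA decision the FAQ describes. Names, structures and the
# backend's verdict strings are assumptions made for this example.
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple


@dataclass
class LocalPolicy:
    # Assumed shape of the local policy file: permanent allow rules by
    # username or source IP, plus the service account allowlist.
    allow_users: Set[str] = field(default_factory=set)
    allow_ips: Set[str] = field(default_factory=set)
    service_accounts: Set[str] = field(default_factory=set)


@dataclass
class SensorConfig:
    unenrolled_action: str = "allow"  # FAQ default
    fallback_action: str = "allow"    # FAQ default
    approval_window_s: int = 120      # FAQ default: 2 minutes


@dataclass
class AuthEvent:
    username: str
    source_ip: str
    protocol: str
    timestamp: float  # seconds; events carry their own time so the model is deterministic


class BackendUnreachable(Exception):
    """The Authnull backend could not be reached."""


class MfaPipeline:
    def __init__(self, cfg: SensorConfig, policy: LocalPolicy, backend: Callable[[str], str]):
        # backend(username) returns "approved", "denied" or "unenrolled",
        # or raises BackendUnreachable (assumed interface).
        self.cfg = cfg
        self.policy = policy
        self.backend = backend
        self._approved_until: Dict[str, float] = {}

    def decide(self, ev: AuthEvent) -> Tuple[str, str]:
        """Return (action, reason) for one authentication event."""
        # Machine accounts (trailing $) never enter the pipeline.
        if ev.username.endswith("$"):
            return ("skip", "machine-account")
        # Local policy fast paths: no backend call, no MFA challenge.
        if ev.username in self.policy.service_accounts:
            return ("allow", "service-account")
        if ev.username in self.policy.allow_users or ev.source_ip in self.policy.allow_ips:
            return ("allow", "local-policy")
        # A recent approval suppresses further pushes (file shares, GPO
        # refresh, ticket renewals) until the window expires.
        until = self._approved_until.get(ev.username)
        if until is not None and ev.timestamp < until:
            return ("allow", "cached")
        # Otherwise consult the backend; if it is down, apply fallback_action.
        try:
            verdict = self.backend(ev.username)
        except BackendUnreachable:
            return (self.cfg.fallback_action, "fallback")
        if verdict == "unenrolled":
            return (self.cfg.unenrolled_action, "unenrolled")
        if verdict == "approved":
            self._approved_until[ev.username] = ev.timestamp + self.cfg.approval_window_s
            return ("allow", "mfa")
        return ("deny", "mfa")


def demo_decisions():
    """Run a constructed set of events through the model and return the verdicts."""
    policy = LocalPolicy(allow_users={"helpdesk"}, allow_ips={"10.0.0.5"},
                         service_accounts={"svc_backup"})
    responses = {"alice": "approved", "bob": "denied", "carol": "unenrolled"}

    def backend(user: str) -> str:  # constructed stand-in for the backend
        if user == "dave":
            raise BackendUnreachable()
        return responses.get(user, "denied")

    pipeline = MfaPipeline(SensorConfig(), policy, backend)
    events = [  # constructed sample events
        AuthEvent("WS01$", "10.0.0.20", "Kerberos AS-REQ", 0.0),
        AuthEvent("svc_backup", "10.0.0.21", "NTLM", 0.0),
        AuthEvent("alice", "10.0.0.22", "Kerberos AS-REQ", 10.0),    # login: push sent
        AuthEvent("alice", "10.0.0.22", "Kerberos TGS-REQ", 40.0),   # inside the window
        AuthEvent("alice", "10.0.0.22", "Kerberos TGS-REQ", 200.0),  # window expired
        AuthEvent("bob", "10.0.0.23", "NTLM", 0.0),
        AuthEvent("carol", "10.0.0.24", "LDAP simple bind", 0.0),
        AuthEvent("dave", "10.0.0.25", "RDP", 0.0),
        AuthEvent("erin", "10.0.0.5", "SMB", 0.0),
    ]
    return [pipeline.decide(ev) for ev in events]
```

The ordering matters: the machine-account filter and local policy rules run before any backend call, so a service account or whitelisted IP never generates a push, and only an approval (not a denial) is cached, so a denied user is challenged again on the next event.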


Performance & Reliability

What's the impact on login performance?

In monitor mode: negligible — the sensor processes events asynchronously and has no impact on login latency.

In enforce mode with WinDivert interception: the Kerberos ticket is held while MFA runs. A typical push notification approval takes 3–10 seconds. This latency is by design — the ticket cannot be issued until the user responds.

Backend policy checks (without MFA) add approximately 100–300ms of latency.

What happens during high authentication load?

The sensor processes events concurrently. Per-user deduplication prevents multiple auth events for the same user from all entering the pipeline simultaneously. The circuit breaker protects against backend overload. In the worst case (backend unreachable), the fallback action is applied immediately without any added latency.
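The circuit breaker and per-user deduplication mentioned here, and in the answer above on what happens when the backend is down, as an added Python example. This is not the sensor's code: the failure threshold, cool-down, class names and backend interface are assumptions chosen to show the behaviour the FAQ describes (fail fast to fallback_action with no backend round-trip once the breaker is open, automatic recovery via a probe call, and a single backend call for concurrent events from one user).

```python
# Added illustration, not Authnull's own code: the backend circuit breaker
# and per-user deduplication described in this FAQ. Thresholds, class names
# and the backend interface are assumptions made for this example.
import threading
import time
from concurrent.futures import Future, ThreadPoolExecutor
from typing import Callable, Dict, Tuple


class CircuitOpen(Exception):
    """The breaker refused the call without contacting the backend."""


class CircuitBreaker:
    CLOSED, OPEN, HALF_OPEN = "closed", "open", "half_open"

    def __init__(self, failure_threshold: int = 3, reset_after_s: float = 30.0,
                 clock: Callable[[], float] = time.monotonic):
        self.failure_threshold = failure_threshold
        self.reset_after_s = reset_after_s
        self.clock = clock  # injectable so the cool-down is testable without sleeping
        self.state = self.CLOSED
        self.failures = 0
        self.opened_at = 0.0

    def call(self, fn: Callable[[], str]) -> str:
        if self.state == self.OPEN:
            if self.clock() - self.opened_at < self.reset_after_s:
                raise CircuitOpen()  # fail fast: no round-trip, no added latency
            self.state = self.HALF_OPEN  # cool-down over: let one probe through
        try:
            result = fn()
        except Exception:
            self.failures += 1
            if self.state == self.HALF_OPEN or self.failures >= self.failure_threshold:
                self.state = self.OPEN
                self.opened_at = self.clock()
            raise
        self.failures = 0  # a success closes the breaker again
        self.state = self.CLOSED
        return result


class Evaluator:
    def __init__(self, backend: Callable[[str], str], breaker: CircuitBreaker,
                 fallback_action: str = "allow"):
        self.backend = backend
        self.breaker = breaker
        self.fallback_action = fallback_action
        self._pending: Dict[str, Future] = {}
        self._lock = threading.Lock()

    def _verdict(self, username: str) -> Tuple[str, str]:
        try:
            return (self.breaker.call(lambda: self.backend(username)), "backend")
        except CircuitOpen:
            return (self.fallback_action, "circuit-open")
        except Exception:
            return (self.fallback_action, "backend-error")

    def evaluate(self, username: str) -> Tuple[str, str]:
        # Deduplicate: concurrent events for the same user share the verdict
        # of the call already in flight instead of starting another one.
        with self._lock:
            fut = self._pending.get(username)
            owner = fut is None
            if owner:
                fut = self._pending[username] = Future()
        if not owner:
            return fut.result()
        try:
            result = self._verdict(username)
        except BaseException as exc:
            fut.set_exception(exc)
            raise
        else:
            fut.set_result(result)
            return result
        finally:
            with self._lock:
                self._pending.pop(username, None)


def demo_fail_open() -> Tuple[list, int, str]:
    """Constructed outage: two failures open the breaker, the third event gets the
    fallback without a backend call, and a probe after the cool-down recovers."""
    clock = {"t": 0.0}
    state = {"healthy": False, "calls": 0}

    def backend(user: str) -> str:  # constructed stand-in
        state["calls"] += 1
        if not state["healthy"]:
            raise ConnectionError("backend unreachable")
        return "approved"

    breaker = CircuitBreaker(failure_threshold=2, reset_after_s=30.0, clock=lambda: clock["t"])
    ev = Evaluator(backend, breaker, fallback_action="allow")
    reasons = [ev.evaluate("bob")[1] for _ in range(3)]
    clock["t"] = 31.0
    state["healthy"] = True
    reasons.append(ev.evaluate("bob")[1])
    return reasons, state["calls"], breaker.state


def demo_dedup() -> Tuple[int, list]:
    """Three simultaneous events for one user produce a single backend call."""
    calls = {"n": 0}

    def slow_backend(user: str) -> str:  # constructed stand-in
        calls["n"] += 1
        time.sleep(0.1)
        return "approved"

    ev = Evaluator(slow_backend, CircuitBreaker())
    with ThreadPoolExecutor(max_workers=3) as pool:
        results = list(pool.map(ev.evaluate, ["alice"] * 3))
    return calls["n"], results
```

With fallback_action set to deny instead, the same open breaker would block logins for the duration of the outage, which is why the FAQ's default of allow is the fail-open choice: the trade-off is availability of authentication against enforcement while the backend is unreachable.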

Is the sensor a single point of failure for my domain?

In monitor mode: no — the sensor is fully passive and has no impact on AD functionality.

In enforce mode: if the sensor service stops unexpectedly, WFP rules are cleaned up on shutdown and WinDivert releases held packets. Authnull Agentless AD is designed to fail open rather than take down authentication for the domain.


Security

Can an attacker bypass Authnull Agentless AD by going around the DC?

No. Every Kerberos and NTLM authentication in an Active Directory domain must go through a Domain Controller. There is no way to authenticate against AD without reaching a DC. If Authnull Agentless AD is installed on all DCs, there is no bypass path.

Does Authnull Agentless AD store credentials or authentication data?

No. The sensor processes authentication events in memory and does not store credentials, password hashes, or session tokens. Event metadata (username, source IP, timestamp, protocol) is logged to the Authnull backend for audit purposes.

What permissions does the sensor service need?

The sensor requires:

  • Local Administrator on the DC (to read the Security Event Log and manage WFP rules)
  • Outbound HTTPS to the Authnull backend

It does not require Domain Admin privileges.

Can the local policy file be used to permanently whitelist a user?

Yes. The local policy YAML supports permanent allow rules by username, source IP, or combination. These bypass the backend entirely and never trigger MFA. Use this carefully — a whitelisted user or IP bypasses all enforcement.


Installation & Operations

How do I update the sensor?

  1. Stop the service: sc.exe stop AuthnullDCSensor
  2. Replace the AuthnullDCSensor.exe binary
  3. Start the service: sc.exe start AuthnullDCSensor

Configuration is preserved in sensor.yml — no changes needed unless new config options are required.

How do I uninstall Authnull Agentless AD?

sc.exe stop AuthnullDCSensor
sc.exe delete AuthnullDCSensor

Then remove the binary and C:\ProgramData\Authnull\ if no longer needed. Removing the service has no impact on Active Directory — it leaves no residual configuration behind.

Does Authnull Agentless AD log to SIEM?

The sensor logs to the Windows Application Event Log and optionally to a file. Both can be ingested by standard SIEM collectors (Splunk, Elastic, Sentinel). The Authnull backend also maintains a full audit log of every authentication event, verdict, and enforcement action, accessible from the dashboard.

Is there a way to test enforcement without affecting real users?

Yes. Run in mode: monitor and watch the logs to confirm which events are being detected and what verdicts would be applied. You can also use the local policy file to scope enforcement to a specific test user or source IP while leaving all other users in pass-through mode.