Use Cases

Setting up Windows passwordless login

You can use PingID Windows login - passwordless so that users can sign on to their Windows computers without a password.

Before you begin

To set up and use the PingID integration for passwordless Windows login, the following system requirements must be met:

  • Microsoft Active Directory is running on Windows Server 2016 or later

  • Users' computers must be running Windows 10 (64-bit), and must support TPM 2.0.

You must have:

  • Admin rights for the domain controller

  • A PingOne account

  • A PingID account

Users must have the PingID mobile app installed on their devices and must have already paired the device.

Creating a PingOne environment and connecting it to a PingID account

About this task

Create a new environment in PingOne and connect it to an existing PingID account (to allow syncing of the PingID data) or to a newly-created PingID account.

You must create a new PingOne environment even if you have an existing environment because you cannot connect a PingID account to an existing PingOne environment.

Steps

  1. In the PingOne admin console, click Add Environment.

  2. Select Build your own solution.

  3. Hover over the PingOne SSO element and click Select.

  4. Hover over the PingID element and click Select.

  5. Click Next.

  6. When you are presented with the two options for PingID, choose one of the following:

    • Connect to an existing PingID account.

      After you select this option, enter the credentials that you use for the PingID account.

    • Create a new PingID account.

  7. Click Next.

  8. Enter a name for the new environment.

  9. Select the relevant license.

  10. Click Finish.

Configuring identity store provisioners

About this task

To use passwordless Windows login, user attributes must be mapped to attributes in PingOne.

If you have been using PingFederate with the PingID connector for user provisioning, you must make the transition to using PingFederate with the PingOne Provisioning connector for user provisioning.

You can find more information on using this integration in Provisioning connector in the PingOne Integration Kit documentation.

When mapping attributes, keep in mind that the ObjectSID attribute must be mapped to a unique attribute in PingOne. You can find more information on passing binary attributes in Passing binary attributes to PingOne in the PingOne Integration Kit documentation.

Creating an issuance certificate in PingOne

About this task

The PingID Windows login - passwordless solution uses certificate-based authentication (CBA), so a certificate is required for each user that will be signing on. This requires that you create an issuance certificate in PingOne and then publish the certificate.

Steps

  1. Create an issuance certificate in PingOne.

    Learn more in Adding a certificate and key pair in the PingOne documentation.

  2. Publish the issuance (CA) certificate to Active Directory (AD):

    certutil -dspublish -f <CA certificate filename> NTAuthCA

  3. To verify that the certificate was published, run the following command and make sure that you see the CA certificate in the list:

    certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain name>"

  4. Import the CA certificate in the Group Policy Management Console (GPMC) to publish the CA certificate to end users' computers:

    1. Open the Group Policy Management Console (GPMC).

    2. Locate the relevant domain.

    3. Locate the group policy that you’ll be using.

    4. In the Public Key Policies section, select Trusted Root Certification Authorities and import the CA certificate.
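A non-interactive way to confirm both halves of the procedure above (the NTAuth publication from step 2 and the Trusted Root distribution from step 4). This helper is an added example, not Ping Identity's code; it assumes a domain-joined machine, an elevated PowerShell session, and a path to the issuance certificate file of your own choosing.

```powershell
# Added verification helper (not Ping Identity's code). Run elevated on a
# domain-joined machine; the certificate path below is an assumption.
function Test-IssuanceCertPublished {
    param([Parameter(Mandatory)][string]$CaCertPath)

    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath
    $thumb = $ca.Thumbprint

    # NTAuth is an enterprise store and is not exposed under the Cert: drive.
    # 'certutil -enterprise -store NTAuth' lists it without the dialog that
    # -viewstore opens; each entry prints a 'Cert Hash(sha1):' line.
    $ntAuthHashes = certutil -enterprise -store NTAuth | ForEach-Object {
        if ($_ -match 'Cert Hash\(sha1\):\s*([0-9a-f ]+)') {
            ($Matches[1] -replace ' ', '').ToUpper()
        }
    }

    # The GPO import in step 4 lands the certificate in the machine's
    # Trusted Root store (after group policy has refreshed on the client).
    $inRoot = Test-Path "Cert:\LocalMachine\Root\$thumb"

    [pscustomobject]@{
        Subject       = $ca.Subject
        Thumbprint    = $thumb
        NotAfter      = $ca.NotAfter
        InNTAuth      = @($ntAuthHashes) -contains $thumb
        InTrustedRoot = $inRoot
    }
}

# Example call; replace the path with the CA certificate file you published.
Test-IssuanceCertPublished -CaCertPath 'C:\temp\pingone-issuance.cer'
```

On a client computer, run gpupdate /force first if InTrustedRoot is still false; InNTAuth reflects the domain-wide store and is the check step 3 performs through the GUI.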

Creating an authentication policy (Windows passwordless)

Steps

  1. In the PingOne admin console, open the environment you are using for Windows login - passwordless.

  2. Click the Identities icon.

  3. Click Attributes.

  4. In the list of attributes, locate the PingOne attribute that you mapped to ObjectSID.

  5. Click the Pencil icon to edit the attribute properties.

  6. Select the Enforce Unique Values check box. Confirm the choice if prompted to do so.

  7. Click Save.

  8. Click the Experiences icon.

  9. Click Authentication Policies.

  10. Click Add Policy.

    Result:

    The policy definition page opens.

  11. Enter a name for the policy.

  12. For Step Type, select Windows Login Passwordless.

  13. In the Match Attributes list, select the attribute that you mapped to ObjectSID.

    This list includes any attributes that you have specified as unique by selecting the Enforce Unique Values option.

  14. Optional: Select the Offline Mode option if you want to allow users to sign on when PingOne or PingID are not available.

  15. Click Save.

Creating and configuring a passwordless Windows login application in PingOne

About this task

After creating the authentication policy, you can now create the application for passwordless Windows login:

Steps

  1. Go to the PingOne admin console and open the environment that you are using for Windows login - passwordless.

  2. Click the Connections icon.

  3. Click Applications.

  4. Click the icon to add a new application.

  5. For the Application Type, select Native App.

  6. Click Configure.

  7. Enter a name and description for the application. Click Next.

  8. Enter the redirect URL, winlogin.pingone.com://callbackauth, and then click Save and Continue.

    You can skip the Grant Resource Access and Attribute Mapping steps.

  9. In the Certificate Based Authentication section, click the Enabled toggle.

    Screen capture of the Certificate Based Authentication section. The Enabled toggle is selected.

  10. Select an existing issuance certificate.

  11. Go to the application’s Policies tab and drag the passwordless policy that you created from the All Policies list to the Applied Policies list.

    Screen capture of the Policies tab. Applied Policy has passwordless_policy added to it

Generating a KDC certificate

About this task

If there is not yet a certificate for the KDC server that you will be using, you will need to generate one.

The KDC certificate is used as part of the Kerberos PKINIT mutual authentication mechanism. If you already have a KDC certificate installed on your Active Directory Domain Controllers, you don't need to perform this task.

Steps

  1. Create an .inf file containing the following information:

    [NewRequest]
    Subject = "CN=<hostname>"
    KeyLength = 2048
    MachineKeySet = TRUE
    Exportable = FALSE
    RequestType = PKCS10
    SuppressDefaults = TRUE
    [Extensions]
    ; Note: 2.5.29.17 is the OID for a SAN extension.
    2.5.29.17 = "{text}"
    _continue_ = "dns=<DNS hostname>"

    For more information on the contents of .inf files for the certreq command, see Certreq in the Microsoft documentation.

  2. Generate a certificate signing request from your KDC server by running certreq -new '<path to the .inf file>' 'kdc.req'.

  3. In the PingOne admin console, open the application that you created for passwordless Windows login.

  4. Click the Configuration tab of the application.

  5. Scroll down to the Certificate Based Authentication section.

    Screen capture of the Certificate Based Authentication section

  6. For the KDC certificate signing request that you created previously with the certreq command:

    1. Set the number of days until the certificate should expire.

    2. Click Upload request and Issue Certificate to have the certificate issued.

      The KDC certificate does not have to be signed by the issuance certificate that you created with PingOne. Any valid certification path will work.

  7. Install the KDC certificate on your server:

    certreq -accept -machine -f <KDC certificate filename>
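The request and install steps above, scripted for the domain controller you are running on. This is an added example, not Ping Identity's code: it fills the .inf template from step 1 with the host's own FQDN, runs certreq -new, and after you have had PingOne issue the certificate (steps 3 to 6) installs it and confirms that the machine store holds a certificate with that DNS name and its private key. File paths and function names are assumptions.

```powershell
# Added helper (not Ping Identity's code). Run elevated on the KDC.
function New-KdcCertRequest {
    param(
        [string]$InfPath     = "$env:TEMP\kdc.inf",   # assumed location
        [string]$RequestPath = "$env:TEMP\kdc.req"    # assumed location
    )
    # The fully qualified host name goes into both the subject and the SAN.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $inf = @"
[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
SuppressDefaults = TRUE
[Extensions]
; 2.5.29.17 is the OID of the subjectAltName extension
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
"@
    Set-Content -Path $InfPath -Value $inf -Encoding ASCII
    certreq -new $InfPath $RequestPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    Get-Item $RequestPath   # upload this file in the PingOne admin console
}

# Step 7: install the certificate PingOne issued, then verify the result.
# PKINIT needs a certificate in the machine store that names this host in
# its SAN and has the matching private key, so both are checked.
function Install-KdcCert {
    param([Parameter(Mandatory)][string]$CertPath)
    certreq -accept -machine -f $CertPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and (@($_.DnsNameList.Unicode) -contains $fqdn)
    } | Select-Object Subject, Thumbprint, NotAfter
}

# Usage: New-KdcCertRequest, upload kdc.req in PingOne, then
# Install-KdcCert -CertPath 'C:\temp\kdc.cer'   (assumed download path)
```

If Install-KdcCert returns nothing, the private key generated by certreq -new was not found on this machine; the request and the accept must be run on the same domain controller.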

Installing the Windows login - passwordless integration on client computers

Before you begin

  • To use the Windows login - passwordless feature, users' computers must be running Windows 10 and must support TPM 2.0.

  • The first time that a user carries out passwordless Windows login, they must be online and connected to the organizational network because certificate enrollment requires a connection to Active Directory. Afterward, there is no need for a connection to the network, and authentication can be carried out online or offline for as long as the certificate is valid.
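A readiness check for a client computer against the two prerequisites above (TPM 2.0 and a connection to Active Directory for the first sign-on), plus the 64-bit Windows 10 requirement. This is an added example, not part of the PingID installer; it assumes an elevated PowerShell session, because the Win32_Tpm class requires administrator rights.

```powershell
# Added readiness check (not Ping Identity's code). Run elevated on the client.
function Test-PasswordlessClientReady {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # SpecVersion reads like "2.0, 0, 1.38"; only the first field matters here.
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # The first sign-on enrolls a certificate through Active Directory, so the
    # machine must be domain-joined and able to reach a domain controller now.
    $dcReachable = try { Test-ComputerSecureChannel -ErrorAction Stop } catch { $false }

    $checks = [ordered]@{
        Windows10_64bit = ($os.Caption -like '*Windows 10*') -and ($os.OSArchitecture -like '64*')
        Tpm20Present    = ($tpmVersion -eq '2.0')
        TpmEnabled      = [bool]($tpm -and $tpm.IsEnabled_InitialValue)
        DomainJoined    = [bool]$cs.PartOfDomain
        DcReachable     = [bool]$dcReachable
    }
    $checks.AllPassed = -not (@($checks.Values) -contains $false)
    [pscustomobject]$checks
}

Test-PasswordlessClientReady
```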

About this task

To install the integration for Windows login - passwordless on your users' computers using the UI-based method:

Steps

  1. Run the provided executable, and when the welcome page is displayed, click Next.

    Screen capture of the Setup - Windows Login - Passwordless window that opens after you run the executable

  2. Accept the license agreement and click Next.

    Screen capture of the EULA page with I accept the agreement selected

  3. The settings that must be entered on the Passwordless Sign-on Settings page should be copied from the Configuration tab of the application that you created for Windows login - passwordless in PingOne. If your organization uses a proxy, click Configure Proxy. Otherwise, click Next.

    Screen capture of the Windows login - passwordless Passwordless Sign-on Settings page

  4. If you clicked Configure Proxy in the previous step, enter the proxy information, click Apply, and when you are returned to the Passwordless Sign-on Settings page, click Next.

    Screen capture of the Windows login - passwordless Proxy Configuration page

  5. When the Ready to Install page is open, click Install to start the installation.

    Screen capture of the Windows login - passwordless Ready to Install page

Using the PowerShell script for setting up Windows login - passwordless

About this task

You can use the Configure-Passwordless.ps1 PowerShell script to quickly perform the steps required to set up Windows login - passwordless.

Only use this for purposes such as informal testing or demonstrations. Do not use for a production instance.

Steps

  • Run Configure-Passwordless.ps1.

    The script carries out the following steps:

    • Creates the CA certificate and installs it, including publishing it through group policy

    • Sets externalId to be a unique attribute

    • Creates the authentication policy

    • Creates and configures the passwordless Windows login application

    • Creates a KDC certificate: creates the request, issues the certificate from the request, and installs the certificate

    You can download the script from GitHub.

Troubleshooting Windows login - passwordless

If you encounter any issues with Windows login - passwordless, review the information that is recorded in the log files and the event information that is displayed in the Audit window in PingOne.

You can find detailed activity information regarding Windows login - passwordless in the log files that are located in the logs folder under the folder that you specified during installation (the default location is C:\Program Files\Ping Identity\PingID\Windows Passwordless\logs). To include a greater level of detail in the log files, contact customer support for instructions on how to set the logging level to Debug.

For some of the log files, there is no mechanism to limit the file size. You shouldn’t leave the logging at Debug level for an extended period of time.

The Audit window in PingOne includes information on events, such as certificate creation and user authentication. You can find more information in the Audit section in the PingOne documentation.