PingID Administration Guide

Installing the PingID integration for Windows login using UI wizard

Before you begin

Adding multi-factor authentication (MFA) to Windows login carries the risk of locking yourself out of the machine. See Prerequisites for installing PingID integration for Windows login before proceeding.

About this task

To install the PingID integration for Windows login using the UI wizard:

Steps

  1. On the PingID Downloads page, go to Integrations, and download and extract PingID for Windows login.

    If your version of Windows login is more than two versions behind the current version listed on the downloads page, you must uninstall your current version of PingID for Windows login before you install the new version.

  2. Double-click the PingIDWindowsLogin<version>.exe file to launch the setup wizard, and then click Next.

    A screen capture of the PingID Windows login file with Open highlighted.
  3. Review the Software License Agreement, click I accept the agreement, and then click Next.

    A screen capture of the Setup - PingID for Windows window with the preferred integration chosen as PingID through PingID.
  4. In the Organization Information window, select the integration type. Choose from:

    • PingID: Integrate PingID directly with Windows login.

    • PingID through PingFederate: Integrate PingID with Windows login through PingFederate.

  5. In the Organization Information window, click Browse, and then select the pingid.properties file that you want to use.

    When integrating with PingFederate, for security reasons it is recommended that you use the Windows and Mac login PingID properties file in both the PingID Adapter, and in the Windows Login installation.

    A screen capture of the Setup - PingID for Windows window showing the Organization Information step with a field to upload your organization’s PingID properties file.
  6. If your connection is behind a proxy: click Configure Proxy and then configure the options relevant for your proxy. If you prefer to have the communication with PingFederate not go through the proxy, click the Bypass proxy for PingFederate communications check box.

    A screen capture of the Proxy Configuration in Windows login installation.
  7. For PingID through PingFederate integration only: In the base URL field, enter the PingFederate base URL, and then click Next.

    A screen capture of the Setup - PingID for Windows - Organization information step for you to enter your base URL for PingID.
  8. In the Authentication Type window:

    1. Select when you want to apply PingID authentication. Choose from:

      • Remote and local login: Users are required to authenticate with PingID when connecting to Windows login locally or remotely.

      • Remote logins: Users connecting to the Windows login machine remotely are required to authenticate with PingID. Users bypass PingID authentication when logging in locally.

      • Local logins: Users connecting to the Windows login machine locally are required to authenticate with PingID. Users bypass PingID authentication when signing on remotely.

    2. (Optional) Select the relevant check box to apply PingID to Local accounts, Microsoft accounts, or both.

      • Local accounts: User accounts that are stored on the local machine.

      • Microsoft accounts: A Microsoft account is used to access Microsoft devices and services associated with a specific user, for example, johndoe@outlook.com. The PingID integration for Windows recognizes all types of Microsoft accounts.

      Authentication type window showing options for when to apply PingID authentication, and checkbox options to apply PingID authentication to local and Microsoft accounts, in addition to domain accounts.
    3. Click Next. The Manual Authentication Methods window is displayed.

    A screen capture of the Setup - PingID for Windows process - Manual Authentication Methods step for selecting which methods are allowed.
  9. To define the behavior when the PingID server is unavailable or the user is offline (for example, when the connection to the PingID server can’t be verified at the time of sign on), either enable or disable manual authentication:

    Choose from:

    • Enable manual authentication:

      1. In the Manual Authentication Methods window, select at least one manual authentication method and then click Next. The Authentication Type window displays offline authentication options.

      2. In the Authentication Type window, select whether to use PingID offline MFA or to allow the user to bypass PingID MFA when offline (for example, with no internet connection). Select one of the following and then click Next:

        • Yes: The user is prompted to authenticate through the manual (offline) authentication flow. At least one offline authentication method must be paired for the user to authenticate, otherwise the user is blocked.

        • No: If the user does not have at least one offline authentication method paired with their account, PingID bypasses MFA during sign on.

    A screen capture of the Setup - PingID for Windows process - Authentication Type step for setting whether PingID manual authentication using mobile app or security key while offline is required. Yes is selected.
    • Disable manual authentication and define behavior when the PingID server is offline:

      1. In the Manual Authentication Methods window, leave all check boxes cleared and click Next. The Offline Authentication page displays a list of options when the user is offline.

      2. In the Authentication Type window, select one of the following, and then click Next:

        • Block: The user cannot sign on while offline.

        • Bypass: Bypass MFA with PingID, allowing user to complete sign on.

    A screen capture of the Setup - PingID for Windows process - Authentication Type step for selecting which action will be taken when manual authentication is disabled.

    The PingID offline MFA feature is available from PingID integration for Windows login 2.0 or later, with a paired mobile device using PingID mobile app 1.8+.

    Pairing and use of a security key for offline authentication requires PingID integration for Windows login 2.3 or later. If using PingID integration for Windows login 2.2 or earlier, security key for offline authentication is not permitted, and the flow is different.

  10. In the PingID Username Mapping window:

    1. In the Legacy username parsing convention field:

      • Specify your organization’s default domain. The domain must:

        • Use the @domainname format, such as @somewhere.com.

        • Be a maximum of 50 characters.

        The string entered in this field is appended to the username during sign on, so users can enter just their username, such as jsmith, rather than the full user and domain name, as in jsmith@pingidentity.com.

        • If you select this option without providing a default domain, the SAMAccountName is used.

        • This option is not recommended in environments with multiple domains, or in environments where PingID is also used to sign on locally.

      • (Optional) Select Allow Multiple Domains to allow the user to sign on from any domain in addition to the default domain. If the user specifies a domain, that domain is used, otherwise the default domain is used. This option is available with PingID for Windows login 2.2 and higher.

        • Do not use this option if you did not specify a default domain in the Legacy username parsing convention field.

        • If you selected Allow Multiple Domains, users should use only the UserPrincipalName format (and not the samAccountName).

        • If you applied PingID authentication to local or Microsoft accounts, the recommended username mapping is objectSID.

    2. In the Specific username mapping field, select the attribute that you want to use to verify the user account.

      A screen capture of the PingID username mapping window showing legacy username parsing convention option, and the option to specify a username mapping attribute from a list.

      Examples showing how the username is mapped in PingID:

      • UPN: Use the userPrincipalName.

        jsmith@domain.com
      • SAM: Use the Domain Name as prefix, or the computer name when logged in locally, and then the SAMAccountName.

        DOMAIN\jsmith
      • SID: Use the object SID.

        S-1-5-21-668608636-2615149724-2645577550-1111

        For security reasons, when using Windows login in a multiple domain environment, it is recommended to use this configuration, rather than the legacy username parsing convention.

    3. Click Next.

      A screen capture of the Setup - PingID for Windows process - Organization Domain (optional) step for entering your organization’s domain to only require username at login and the field to enter the domain.
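As an added example (not Ping Identity's code and not part of this guide), the following PowerShell shows, for one account, the values that the UPN, SAM and SID mappings described in this step would resolve to, and checks a candidate value for the Legacy username parsing convention field against the rules stated above (@domainname form, at most 50 characters). The function names are hypothetical; the UPN lookup assumes a domain-joined machine that can reach a domain controller, and 'DOMAIN\jsmith' in the usage lines is a placeholder account name.

```powershell
# Added example, not part of the PingID guide. Function names are hypothetical.

function Test-PingIdDefaultDomain {
    # Checks a value intended for the "Legacy username parsing convention" field
    # against the rules the guide states: "@domainname" form, at most 50 characters.
    param([Parameter(Mandatory)][string]$Domain)

    $problems = @()
    if (-not $Domain.StartsWith('@')) { $problems += 'must start with "@"' }
    if ($Domain.Length -gt 50)        { $problems += 'exceeds 50 characters' }
    if ($Domain -match '\s')          { $problems += 'contains whitespace' }
    if ($Domain.Length -lt 2)         { $problems += 'no domain name after "@"' }

    [pscustomobject]@{
        Domain   = $Domain
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

function Get-PingIdMappingPreview {
    # Shows what the SAM, UPN and SID username mappings resolve to for one account,
    # so you can pick the attribute that is unique across all of your domains.
    param(
        # DOMAIN\user for a domain account, or COMPUTER\user for a local account.
        # Defaults to the account running this script.
        [string]$Account = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    )

    # SAM mapping: domain (or computer) name as prefix, then the SAMAccountName.
    $sam = $Account

    # SID mapping: resolve the account name to its object SID.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # UPN mapping: look the user up in the domain (assumes domain membership).
    $upn = $null
    try {
        Add-Type -AssemblyName System.DirectoryServices.AccountManagement
        $ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain')
        $name = ($Account -split '\\')[-1]
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
            $ctx, [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName, $name)
        if ($user) { $upn = $user.UserPrincipalName }
    } catch {
        # Local and Microsoft accounts have no domain UPN; the guide recommends objectSID for them.
        $upn = $null
    }

    [pscustomobject]@{ Account = $Account; SAM = $sam; UPN = $upn; SID = $sid }
}

# Usage
Test-PingIdDefaultDomain '@somewhere.com'
Test-PingIdDefaultDomain 'somewhere.com'
Get-PingIdMappingPreview
Get-PingIdMappingPreview -Account 'DOMAIN\jsmith'   # placeholder account name
```

Run the preview for a few accounts from each domain you have: if two accounts in different domains produce the same SAM value, that is the collision the guide warns about, and the SID (unique and stable per object) is the mapping to choose. A local account on a domain-joined machine returns no UPN, which is why the guide recommends objectSID when PingID is applied to local or Microsoft accounts.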
  11. In version 2.8 of the Windows login integration, an improved implementation was introduced for the use of security keys while offline. If the installation program detects security keys that were paired prior to this change, you are presented with the following options:

    • Allow: Allow users to continue using these keys (this option is not recommended)

    • Inform: Allow users to continue using these keys, but inform them that these keys should be manually deleted

    • Delete: Automatically delete the keys that were paired before the change was introduced

  12. To select the folder in which to install PingID, click Browse, select the destination folder or accept the default, and click Next.

  13. Click Install.

  14. When the installation is complete, click Yes to restart the computer and apply the changes.

    A screen capture of the Completing the PingID for Windows Setup Wizard step.

    The next time the user signs on to the Windows machine, they will need to authenticate with PingID.

  15. Delete the downloaded pingid.properties file after the installation has completed.

    The OrgData1, OrgData2, … fields in the HKEY_LOCAL_MACHINE\SOFTWARE\Ping Identity\PingId\PingIdCredProv registry key are encrypted and should not be edited.

  16. To verify the installation was successful, test that the user can sign on to the Windows machine using their password and PingID MFA.
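As an added example (not Ping Identity's code and not part of this guide), the following PowerShell performs the post-installation checks for steps 14 to 16 from the machine itself: that the downloaded pingid.properties file has been deleted, that the credential provider registry key named above exists and carries non-empty OrgData values, that ordinary users do not hold write access to that key (its values must not be edited), and whether a restart is still pending. The function name is hypothetical, the properties-file location is an assumed default download path, and the reboot check uses a common Component Based Servicing indicator rather than anything PingID-specific.

```powershell
# Added example, not part of the PingID guide. Function name is hypothetical;
# the registry path is the one the guide names. The properties-file path is an
# assumed download location; pass -PropertiesFile if you saved it elsewhere.

function Test-PingIdWindowsLoginInstall {
    param(
        [string]$PropertiesFile = (Join-Path $env:USERPROFILE 'Downloads\pingid.properties'),
        [string]$RegPath        = 'HKLM:\SOFTWARE\Ping Identity\PingId\PingIdCredProv'
    )

    $r = [ordered]@{}

    # Step 15: the downloaded pingid.properties file should be gone.
    $r['PropertiesFileRemoved'] = -not (Test-Path -LiteralPath $PropertiesFile)

    # The credential provider key should exist and carry the encrypted OrgData values.
    $r['RegistryKeyPresent'] = Test-Path -LiteralPath $RegPath
    $r['OrgDataFieldCount']  = 0
    $r['OrgDataAllNonEmpty'] = $false
    $r['UsersCanWriteKey']   = $null
    if ($r['RegistryKeyPresent']) {
        $props   = Get-ItemProperty -LiteralPath $RegPath
        $orgData = @($props.PSObject.Properties | Where-Object { $_.Name -like 'OrgData*' })
        $r['OrgDataFieldCount']  = $orgData.Count
        $r['OrgDataAllNonEmpty'] = ($orgData.Count -gt 0) -and
            (@($orgData | Where-Object { [string]::IsNullOrEmpty([string]$_.Value) }).Count -eq 0)

        # The guide says these values must not be edited: flag ACEs that grant
        # SetValue on the key to broad, non-administrative identities.
        $setValue = [System.Security.AccessControl.RegistryRights]::SetValue
        $acl = Get-Acl -LiteralPath $RegPath
        $r['UsersCanWriteKey'] = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -match '(^|\\)(Users|Authenticated Users|Everyone)$' -and
            (($_.RegistryRights -band $setValue) -eq $setValue)
        }).Count -gt 0
    }

    # Step 14: the wizard asks for a restart; report whether one is still pending.
    $r['RebootPending'] = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'

    [pscustomobject]$r
}

# Usage: run after the restart, then complete step 16 with a real sign-on.
Test-PingIdWindowsLoginInstall
```

Expect PropertiesFileRemoved and RegistryKeyPresent to be true, OrgDataFieldCount to be greater than zero with OrgDataAllNonEmpty true, UsersCanWriteKey false, and RebootPending false once the machine has been restarted. A true UsersCanWriteKey means a standard user could alter the credential provider's configuration and warrants correcting the key's ACL before the interactive sign-on test in step 16.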