Background concepts for the PingID for Windows Login - Passwordless integration

Active Directory: A directory service for Windows domain networks. The centralized directory that manages the domain-joined clients that are integrated using PingID with passwordless Windows login.

Domain controller (DC): Required to manage the security and identity requests in a Windows domain and hosts the Key Distribution Center (KDC). It runs the Active Directory Domain Services (AD DS) role.

Active Directory Domain Services (AD DS): Provides the fundamental structure for user and group management and domain integrity. It issues the KDC certificates that are crucial for the Kerberos authentication process in the passwordless login flow.

Group Policy Management Console and Group Policy Objects (GPO): The GPO is the method used to push out and install the PingID integration software onto client machines using the provided Microsoft Installer (MSI). It also pushes out configuration settings that PingID needs to function properly on managed, domain-joined clients.

Windows credential providers: The specific framework PingID hooks into to override standard credential prompts with a custom passwordless interface. It orchestrates a handshake between the local Windows session, the Active Directory identity, and the PingID Cloud account to validate the user’s identity.

Networking and connectivity: Facilitation of authorized traffic between clients, domain controllers, and PingOne cloud requires well-configured DNS and firewall rules to resolve properly.

DNS: Maps human-readable domain names to IP addresses. Having DNS configured correctly ensures that clients can resolve the needed services and endpoints for authentication.

Firewall: Monitors and controls incoming and outgoing network traffic based on configured security rules. Because firewalls can block or inspect HTTPS traffic, their configuration is a common source of connectivity issues. For the Windows Login – Passwordless integration, ensure the firewall allows outbound HTTPS connections to the required PingID endpoints.

Trusted Platform Module (TPM): A hardware-based security component that provides secure storage for cryptographic keys. In a passwordless context, the TPM acts as the secure storage for the private keys used in FIDO2 and WebAuthn flows, ensuring no process can export or tamper with them.

Remote Desktop Protocol (RDP): You can configure Windows Login (passwordless) for use with RDP.

Certificates: The integration relies on certificate-based authentication to sign the user on without a passcode.

Public Key Infrastructure (PKI): Background in trust chains and digital certificates to help in creating specific certificates for authentication. In PKI-reliant systems, certificate errors often are the reason for deployment failure. Administrators must ensure the validity of the entire trust chain. The integration relies on KDC certificates issued by an internal CA and issuance certificates managed within PingOne. If there are issues with the certificates, the authentication process will fail, so understanding PKI concepts is crucial for troubleshooting.

Certificate Authority (CA): An internal CA, like AD CS, is necessary to issue the KDC certificate.

Key Distribution Center (KDC) certificates: Issued by an internal certificate authority like AD CS for Active Directory, they’re used in the Kerberos authentication process.

Issuance certificates: Managed within PingOne, they are used to establish trust between the on-premise environment and the PingID cloud services.

Kerberos (protocol): The integration relies on the KDC issuing Kerberos tickets. Understanding this is crucial for troubleshooting.

Public Key Cryptography for Initial Authentication (PKINIT) configuration: Allows the use of certificates and public key cryptography in the Kerberos protocol initial authentication exchange.

FIDO2 and WebAuthn: FIDO2 is a set of specifications for passwordless authentication using public key cryptography. It includes the web authentication API (WebAuthn) to perform secure authentication.

WebAuthn.io: A tool you can use to test the WebAuthn protocol.

Audit the PingOne log files: The PingOne log files provide detailed activity information about Windows Login - Passwordless.

Windows Event Viewer: Use the Applications and Services Logs to diagnose issues. Check entries for the PingID Credential Provider to determine why a login attempt failed.

certmgr.msc: The Microsoft Management Console (MMC) snap-in to manage the current user’s certificates. You can use it to verify that root and intermediate CAs are correctly placed in the user’s certificate store. To open it, run certmgr.msc from the Run command or command prompt.

certutil: A command-line utility that you can use for verifying certificate validity and checking revocation status.

PowerShell: Essential for automating environment configuration and bulk management.

SSL Shopper: A tool to visualize and verify the certificate trust chains, ensuring that the server is configured correctly.