PingID Administration Guide

Troubleshoot the PingID integration for Windows login

The following sections describe common issues that administrators or end users might encounter and their solutions.

Installation completed successfully, but users are unable to access the Windows machine using PingID MFA

An open admin session is required to investigate or recover from this scenario.
If an admin session is open

  • Analyze the registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Ping Identity\PingId\PingIdCredProv to verify that the correct settings have been defined. For more information, see the parameter table in the topic Installing the PingID integration for Windows login using CLI.

    The three OrgData fields are encrypted and should not be edited.

If your organization uses PingID’s Europe or Australia & New Zealand data centers verify that the correct URL entry is listed for their data center’s authenticator address.

  • Analyze the installation log file and confirm that the parameter values entered are correct. If necessary, forward the log file to PingID support.

    The installation log file is located in the admin installation user’s TEMP directory, unless the CLI option /LOG was used to create it in a different location.

  • Optionally, change registry settings temporarily to suspend PingID MFA for local or remote users.

  • Optionally, uninstall PingID from the machine and attempt the installation again. Then, check the results.

    If there are no open admin sessions, check if one of the following options can be used to open an admin session and then continue with the previous steps ("If an admin session is open").

  • If the installation was configured for PingID authentication for remote logins only, then sign on locally as administrator to bypass PingID authentication.

  • If the installation was configured for PingID authentication for local logins only, then sign on remotely as administrator to bypass PingID authentication.

  • If the installation was configured to bypass PingID authentication when there is no Internet connection available at the time of sign on, then disconnect the machine from the network to permit signing on.

  • If none of the above scenarios permit you to open an admin session, restart the machine in Windows Safe Mode and sign on as an administrator.

If the installation was completed but the machine was not restarted yet, a restart might be required.

Admin console: Users by Service has duplicate entries for the same user

Go to Users → Users by Service. In the Users by Service section, there appear to be duplicate rows for some users.

This is the result of different values for the username of the PingID account compared with the username value in the Windows Security Account Manager (SAM). For example, an existing user of other PingID services, johndoe, starts to use PingID integration for Windows login to access a Windows server, where his username is johndoe@somewhere.com. Although this is the same user, PingID regards him as two different users, resulting in two entries in the Users by Service table.

Files not removed when installation was canceled

There can be scenarios where files were not removed after the installation has been canceled. These situations depend on the state of progress the installation reached at the time that it was canceled, and they are more prevalent when the CLI is used and interrupted in the middle of the installation.

To remove the files, you should first attempt to uninstall the PingID integration for Windows login according to the uninstall instructions page. For more information, see Uninstall the PingID integration for Windows login.

If the uninstall procedure does not succeed, go to the installation directory, default C:\Program Files\Ping Identity\PingID\WindowsLogin, or other destination if the default was changed during installation, and manually remove the files.

Installation fails on message "Can’t establish a PingID connection. Verify your configuration and Internet connection."

A screen capture of the error message

This error message indicates that the Windows machine being configured for PingID integration with Windows login is unable to connect to the PingID server. Check the following when troubleshooting:

  • The Windows machine must have a working Internet connection.

  • Verify that the authenticator URL matches the entry in your organization’s pingid.properties file.

  • If a proxy address and credentials are required, verify the values entered.

For further details, see Installing the PingID integration for Windows login.