PingID Administration Guide

Troubleshooting passwordless Windows login

Try these troubleshooting steps if you encounter any issues with passwordless Windows login.

Check the log files

You can review the information that is recorded in the log files and the event information that is displayed in the Audit window in PingOne.

  • You can find detailed activity information regarding Windows Login - Passwordless in the log files that are located in the /logs folder below the folder that you specified during installation (default location is C:\Program Files\Ping Identity\PingID\Windows Passwordless\logs).

  • To include a greater level of detail in the log files, carry out the following steps to set the logging level to DEBUG:

    1. Open the Registry Editor.

    2. Under HKEY_LOCAL_MACHINE\SOFTWARE\Ping Identity\PingId\WindowsPasswordless, add a new key of type Dword32 called LogLevel.

    3. Set the value of the new key to 1.

    4. After making the change to the registry, restart the PingIDESVC service or restart the computer.

      To restore the logging level to INFO, change the value of the key to 0 and restart the PingIDESVC service or the computer.

      For some of the log files, there is no mechanism to limit the file size. So it’s best not to leave the logging at DEBUG level for an extended period of time.

  • The Audit window in PingOne includes information on events such as certificate creation and user authentication (for more information, see the Audit section in the PingOne help).

Check Windows Event Viewer

View user information related to Windows login passwordless events, including online and offline authentication, failed login attempts, and RDP authentication attempts in Windows Event Viewer.

  1. Open Windows Event Viewer.

  2. Go to Windows Logs → Application.

    Windows Event Viewer showing Windows login passwordless events, and the path required to view them (click the Windows Logs folder, and then the Application folder)

    Windows login passwordless events are listed in the Source column as PingID Windows login.

Check for certificate configuration errors

If you encounter errors related to certificate configuration, carry out the following steps to try to identify the problem:

In the steps below, it is assumed that the installation folder used for the PingID integration is C:\Program Files\Ping Identity\PingID\Windows Passwordless. If your installation folder is different, update the paths accordingly.

  1. Open the .cer file to check whether the certificate is valid:

    1. Look in the folder C:\Program Files\Ping Identity\PingID\Windows Passwordless\Certificates and find the subfolder that is composed of letters and numbers, such as 19-92-6E-C6-01-A1-40-0E-63-B7-A1-BB-C3-E0-D1-75-85-00-49-4B-53-A2-E7-9F-15-E0-75-AD-20-0C-B4-F0.

    2. In the subfolder, you’ll see a file called Certificate.cer.

    3. Double-click the .cer file and go to the Certification Path tab. You can see the Certificate Status there.

  2. Assuming the certificate is valid, open a command prompt and navigate to the folder containing the .cer file. Run the command:

    certutil.exe -verify -urlfetch Certificate.cer

    If the certificate is OK, the command should exit with the message:

    CertUtil: -verify command completed successfully

  3. If the certutil command ran successfully, enable EventViewer logging for Security-Kerberos and the CAPI2:

    1. Run Event Viewer.

    2. In Event Viewer, select Applications and Services Logs → Microsoft → Windows.

    3. Below Windows, find Security-Kerberos, right-click it, and enable logging.

    4. Below Windows, find CAPI2, right-click it, and enable logging.

  4. Try the passwordless log-in again, and then check for errors in Event Viewer. See if there are any Security-Kerberos errors (under Applications and Services Logs → Microsoft → Windows → Security-Kerberos → Operational ) or CAPI2 errors (under Applications and Services Logs → Microsoft → Windows → CAPI2 → Operational ).