Troubleshooting passwordless Windows login
Try these troubleshooting steps if you encounter any issues with passwordless Windows login.
Check the log files
You can review the information that is recorded in the log files and the event information that is displayed in the Audit window in PingOne.
- You can find detailed activity information regarding Windows Login - Passwordless in the log files that are located in the /logs folder below the folder that you specified during installation (default location is C:\Program Files\Ping Identity\PingID\Windows Passwordless\logs).
- To include a greater level of detail in the log files, carry out the following steps to set the logging level to DEBUG:
  - Open the Registry Editor.
  - Under HKEY_LOCAL_MACHINE\SOFTWARE\Ping Identity\PingId\WindowsPasswordless, add a new key of type Dword32 called LogLevel.
  - Set the value of the new key to 1.
  - After making the change to the registry, restart the PingIDESVC service or restart the computer.

  To restore the logging level to INFO, change the value of the key to 0 and restart the PingIDESVC service or the computer.

  For some of the log files, there is no mechanism to limit the file size. So it’s best not to leave the logging at DEBUG level for an extended period of time.
- The Audit window in PingOne includes information on events such as certificate creation and user authentication (for more information, see the Audit section in the PingOne help).
Check Windows Event Viewer
View user information related to Windows login passwordless events, including online and offline authentication, failed login attempts, and RDP authentication attempts in Windows Event Viewer.
- Open Windows Event Viewer.
- Go to Windows Logs → Application.

  Windows login passwordless events are listed in the Source column as PingID Windows login.
Check for certificate configuration errors
If you encounter errors related to certificate configuration, carry out the following steps to try to identify the problem:
In the steps below, it is assumed that the installation folder used for the PingID integration is |
- Open the .cer file to check whether the certificate is valid:
  - Look in the folder C:\Program Files\Ping Identity\PingID\Windows Passwordless\Certificates and find the subfolder that is composed of letters and numbers, such as 19-92-6E-C6-01-A1-40-0E-63-B7-A1-BB-C3-E0-D1-75-85-00-49-4B-53-A2-E7-9F-15-E0-75-AD-20-0C-B4-F0.
  - In the subfolder, you’ll see a file called Certificate.cer.
  - Double-click the .cer file and go to the Certification Path tab. You can see the Certificate Status there.
- Assuming the certificate is valid, open a command prompt and navigate to the folder containing the .cer file. Run the command:

  certutil.exe -verify -urlfetch Certificate.cer

  If the certificate is OK, the command should exit with the message:

  CertUtil: -verify command completed successfully
- If the certutil command ran successfully, enable Event Viewer logging for Security-Kerberos and CAPI2:
  - Run Event Viewer.
  - In Event Viewer, select Applications and Services Logs → Microsoft → Windows.
  - Below Windows, find Security-Kerberos, right-click it, and enable logging.
  - Below Windows, find CAPI2, right-click it, and enable logging.
- Try the passwordless login again, and then check for errors in Event Viewer. See if there are any Security-Kerberos errors (under Applications and Services Logs → Microsoft → Windows → Security-Kerberos → Operational) or CAPI2 errors (under Applications and Services Logs → Microsoft → Windows → CAPI2 → Operational).
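
The certificate checks above can also be run from PowerShell. The script below is an added example, not part of the Ping Identity documentation or product. It assumes the default installation folder, an elevated session, an English-language certutil message, and the channel names Microsoft-Windows-Security-Kerberos/Operational and Microsoft-Windows-CAPI2/Operational; the function names are hypothetical.

```powershell
# Added example, not Ping Identity code. Run in an elevated PowerShell session.
# Assumption: these are the channel names behind the two Event Viewer nodes.
$Channels = 'Microsoft-Windows-Security-Kerberos/Operational',
            'Microsoft-Windows-CAPI2/Operational'

function Test-PasswordlessCertificate {
    # Assumption: the default installation folder named on this page.
    param([string]$CertRoot = 'C:\Program Files\Ping Identity\PingID\Windows Passwordless\Certificates')

    $certs = @(Get-ChildItem -Path $CertRoot -Recurse -Filter 'Certificate.cer')
    if ($certs.Count -eq 0) {
        Write-Warning "No Certificate.cer found under $CertRoot"
        return $false
    }
    $ok = $true
    foreach ($cer in $certs) {
        # -urlfetch makes certutil retrieve the AIA and CDP URLs while building the chain.
        $output = & certutil.exe -verify -urlfetch $cer.FullName 2>&1
        # Success is judged by the completion message quoted on this page.
        if ($output | Select-String -SimpleMatch -Pattern 'CertUtil: -verify command completed successfully') {
            Write-Host "OK      $($cer.FullName)"
        } else {
            $ok = $false
            Write-Warning "FAILED  $($cer.FullName)"
            # The last lines of the output carry the chain or revocation error.
            $output | Select-Object -Last 10 | ForEach-Object { Write-Host "    $_" }
        }
    }
    if ($ok) {
        # Certificates verify, so enable the two operational logs for the next attempt.
        foreach ($channel in $Channels) { & wevtutil.exe set-log $channel /enabled:true }
    }
    return $ok
}

function Get-PasswordlessAuthError {
    # Lists error events (Level 2) written to both logs since $Since.
    param([datetime]$Since = (Get-Date).AddMinutes(-15))
    foreach ($channel in $Channels) {
        $filter = @{ LogName = $channel; Level = 2; StartTime = $Since }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Sort-Object TimeCreated |
            Select-Object TimeCreated, LogName, Id, Message
    }
}

# Usage: Test-PasswordlessCertificate, retry the passwordless login, then:
#   Get-PasswordlessAuthError | Format-List
```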