Try these troubleshooting steps if you encounter any issues with passwordless Windows login.
Check the log files
You can review the information that is recorded in the log files and the event information that is displayed in the Audit window in PingOne.
- You can find detailed activity information regarding Windows Login - Passwordless in the log files that are located in the /logs folder below the folder that you specified during installation (default location is C:\Program Files\Ping Identity\PingID\Windows Passwordless\logs).
- To include a greater level of detail in the log files, carry out the following steps to set the logging level to DEBUG:
- Open the Registry Editor.
- Under HKEY_LOCAL_MACHINE\SOFTWARE\Ping Identity\PingId\WindowsPasswordless, add a new DWORD (32-bit) value called LogLevel.
- Set the value of LogLevel to 1.
- After making the change to the registry, restart the PingIDESVC service or restart the computer.
To restore the logging level to INFO, change the value of LogLevel to 0 and restart the PingIDESVC service or the computer.
Note: Some of the log files have no mechanism to limit the file size, so it's best not to leave logging at DEBUG level for an extended period of time.
- The Audit window in PingOne includes information on events such as certificate creation and user authentication (for more information, see the Audit section in the PingOne help).
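The DEBUG logging steps above, scripted in PowerShell as an added example (not Ping Identity's own tooling). It uses the registry path, LogLevel value, PingIDESVC service and default log folder named on this page; the function names are hypothetical, and it assumes an elevated session.

```powershell
# Added example; run from an elevated PowerShell session.
# Registry path, value name, service name and default log folder come from this page.
$RegPath = 'HKLM:\SOFTWARE\Ping Identity\PingId\WindowsPasswordless'
$LogDir  = 'C:\Program Files\Ping Identity\PingID\Windows Passwordless\logs'  # default install location
$Service = 'PingIDESVC'

function Set-PasswordlessLogLevel {   # hypothetical helper name
    param([Parameter(Mandatory)][ValidateSet('INFO', 'DEBUG')][string]$Level)

    if (-not (Test-Path -Path $RegPath)) {
        throw "Registry key not found: $RegPath"
    }
    $value = if ($Level -eq 'DEBUG') { 1 } else { 0 }
    # -Force creates LogLevel or overwrites an existing one, always as a DWORD.
    New-ItemProperty -Path $RegPath -Name 'LogLevel' -PropertyType DWord -Value $value -Force | Out-Null
    # The new level takes effect only after the service (or the computer) restarts.
    Restart-Service -Name $Service -ErrorAction Stop
    Write-Output "LogLevel=$value ($Level); $Service restarted."
}

function Get-PasswordlessLogSize {    # hypothetical helper name
    # Some log files have no size limit, so list the largest files first.
    Get-ChildItem -Path $LogDir -File -Recurse |
        Sort-Object Length -Descending |
        Select-Object Name, LastWriteTime, @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 2) } }
}

Set-PasswordlessLogLevel -Level DEBUG
try {
    Read-Host 'Reproduce the passwordless login problem, then press Enter' | Out-Null
    Get-PasswordlessLogSize | Format-Table -AutoSize
}
finally {
    # Always return to INFO so the unbounded log files stop growing.
    Set-PasswordlessLogLevel -Level INFO
}
```

If reproducing the problem ends the session, call Set-PasswordlessLogLevel -Level DEBUG and -Level INFO separately rather than relying on the finally block.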
Check Windows Event Viewer
- Open Windows Event Viewer.
- Go to .
Check for certificate configuration errors
- Open the .cer file to check whether the certificate is
- Look in the folder C:\Program Files\Ping Identity\PingID\Windows Passwordless\Certificates and find the subfolder that is composed of letters and numbers, such as 19-92-6E-C6-01-A1-40-0E-63-B7-A1-BB-C3-E0-D1-75-85-00-49-4B-53-A2-E7-9F-15-E0-75-AD-20-0C-B4-F0.
- In the subfolder, you'll see a file called Certificate.cer.
- Double-click the .cer file and go to the Certification Path tab. You can see the Certificate Status there.
- Assuming the certificate is valid, open a command prompt and navigate to the folder containing the .cer file. Run the command:
certutil.exe -verify -urlfetch Certificate.cer
If the certificate is OK, the command should exit with the message:
CertUtil: -verify command completed successfully
- If the certutil command ran successfully, enable Event Viewer logging for Security-Kerberos and CAPI2:
- Run Event Viewer.
- In Event Viewer, select .
- Below Windows, find Security-Kerberos, right-click it, and enable logging.
- Below Windows, find CAPI2, right-click it, and enable logging.
- Try the passwordless log-in again, and then check for errors in Event Viewer. See if there are any Security-Kerberos errors (under ) or CAPI2 errors (under ).