The PingID Windows Login - Passwordless solution uses Certificate-Based Authentication (CBA), and therefore a certificate is required for each user who will be logging in. This requires that you create an "issuance" certificate in PingOne, and then publish the certificate.
- Create an issuance certificate in PingOne, following the instructions in Adding a certificate and key pair in the PingOne documentation. When creating the certificate, set the Usage Type to Issuance and for the Signature Algorithm select SHA256withRSA.
- Publish the issuance (CA) certificate to Active Directory:
  certutil -dspublish -f <CA certificate filename> NTAuthCA
- To verify that the certificate was published, run the following command and make sure that you see the CA certificate in the list:
  certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain name>"
- Import the CA certificate in the Group Policy Management Console (GPMC) in order to publish the CA certificate to end users' computers:
  - Open the Group Policy Management Console (GPMC).
  - Locate the relevant domain.
  - Locate the group policy you will be using.
  - Under Computer Configuration\Windows Settings\Security Settings\Public Key Policies, select Trusted Root Certification Authorities and import the CA certificate.
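The publish-and-verify part of this procedure can be scripted so that the check in the third step is a thumbprint comparison rather than a visual scan of the certutil -viewstore dialog. The following PowerShell is an added example, not part of the PingID documentation or a Ping Identity tool. It assumes the RSAT ActiveDirectory module is installed, that the account running it may write to the Configuration partition, and that $CertPath is a placeholder path to the exported issuance certificate. The last function is meant to be run on a domain-joined client after the GPO has applied. Because every certificate in NTAuthCertificates is trusted to issue logon certificates, the script prints the thumbprint before publishing so it can be compared with the value shown in PingOne.

```powershell
# Added example (not from the PingID documentation): publish the PingOne issuance
# certificate to the NTAuth store, verify it by thumbprint, and check that the GPO
# delivered it to a client's Trusted Root store.
# Assumptions: RSAT ActiveDirectory module present; rights on the Configuration
# partition; $CertPath is a placeholder path to the exported issuance certificate.
param(
    [string]$CertPath = 'C:\PingOne\issuance-ca.cer'   # placeholder, replace with your file
)

Import-Module ActiveDirectory

# Load the certificate that is about to be published and show its thumbprint so it
# can be compared with the value shown in PingOne before anything is written to AD.
$caCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
Write-Host "Publishing CA '$($caCert.Subject)' with thumbprint $($caCert.Thumbprint)"

# Step 2 of the procedure: the same certutil command as in the documentation.
certutil -dspublish -f $CertPath NTAuthCA
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }

# Step 3, scripted: read the cACertificate attribute of the NTAuthCertificates object
# in the Configuration partition and look for a matching thumbprint.
function Test-NTAuthContains {
    param([string]$Thumbprint)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ntAuth = Get-ADObject -Identity "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC" `
                           -Properties cACertificate
    # cACertificate is multi-valued; each value is the DER encoding of one CA certificate.
    foreach ($raw in $ntAuth.cACertificate) {
        $published = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
        if ($published.Thumbprint -eq $Thumbprint) { return $true }
    }
    return $false
}

if (-not (Test-NTAuthContains -Thumbprint $caCert.Thumbprint)) {
    throw "Issuance CA not found in NTAuthCertificates; check AD replication and your rights on the Configuration partition"
}
Write-Host "NTAuthCertificates contains the issuance CA"

# Step 4, verification on a client: after the GPO applies, the CA must be in the
# machine's Trusted Root store or the chain for the user's logon certificate will not build.
function Test-TrustedRootContains {
    param([string]$Thumbprint)
    $null -ne (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint })
}

if (Test-TrustedRootContains -Thumbprint $caCert.Thumbprint) {
    Write-Host "Trusted Root store on this machine contains the issuance CA"
} else {
    Write-Warning "Issuance CA not in this machine's Trusted Root store; run gpupdate /force and confirm the GPO is linked to this computer's OU"
}
```

Running the script on a domain controller or an administrative workstation covers the NTAuth publication and its verification; copying only the Test-TrustedRootContains function to an end user's computer is enough to confirm that the Group Policy import from the last step has reached that machine.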