The PingID Windows login - passwordless solution uses certificate-based authentication (CBA), so each user who signs on requires a certificate. To support this, create an issuance certificate in PingOne and then publish it.

  1. Create an issuance certificate in PingOne.

    See Adding a certificate and key pair in the PingOne documentation.

  2. Publish the issuance (CA) certificate to Active Directory (AD):

    certutil -dspublish -f <CA certificate filename> NTAuthCA

  3. To verify that the certificate was published, run the following command and make sure that you see the CA certificate in the list:

    certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain name>"

  4. Import the CA certificate in the Group Policy Management Console (GPMC) to publish the CA certificate to end users' computers:
    1. Open the Group Policy Management Console (GPMC).
    2. Locate the relevant domain.
    3. Locate the group policy that you'll be using.
    4. In the Public Key Policies section, select Trusted Root Certification Authorities and import the CA certificate.
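
The following PowerShell check is an added example, not part of the PingID or PingOne documentation. It compares the thumbprint of the CA certificate file against the three places the steps above should have put it: the NTAuthCertificates object in AD, the local NTAuth cache on the computer, and the computer's Trusted Root Certification Authorities store. The function name and the file path are hypothetical; it assumes a domain-joined computer on which group policy has already refreshed.

```powershell
using namespace System.Security.Cryptography.X509Certificates

function Test-IssuanceCaPublished {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [string]$CaCertificatePath    # same file that was passed to certutil -dspublish
    )

    # Load the CA certificate and use its thumbprint as the identity to match on.
    $ca    = [X509Certificate2]::new((Resolve-Path $CaCertificatePath).Path)
    $thumb = $ca.Thumbprint

    # 1. NTAuthCertificates object in the AD configuration partition (step 2).
    #    Published certificates are stored in its cACertificate attribute.
    $configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $ntAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
    $inDirectory = $false
    foreach ($raw in $ntAuth.Properties['cACertificate']) {
        if ([X509Certificate2]::new([byte[]]$raw).Thumbprint -eq $thumb) {
            $inDirectory = $true
        }
    }

    # 2. Local cache of the enterprise NTAuth store on this computer.
    #    Windows keeps one registry subkey per certificate, named by thumbprint.
    $ntAuthCache   = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
    $inLocalNtAuth = Test-Path (Join-Path $ntAuthCache $thumb)

    # 3. Trusted Root Certification Authorities store delivered by the GPO (step 4).
    $inTrustedRoot = Test-Path "Cert:\LocalMachine\Root\$thumb"

    [pscustomobject]@{
        Subject           = $ca.Subject
        Thumbprint        = $thumb
        NotAfter          = $ca.NotAfter
        Expired           = $ca.NotAfter -lt (Get-Date)
        InDirectoryNTAuth = $inDirectory
        InLocalNTAuth     = $inLocalNtAuth
        InTrustedRoot     = $inTrustedRoot
    }
}

# Placeholder path: replace with the exported CA certificate file.
Test-IssuanceCaPublished -CaCertificatePath '.\issuance-ca.cer'
```

If `InDirectoryNTAuth` is true but the two local values are false, the computer has not yet picked up the change; recheck after the next group policy refresh.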