---
title: Setting up Windows passwordless login
description: You can use Windows login - passwordless so that users can sign on to their Windows computer without a password.
component: solution-guides
page_id: solution-guides:best_practice_guides:bp_setting_up_windows_passwordless_login
canonical_url: https://docs.pingidentity.com/solution-guides/best_practice_guides/bp_setting_up_windows_passwordless_login.html
revdate: April 14, 2025
page_aliases: ["best_practice_guides:bp_setting_up_windows_passwordless_login_connect_pid_p1.adoc", "best_practice_guides:bp_setting_up_windows_passwordless_login_config_id_store.adoc", "best_practice_guides:bp_setting_up_windows_passwordless_login_create_issuance_cert.adoc", "best_practice_guides:bp_setting_up_windows_passwordless_login_create_authn_policy.adoc", "best_practice_guides:bp_setting_up_windows_passwordless_login_windows_app_p1.adoc", "best_practice_guides:bp_setting_up_windows_passwordless_login_kdc_cert.adoc", "best_practice_guides:bp_setting_up_windows_passwordless_login_install_on_client.adoc", "best_practice_guides:bp_setting_up_windows_passwordless_login_powershell.adoc", "best_practice_guides:bp_setting_up_windows_passwordless_login_troubleshooting.adoc"]
section_ids:
  before-you-begin: Before you begin
  creating-a-pingone-environment-and-connecting-it-to-a-pingid-account: Creating a PingOne environment and connecting it to a PingID account
  about-this-task: About this task
  steps: Steps
  choose-from: Choose from:
  configuring-identity-store-provisioners: Configuring identity store provisioners
  about-this-task-2: About this task
  creating-an-issuance-certificate-in-pingone: Creating an issuance certificate in PingOne
  about-this-task-3: About this task
  steps-2: Steps
  creating-an-authentication-policy-windows-passwordless: Creating an authentication policy (Windows passwordless)
  steps-3: Steps
  result: Result:
  creating-and-configuring-a-passwordless-windows-login-application-in-pingone: Creating and configuring a passwordless Windows login application in PingOne
  about-this-task-4: About this task
  steps-4: Steps
  generating-a-kdc-certificate: Generating a KDC certificate
  about-this-task-5: About this task
  steps-5: Steps
  installing-the-windows-login-passwordless-integration-on-client-computers: Installing the Windows login - passwordless integration on client computers
  before-you-begin-2: Before you begin
  about-this-task-6: About this task
  steps-6: Steps
  using-the-powershell-script-for-setting-up-windows-login-passwordless: Using the PowerShell script for setting up Windows login - passwordless
  about-this-task-7: About this task
  steps-7: Steps
  troubleshooting-windows-login-passwordless: Troubleshooting Windows login - passwordless
---

# Setting up Windows passwordless login

You can use Windows login - passwordless so that users can sign on to their Windows computer without a password.

## Before you begin

To set up and use the PingID integration for passwordless Windows login, the following system requirements must be met:

* Microsoft Active Directory is running on Windows Server 2016 or later

* Users' computers must be running Windows 10 (64-bit), and must support TPM 2.0.

You must have:

* Admin rights for the domain controller

* A PingOne account

* A PingID account

Users must have the PingID mobile app installed on their devices and must have already paired the device.

## Creating a PingOne environment and connecting it to a PingID account

### About this task

Create a new environment in PingOne and connect it to an existing PingID account (so that the PingID data is synced) or to a newly created PingID account.

|   |                                                                                                                                                                    |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | You must create a new PingOne environment even if you have an existing environment because you cannot connect a PingID account to an existing PingOne environment. |

### Steps

1. In the PingOne admin console, click **Add Environment**.

2. Select **Build your own solution**.

3. Hover over the **PingOne SSO** element and click **Select**.

4. Hover over the **PingID** element and click **Select**.

5. Click **Next**.

6. When you are presented with the two options for PingID, you can either:

   #### Choose from:

   * Connect to an existing PingID account.

     After you select this option, enter the credentials that you use for the PingID account.

   * Create a new PingID account.

7. Click **Next**.

8. Enter a name for the new environment.

9. Select the relevant license.

10. Click **Finish**.

## Configuring identity store provisioners

### About this task

To use passwordless Windows login, user attributes must be mapped to attributes in PingOne.

If you have been using PingFederate with the PingID connector for user provisioning, you must make the transition to using PingFederate with the PingOne Provisioning connector for user provisioning.

You can find more information on using this integration in [Provisioning connector](https://docs.pingidentity.com/integrations/pingone/pingone_integration_kit/pf_p1_ik_provisioning_connector.html) in the PingOne Integration Kit documentation.

|   |                                                                                                                                                                                                                                                                                                                                                                                                      |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | When mapping attributes, keep in mind that the `ObjectSID` attribute must be mapped to a unique attribute in PingOne. You can find more information on passing binary attributes in [Passing binary attributes to PingOne](https://docs.pingidentity.com/integrations/pingone/pingone_integration_kit/pf_p1_ik_passing_binary_attributes_to_p1.html) in the PingOne Integration Kit documentation. |

## Creating an issuance certificate in PingOne

### About this task

The PingID Windows login - passwordless solution uses certificate-based authentication (CBA), so a certificate is required for each user that will be signing on. This requires that you create an issuance certificate in PingOne and then publish the certificate.

### Steps

1. Create an issuance certificate in PingOne.

   Learn more in [Adding a certificate and key pair](https://docs.pingidentity.com/pingone/settings/p1_addcertificate.html) in the PingOne documentation.

2. Publish the issuance (CA) certificate to Active Directory (AD):

   ```
   certutil -dspublish -f <CA certificate filename> NTAuthCA
   ```

3. To verify that the certificate was published, run the following command and make sure that you see the CA certificate in the list:

   ```
   certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain name>"
   ```

4. Import the CA certificate in the Group Policy Management Console (GPMC) to publish the CA certificate to end users' computers:

   1. Open the Group Policy Management Console (GPMC).

   2. Locate the relevant domain.

   3. Locate the group policy that you'll be using.

   4. In the **Public Key Policies** section, select **Trusted Root Certification Authorities** and import the CA certificate.
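The following PowerShell script is an added example and is not part of the Ping Identity guide. It wraps the publish step above and then checks the result three ways without opening the `certutil -viewstore` GUI: it reads the `NTAuthCertificates` object from the Configuration partition and compares thumbprints, checks the local machine's cached NTAuth store, and checks whether the Group Policy import has placed the CA in the local Trusted Root store. It assumes `$CaCertPath` is the CA certificate exported from PingOne (DER or PEM), that it runs as an Enterprise Admin on a domain controller or a domain-joined admin workstation, and that the directory object names are the standard ones used in the guide.

```powershell
# Added example (not from the Ping Identity guide): publish the PingOne issuance CA to NTAuth
# and verify it from the directory and from the local machine, with no certutil GUI.
# Assumptions: $CaCertPath is the CA certificate exported from PingOne (DER or PEM);
# run as an Enterprise Admin on a DC or a domain-joined admin workstation.
param(
    [Parameter(Mandatory)] [string]$CaCertPath,
    [switch]$Publish    # run certutil -dspublish first; omit to verify only
)

$expected = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaCertPath)
Write-Host "Issuance CA : $($expected.Subject)"
Write-Host "Thumbprint  : $($expected.Thumbprint)"

if ($Publish) {
    # Same command as in the guide; -f overwrites an existing entry for the same CA.
    & certutil.exe -dspublish -f $CaCertPath NTAuthCA | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }
}

# 1. Read NTAuthCertificates from the Configuration partition and compare thumbprints,
#    so a look-alike subject name cannot pass the check.
$configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$ntAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"
$inDirectory = @(
    foreach ($der in $ntAuth.Properties["cACertificate"]) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
    }
)
if (-not ($inDirectory | Where-Object { $_.Thumbprint -eq $expected.Thumbprint })) {
    throw "CA $($expected.Thumbprint) is not in NTAuthCertificates (not published, or not yet replicated to this DC)."
}
Write-Host "OK: CA is in NTAuthCertificates ($($inDirectory.Count) certificate(s) in the store)."

# 2. Domain members cache NTAuth in their enterprise store. A DC whose cache has not refreshed
#    will still reject the user certificates, so pulse autoenrollment and check the cache.
& certutil.exe -pulse | Out-Null
$localNtAuth = (& certutil.exe -enterprise -store NTAuth) -join "`n"
if (($localNtAuth -replace '\s', '') -match $expected.Thumbprint) {
    Write-Host "OK: CA is in this machine's cached NTAuth store."
} else {
    Write-Warning "CA is not yet in the local NTAuth cache; wait for Group Policy refresh or run 'gpupdate /force'."
}

# 3. The GPMC import step delivers the CA as a trusted root to domain members. On a client
#    (after gpupdate) the certificate must appear in LocalMachine\Root.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $expected.Thumbprint }
if ($root) {
    Write-Host "OK: CA is in the local Trusted Root Certification Authorities store."
} else {
    Write-Warning "CA is not in LocalMachine\Root on this machine; check the GPO link and run 'gpupdate /force'."
}
```

Run it once with `-Publish` on a domain controller, then without `-Publish` on a client after `gpupdate /force` to confirm that both the NTAuth publication and the Group Policy root import have reached the machines that will perform the sign-on.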

## Creating an authentication policy (Windows passwordless)

### Steps

1. In the PingOne admin console, open the environment you are using for Windows login - passwordless.

2. Click the **Identities** icon.

3. Click **Attributes**.

4. In the list of attributes, locate the PingOne attribute that you mapped to `ObjectSID`.

5. Click the **Pencil** icon to edit the attribute properties.

6. Select the **Enforce Unique Values** checkbox. Confirm the choice if prompted to do so.

7. Click **Save**.

8. Click the **Experiences** icon.

9. Click **Authentication Policies**.

10. Click **Add Policy**.

    #### Result:

    The policy definition page opens.

11. Enter a name for the policy.

12. For **Step Type**, select **Windows Login Passwordless**.

13. In the **Match Attributes** list, select the attribute that you mapped to `ObjectSID`.

    |   |                                                                                                                        |
    | - | ---------------------------------------------------------------------------------------------------------------------- |
    |   | This list includes any attributes that you have specified as unique by selecting the **Enforce Unique Values** option. |

14. **Optional:** Select the **Offline Mode** option if you want to allow users to sign on when PingOne or PingID is unavailable.

15. Click **Save**.

## Creating and configuring a passwordless Windows login application in PingOne

### About this task

After creating the authentication policy, you can now create the application for passwordless Windows login:

### Steps

1. Go to the PingOne admin console and open the environment that you are using for Windows login - passwordless.

2. Click the **Connections** icon.

3. Click **Applications**.

4. Click the **+** icon to add a new application.

5. For the **Application Type**, select **Native App**.

6. Click **Configure**.

7. Enter a name and description for the application, and then click **Next**.

8. Enter the redirect URL, `winlogin.pingone.com://callbackauth`, and then click **Save and Continue**.

   |   |                                                                             |
   | - | --------------------------------------------------------------------------- |
   |   | You can skip the **Grant Resource Access** and **Attribute Mapping** steps. |

9. In the **Certificate Based Authentication** section, click the **Enabled** toggle.

   ![Screen capture of the Certificate Based Authentication section. The Enable toggle is selected.](_images/wut1662490785475.png)

10. Select an existing issuance certificate.

11. Go to the application's **Policies** tab and drag the passwordless policy that you created from the **All Policies** list to the **Applied Policies** list.

    ![Screen capture of the Policies tab. Applied Policy has passwordless\_policy added to it](_images/mlk1662490521899.png)

## Generating a KDC certificate

### About this task

If there is not yet a certificate for the KDC server that you will be using, you will need to generate one.

|   |                                                                                                                                                                                                                              |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | The KDC certificate is used as part of the Kerberos PKINIT mutual authentication mechanism. If you already have a KDC certificate installed on your Active Directory domain controllers, you don't need to perform this task. |

### Steps

1. Create an `.inf` file containing the following information (`_continue_` is the `certreq` keyword for adding a value to the preceding extension, here the DNS name entry of the Subject Alternative Name):

   ```
   [NewRequest]
   Subject = "CN=<hostname>"
   KeyLength = 2048
   MachineKeySet = TRUE
   Exportable = FALSE
   RequestType = PKCS10
   SuppressDefaults = TRUE

   [Extensions]
   ; 2.5.29.17 is the OID for the Subject Alternative Name (SAN) extension.
   2.5.29.17 = "{text}"
   _continue_ = "dns=<DNS hostname>"
   ```

   |   |                                                                                                                                                                                                                          |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
   |   | For more information on the contents of `.inf` files for the `certreq` command, see [Certreq](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certreq_1) in the Microsoft documentation. |

2. Generate a certificate signing request on your KDC server (the domain controller that will use the certificate) by running `certreq -new <path to the .inf file> kdc.req`. Because the request uses `MachineKeySet = TRUE` and `Exportable = FALSE`, the private key is created in that server's machine store and cannot be moved, so the issued certificate can only be installed on the same host.

3. In the PingOne admin console, open the application that you created for passwordless Windows login.

4. Click the **Configuration** tab of the application.

5. Scroll down to the **Certificate Based Authentication** section.

   ![Screen capture of the Certificate Based Authentication section](_images/tqi1662489533655.png)

6. For the KDC certificate signing request that you created previously with the `certreq` command:

   1. Set the number of days until the certificate should expire.

   2. Click **Upload request** and **Issue Certificate** to have the certificate issued.

      |   |                                                                                                                                                   |
      | - | ------------------------------------------------------------------------------------------------------------------------------------------------- |
      |   | The KDC certificate does not have to be signed by the issuance certificate that you created with PingOne. Any valid certification path will work. |

7. Install the KDC certificate on your server:

   ```
   certreq -accept -machine -f <KDC certificate filename>
   ```
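The following PowerShell script is an added example, not code from the Ping Identity guide. It drives the KDC certificate steps above from the domain controller: the default phase writes the `.inf` from the guide with the local DC's FQDN filled in and creates `kdc.req`; after you have PingOne issue the certificate, running it again with `-Install` accepts the certificate and verifies that it is in the machine store with its private key, that its SAN names this DC, and that it chains to a trusted root. It assumes it runs elevated on the DC that will use the certificate and that `$IssuedCertPath` is the file downloaded from PingOne; the EKU check reflects what Windows Kerberos clients expect of a KDC certificate and is not a statement about what PingOne issues.

```powershell
# Added example (not from the Ping Identity guide): create the KDC CSR, then install and
# verify the issued certificate. Assumptions: run elevated on the DC that will use the
# certificate; $IssuedCertPath is the certificate file downloaded from PingOne.
param(
    [switch]$Install,
    [string]$WorkDir        = (Get-Location).Path,
    [string]$IssuedCertPath = (Join-Path (Get-Location).Path 'kdc.cer')
)

$dnsName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()  # e.g. dc01.example.com
$infPath = Join-Path $WorkDir 'kdc.inf'
$reqPath = Join-Path $WorkDir 'kdc.req'

if (-not $Install) {
    # Phase 1: the request template from the guide with the placeholders filled in.
    # _continue_ adds a value to the preceding extension (the dNSName entry of the SAN).
    @"
[NewRequest]
Subject = "CN=$dnsName"
KeyLength = 2048
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
SuppressDefaults = TRUE

[Extensions]
; 2.5.29.17 is the OID of the Subject Alternative Name extension.
2.5.29.17 = "{text}"
_continue_ = "dns=$dnsName"
"@ | Set-Content -Path $infPath -Encoding ASCII

    & certreq.exe -new $infPath $reqPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    Write-Host "CSR written to $reqPath. Upload it in PingOne, save the issued certificate as $IssuedCertPath, then rerun with -Install."
    return
}

# Phase 2: bind the issued certificate to the pending request's private key in the machine store.
& certreq.exe -accept -machine -f $IssuedCertPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

$issued  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($IssuedCertPath)
$kdcCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $issued.Thumbprint }
if (-not $kdcCert)               { throw "Issued certificate is not in LocalMachine\My." }
if (-not $kdcCert.HasPrivateKey) { throw "No private key: the CSR was not generated on this host, or the pending request was removed." }

# PKINIT clients match the KDC by the DNS name in the SAN, so this DC's FQDN must be present.
$san = $kdcCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ((-not $san) -or ($san.Format($false) -notmatch [regex]::Escape($dnsName))) {
    throw "Subject Alternative Name does not contain $dnsName."
}

# The chain must build to a root this DC trusts (the guide: any valid certification path works).
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
if (-not $chain.Build($kdcCert)) {
    $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Certificate chain does not validate: $why"
}

# Windows Kerberos clients expect the Server Authentication EKU (1.3.6.1.5.5.7.3.1) or, when strict
# KDC validation is enforced, KDC Authentication (1.3.6.1.5.2.3.5). Report what was actually issued.
$ekuExt = $kdcCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekus   = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
Write-Host "EKUs: $(if ($ekus) { $ekus -join ', ' } else { '(none)' })"
if (($ekus -notcontains '1.3.6.1.5.5.7.3.1') -and ($ekus -notcontains '1.3.6.1.5.2.3.5')) {
    Write-Warning "Neither Server Authentication nor KDC Authentication EKU is present; PKINIT clients may reject this KDC certificate."
}
Write-Host "OK: KDC certificate $($kdcCert.Thumbprint) is installed with its private key, names $dnsName, and chains to a trusted root. Expires $($kdcCert.NotAfter)."
```

The two-phase layout mirrors the manual flow: the CSR and the issued certificate must be processed on the same domain controller, because the non-exportable private key created in phase 1 never leaves that machine's store.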

## Installing the Windows login - passwordless integration on client computers

### Before you begin

* To use the Windows login - passwordless feature, users' computers must be running Windows 10 and must support TPM 2.0.

* The first time that a user carries out passwordless Windows login, they must be online and connected to the organizational network because certificate enrollment requires a connection to Active Directory. Afterward, there is no need for a connection to the network, and authentication can be carried out online or offline for as long as the certificate is valid.

### About this task

To install the integration for Windows login - passwordless on your users' computers using the UI-based method:

### Steps

1. Run the provided executable, and when the welcome page is displayed, click **Next**.

   ![Screen capture of the Setup -Windows Login - Passwordless window that opens after you run the executable](_images/czx1662487688997.png)

2. Accept the license agreement and click **Next**.

   ![Screen capture of the EULA page with I accept the agreement selected](_images/arp1662487791403.png)

3. On the **Passwordless Sign-on Settings** page, enter the values shown on the **Configuration** tab of the application that you created for Windows login - passwordless in PingOne. If your organization uses a proxy, click **Configure Proxy**. Otherwise, click **Next**.

   ![Screen capture of the Windows login - passwordless Passwordless Sign-on Settings page](_images/zza1662488031520.png)

4. If you clicked **Configure Proxy** in the previous step, enter the proxy information, click **Apply**, and when you are returned to the **Passwordless Sign-on Settings** page, click **Next**.

   ![Screen capture of the Windows login - passwordless Proxy Configuration page](_images/fbd1662488173862.png)

5. When the **Ready to Install** page is open, click **Install** to start the installation.

   ![Screen capture of the Windows login - passwordless Ready to Install page](_images/osk1662487534585.png)

## Using the PowerShell script for setting up Windows login - passwordless

### About this task

You can use the `Configure-Passwordless.ps1` PowerShell script to quickly perform the steps required to set up Windows login - passwordless.

|   |                                                                                                              |
| - | ------------------------------------------------------------------------------------------------------------ |
|   | Use this script only for informal testing or demonstrations. Do not use it for a production instance. |

### Steps

* Run `Configure-Passwordless.ps1`.

  The script carries out the following steps:

  * Creates the CA certificate, installs it, and adds it to the group policy

  * Sets `externalId` to be a unique attribute

  * Creates the authentication policy

  * Creates and configures the passwordless Windows login application

  * Creates a KDC certificate: request creation, issuing of certificate from request, installation of certificate

  You can download the script from [GitHub](https://github.com/pingidentity/pingid-windows-passwordless-configuration-script).

## Troubleshooting Windows login - passwordless

If you encounter any issues with Windows login - passwordless, review the information that is recorded in the log files and the event information that is displayed in the **Audit** window in PingOne.

You can find detailed activity information regarding Windows login - passwordless in the log files that are located in the `logs` folder under the folder that you specified during installation (the default location is `C:\Program Files\Ping Identity\PingID\Windows Passwordless\logs`). To include a greater level of detail in the log files, contact customer support for instructions on how to set the logging level to **Debug**.

|   |                                                                                                                                                             |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | For some of the log files, there is no mechanism to limit the file size. You shouldn't leave the logging at **Debug** level for an extended period of time. |

The **Audit** window in PingOne includes information on events, such as certificate creation and user authentication. You can find more information in [Audit section](https://docs.pingidentity.com/pingone/monitoring/p1_reporting.html) in the PingOne documentation.
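The following PowerShell script is an added example and is not part of the Ping Identity guide. It performs a first-pass triage on a machine where Windows login - passwordless fails: it lists the integration's log files with their sizes (flagging large files, since the guide notes that some logs are not size-limited when left at **Debug**), shows recent error-like lines, and pulls recent Kerberos errors and warnings from the System event log so they can be matched against the sign-on attempt shown in the PingOne **Audit** window. It assumes the default installation path from the guide and that the log files are plain text; the `error|fail|exception` pattern and the 100 MB threshold are this example's own choices, not a documented PingID log format or limit.

```powershell
# Added example (not from the Ping Identity guide): triage a Windows login - passwordless client.
# Assumptions: default install path; plain-text logs; the match pattern and size threshold
# below are this example's choices, not documented PingID behaviour.
param(
    [string]$LogDir   = 'C:\Program Files\Ping Identity\PingID\Windows Passwordless\logs',
    [int]$Hours       = 24,
    [int]$MaxLines    = 20
)

$since = (Get-Date).AddHours(-$Hours)
if (-not (Test-Path $LogDir)) { throw "Log folder not found: $LogDir (installed to a non-default path?)" }

# 1. Sizes. Some of these files are not size-limited, so a very large file usually means
#    Debug logging was left enabled.
$logs = Get-ChildItem -Path $LogDir -File | Sort-Object LastWriteTime -Descending
Write-Host "== Log files in $LogDir =="
foreach ($log in $logs) {
    $flag = if ($log.Length -gt 100MB) { '  <-- large; is Debug logging still enabled?' } else { '' }
    Write-Host ("{0,-45} {1,9:N1} MB  {2:yyyy-MM-dd HH:mm}{3}" -f $log.Name, ($log.Length / 1MB), $log.LastWriteTime, $flag)
}

# 2. Recent error-like lines from files written inside the time window.
foreach ($log in ($logs | Where-Object LastWriteTime -ge $since)) {
    $hits = Select-String -Path $log.FullName -Pattern 'error|fail|exception' | Select-Object -Last $MaxLines
    if ($hits) {
        Write-Host "`n== $($log.Name): last $($hits.Count) matching line(s) =="
        foreach ($h in $hits) { Write-Host ("  {0,6}: {1}" -f $h.LineNumber, $h.Line.Trim()) }
    }
}

# 3. Kerberos errors and warnings. On a client these come from the Kerberos SSP (PKINIT and
#    KDC certificate trust failures surface here); on a domain controller, from the KDC itself.
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos', 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Level        = 2, 3          # Error, Warning
    StartTime    = $since
}
Write-Host "`n== Kerberos events since $since ($(@($events).Count)) =="
foreach ($e in $events) {
    Write-Host ("  {0:yyyy-MM-dd HH:mm:ss}  ID {1,-5} {2}" -f $e.TimeCreated, $e.Id, ($e.Message -split "`r?`n")[0])
}
Write-Host "`nNext: match the timestamps above against the user's sign-on attempt in the PingOne Audit window."
```

Run it elevated on the failing client first; if the client-side logs and Kerberos events point at the KDC (for example, a rejected KDC certificate), run the same script on the domain controller to see the KDC provider's events for the same time window.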
