Install AD Certificate Service
To implement passwordless authentication using certificates, you will need the Active Directory Certificate Service.Prerequisites
Install Active Directory Certificate Service in the Domain Controller.
After installation, configure the Certificate Authority accordingly.
After completing the configuration, open the Microsoft Management Console (MMC) and include add the 'Enterprise PKI' to verify its configuration. snap-in.
Now,
Launch the Enterprise PKI snap-in console
If you see the "CA Certificate" in the list, then your domain is ready to use for DualShield Computer Logon Passwordless featureAuthentication.Navigate to DualShield –
Configure Policy Options in DualShield
In the admin console, navigate to the Computer Logon Client Policy .and make the following changes:
- Enable the option "Enable Passwordless Login".
- Set the "Passwordless Certificate Lifetime".
- Set the option "Renew Passwordless Certificate N days before it expires"
- Leave
...
- the option "Certificate Revocation List (CRL) URL" empty. it has the default value. (Note: By default, when 'Client Authentication: Device Cert' is enabled, this feature doesn't function as expected. If you wish to accommodate both features, users can manually adjust the settings to utilize a different URL, ie: https://mfa.qa.deepnetid.com:8092/sso)
Now, login windows client, passwordless certificate is created silently at the back. Login and logout, now you
User Experience
With the password authentication enabled, users will see the hint 'Passwordless Enableenabled" under the password text field. entry box on the login screen.
Press Enter to log in directly to Windows, or a second-factor dialog will appear if required.
Note, currently, Computer Logon Passwordless Certificate does not require any activation, it is auto activate.
Do not enter anything in the password box
Click the continue button to continue
The 2FA/MFA window will be prompted: