To set up passwordless authentication for Computer Logon using certificates, follow the steps below.

Install AD Certificate Service

To implement passwordless authentication using certificates, you need Active Directory Certificate Services (AD CS).

Prerequisites

Install Active Directory Certificate Services on the Domain Controller.

After installation, configure the Certificate Authority accordingly.

Create a CA Certificate in DualShield

Create or import a CA certificate under DualShield Certificate Authorities and bind it to the target domain, e.g. deepnetpb.com.

Import CA Certificate into Domain Controller

Export this CA certificate, then import it into the Trusted Root Certification Authorities store on the Domain Controller.


Configure Enterprise PKI

After completing the configuration, open the Microsoft Management Console (MMC) and add the 'Enterprise PKI' snap-in to verify the configuration.


In the Enterprise PKI snap-in console, right-click Enterprise PKI and select Manage AD Containers...


Add the new CA that was created.


Click OK, then click the CA entry that appears under Enterprise PKI.

If all four of the following entries are listed and their status is OK, your domain is ready for the DualShield Computer Logon Passwordless feature.

  • CA Certificate
  • AIA Location #1
  • CDP Location
  • DeltaCRL Location #1

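The following PowerShell script is an added example, not DualShield's own code or documentation. It performs the "Import CA Certificate into Domain Controller" step and the Enterprise PKI "Manage AD Containers" publication from the command line, then checks what the four Enterprise PKI entries above verify: that the CA object is present in the forest's Public Key Services container and that the AIA and CDP URLs carried in the CA certificate respond over HTTP. It assumes an elevated session on the Domain Controller with the RSAT ActiveDirectory module and certutil available; $CaCertPath is a placeholder for the certificate exported from DualShield.

```powershell
# Added example (not part of the DualShield documentation): publish the DualShield CA
# certificate to the Domain Controller's Trusted Root store and to the Active Directory
# PKI containers, then verify what Enterprise PKI reports as CA Certificate / AIA / CDP.
# Run in an elevated PowerShell on the Domain Controller as an Enterprise Admin.
#Requires -RunAsAdministrator
param(
    [string]$CaCertPath = 'C:\Temp\dualshield-ca.cer'   # placeholder: your exported CA cert
)
Import-Module ActiveDirectory

# 1. Trusted Root store on this DC (the "Import CA Certificate into Domain Controller" step).
$ca = Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Imported $($ca.Subject) (thumbprint $($ca.Thumbprint))"

# 2. AD containers (what Enterprise PKI > Manage AD Containers does in the GUI).
#    RootCA   -> CN=Certification Authorities (trusted root for the whole forest)
#    NTAuthCA -> CN=NTAuthCertificates        (required for certificate-based logon)
certutil.exe -dspublish -f $CaCertPath RootCA   | Out-Null
certutil.exe -dspublish -f $CaCertPath NTAuthCA | Out-Null

# 3. Confirm the CA object now exists under the forest's Public Key Services container.
$configNC = (Get-ADRootDSE).configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$configNC"
Get-ADObject -SearchBase $pks -SearchScope Subtree -Filter 'objectClass -eq "certificationAuthority"' |
    Select-Object Name, DistinguishedName

# 4. Check that the AIA and CDP URLs embedded in the CA certificate are reachable; this is
#    what the OK status of "AIA Location #1" and "CDP Location" in Enterprise PKI reflects.
#    X509Extension.Format($true) renders the extension as text containing "URL=..." lines.
function Get-CertUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return @() }   # a self-signed root may carry no AIA/CDP at all
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}
$urls = @{
    'AIA' = @(Get-CertUrls -Cert $ca -Oid '1.3.6.1.5.5.7.1.1')   # Authority Information Access
    'CDP' = @(Get-CertUrls -Cert $ca -Oid '2.5.29.31')           # CRL Distribution Points
}
foreach ($kind in $urls.Keys) {
    if ($urls[$kind].Count -eq 0) { Write-Host "$kind : no URL in certificate"; continue }
    foreach ($u in $urls[$kind]) {
        if ($u -notlike 'http*') { Write-Host "$kind $u : skipped (not HTTP)"; continue }
        try {
            $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
            Write-Host "$kind $u : HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
        } catch {
            Write-Warning "$kind $u : unreachable - $($_.Exception.Message)"
        }
    }
}

# 5. Chain build with AIA/CRL retrieval, the same end-to-end check Enterprise PKI performs.
certutil.exe -verify -urlfetch $CaCertPath
```

If step 4 reports a CDP URL as unreachable, the CRL service is the first thing to look at; the "Certificate Revocation List (CRL) URL" policy option and the note on publishing the CRL service on an alternative port (below) are the DualShield-side settings that determine that URL.
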
Configure Policy Options in DualShield

In the admin console, navigate to DualShield – Authentication, open the Computer Logon Client Policy and make the following changes:

  • Enable the option "Enable Passwordless Login".
  • Set the "Passwordless Certificate Lifetime".
  • Set the option "Renew Passwordless Certificate N days before it expires".
  • Leave the option "Certificate Revocation List (CRL) URL" empty.


Note: if you have implemented the Device Certificate authentication method, you must set up a new Certificate Revocation List (CRL) URL by following the instructions on the page "Publish CRL service in an alternative port number".

User Experience

With passwordless authentication enabled, users will see the hint "Passwordless enabled" under the password entry box on the login screen.


Do not enter anything in the password box.

Click the continue button to continue.

The 2FA/MFA window will then be prompted.