To set up Passwordless Authentication in Computer Logon using certificates, follow the steps below.

Install AD Certificate Service

To implement passwordless authentication using certificates, you will need the Active Directory Certificate Service.

Install Active Directory Certificate Service in the Domain Controller.



After installation, configure the Certificate Authority accordingly.

Create a CA Certificate in DualShield

Create or import a CA certificate in the DualShield Certificate Authorities, and bind it to the target domain (in this example, deepnetpb.com).


Import CA Certificate into Domain Controller

Export this CA certificate, and then import it into the Trusted Root Certification Authorities store on the Domain Controller.

Configure Enterprise PKI

Now, open the Microsoft Management Console (MMC) and add the 'Enterprise PKI' snap-in.


Launch the Enterprise PKI snap-in console, right-click on Enterprise PKI and select Manage AD Containers...

Add the new CA that was created.

Click OK, and then click on the CA entry that appears under Enterprise PKI.


If all four of the following entries are listed and their status is OK, then your domain is ready for DualShield Computer Logon Passwordless Authentication.

  • CA Certificate
  • AIA Location #1
  • CDP Location
  • DeltaCRL Location #1

Configure Policy Options in DualShield

In the admin console, navigate to the Computer Logon Client Policy and make the following changes:

  • Enable the option "Enable Passwordless Login".
  • Set the "Passwordless Certificate Lifetime".
  • Set the option "Renew Passwordless Certificate N days before it expires".
  • Leave the option "Certificate Revocation List (CRL) URL" empty.

Note: If you have implemented the Device Certificate authentication method, then you must also follow the instructions below to set up a new Certificate Revocation List (CRL) URL.

If you implement Passwordless Authentication in computer logon using certificates, then you need to provide a Certificate Revocation List (CRL) service. By default, DualShield provides the CRL service as part of the SSO service and publishes it on port 8074.

In some deployments, you might need to publish the CRL service on an alternative port number. For instance, if you have implemented the Device Certificate authentication method in your DualShield system, then you must publish the CRL service on an alternative port number.

To publish the CRL service on an alternative port number, follow the steps below.

Add a new connector

Open the file "C:\Program Files\Deepnet DualShield\tomcat\conf\server.xml" in a text editor such as Notepad.

Find the tag <Service name="SSO">.

Copy the first connector, i.e. the one with port="8074".

Add a new connector based on the copy.

In the new connector, set clientAuth="false" and change the port number to an unused port, e.g. 8092.

Save the server.xml file, then restart the DualShield service.

Use the new connector

In the Computer Logon Client policy, enter the URL of the new connector as the Certificate Revocation List (CRL) URL.

The URL should be provided in the format "https://your-dualshield-fqdn:8092/sso".
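The two steps above (cloning the SSO connector in server.xml and entering the new connector's URL in the policy) can also be scripted. The following is an added example, not DualShield's own code: it finds <Service name="SSO">, copies its first connector, sets clientAuth="false" and the new port on the copy, refuses to add a port that is already used by another connector, and builds the CRL URL in the format shown above. The server.xml content in the script is constructed for the example (only the port and clientAuth attributes are known to match a real installation), and the host name dualshield.deepnetpb.com is an assumed value standing in for your-dualshield-fqdn.

```python
"""Added example: automate the server.xml connector edit and derive the CRL URL.

Not DualShield's own code. The sample XML below is constructed; a real
server.xml will carry different keystore and protocol attributes.
"""
import copy
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of a server.xml with an SSO service. The real file lives at
# C:\Program Files\Deepnet DualShield\tomcat\conf\server.xml.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
  <Service name="SSO">
    <Connector port="8074" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="true"
               sslProtocol="TLS" keystoreFile="conf/sso.jks"
               keystorePass="changeit" />
    <Engine name="SSO" defaultHost="localhost" />
  </Service>
</Server>
"""

DEFAULT_CRL_PORT = 8074  # port the SSO service (and its CRL) uses by default
NEW_CRL_PORT = 8092      # alternative port used in the procedure above


def add_crl_connector(server_xml: str, new_port: int = NEW_CRL_PORT) -> str:
    """Return server_xml with a copy of the first SSO connector added.

    The copy listens on new_port and has clientAuth="false", so clients can
    fetch the CRL without presenting a client certificate.
    """
    root = ET.fromstring(server_xml)
    sso = root.find("./Service[@name='SSO']")
    if sso is None:
        raise ValueError('no <Service name="SSO"> element found')
    connectors = sso.findall("Connector")
    if not connectors:
        raise ValueError("the SSO service has no Connector to copy")
    # Refuse to create a port clash with any connector in the whole file.
    if any(c.get("port") == str(new_port) for c in root.iter("Connector")):
        raise ValueError(f"port {new_port} is already used by a connector")
    first = connectors[0]
    clone = copy.deepcopy(first)  # keeps keystore and TLS settings identical
    clone.set("port", str(new_port))
    clone.set("clientAuth", "false")
    # Place the new connector directly after the one it was copied from.
    sso.insert(list(sso).index(first) + 1, clone)
    return ET.tostring(root, encoding="unicode")


def sso_connectors(server_xml: str) -> List[Dict[str, str]]:
    """List the attribute sets of all connectors under the SSO service."""
    root = ET.fromstring(server_xml)
    sso = root.find("./Service[@name='SSO']")
    if sso is None:
        return []
    return [dict(c.attrib) for c in sso.findall("Connector")]


def crl_url(fqdn: str, port: int = NEW_CRL_PORT) -> str:
    """Build the CRL URL to enter in the Computer Logon Client policy."""
    return f"https://{fqdn}:{port}/sso"


if __name__ == "__main__":
    updated = add_crl_connector(SAMPLE_SERVER_XML)
    print(updated)
    # Assumed host name; replace with your DualShield server's FQDN.
    print("CRL URL for the policy:", crl_url("dualshield.deepnetpb.com"))
```

Run it against a copy of the real server.xml and review the result before replacing the file: ElementTree discards XML comments and rewrites attribute layout, so the output differs cosmetically from the original even where nothing changed. The DualShield service still has to be restarted afterwards, as in the manual procedure.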



User Experience

With passwordless authentication enabled, users will see the hint "Passwordless enabled" under the password entry box on the login screen.


Do not enter anything in the password box.

Click the Continue button to continue.

The 2FA/MFA prompt will then appear:



