View Source

Install AD Certificate Service

To implement passwordless authentication using certificates, you will need the Active Directory Certificate Service.

Install Active Directory Certificate Service in the Domain Controller.
DualShield MFA Platform > Passwordless Authentication in Computer Logon using Certificate > worddav4d9f76104c6556371b18cd40ef1404b2.png

After installation, configure the Certificate Authority accordingly.

After completing the configuration, open the Microsoft Management Console (MMC) and add the 'Enterprise PKI' snap-in.
DualShield MFA Platform > Passwordless Authentication in Computer Logon using Certificate > worddav80bda855855568e84e26211d6cb7ce92.png

Launch the Enterprise PKI snap-in console

DualShield MFA Platform > Passwordless Authentication in Computer Logon using Certificate > worddav6d8b43e8a5b01a17dedafd98477a9849.png
If you see all of the following 4 certificates and their status is OK, then your domain is ready for DualShield Computer Logon Passwordless Authentication.

CA Certificate
AIA Location #1
CDP Location
DeltaCRL Location #1

Configure Policy Options in DualShield

In the admin console, navigate to the Computer Logon Client Policy and make the following changes:

Enable the option "Enable Passwordless Login".
Set the "Passwordless Certificate Lifetime".
Set the option "Renew Passwordless Certificate N days before it expires"
Leave the option "Certificate Revocation List (CRL) URL" empty.

DualShield MFA Platform > Passwordless Authentication in Computer Logon using Certificate > image-2024-8-29_18-47-47.png

Note: if you have implemented the Device Certificate authentication method, then you must follow the instructions below to set up a new Certificate Revocation List (CRL) URL

User Experience

With the password authentication enabled, users will see the hint 'Passwordless enabled" under the password entry box on the login screen.

Do not enter anything in the password box

Click the continue button to continue

The 2FA/MFA window will be prompted: