Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

SafeNet Agent for Windows Logon

Passwordless Windows Logon

search
printsuggest an editpdf paneldownload

Passwordless Windows Logon

The Passwordless Windows Logon feature is MFA based on X.509 (PKI) standards, but, without the inherent complexities of a typical PKI solution. Achieving enterprise-wide passwordless authentication is a journey and Passwordless Windows Logon is the first step in that direction. It helps enterprises in:

  • Reducing operational expenses due to minimized help desk calls for password resets.

  • Providing superlative end-user experience to their employee, thereby improving their overall productivity.

  • Onboarding the enterprise-wide passwordless and modern authentication journey.

alt_text Figure: Passwordless Windows Logon – End-user enrollment

copy link to clipboardSystem Requirements

To use the Passwordless Windows Logon feature, the following requirements must be met:

copy link to clipboardClient-side requirements

Communication Protocols HTTPS (TLS1.2 and above)
Operating Systems

  • Windows 10

  • Windows 11

  • Windows Server 2016

  • Windows Server 2019

  • Windows Server 2022

NOTE: The Windows machines must be enabled with TPM 2.0.
Supported Authentication Tokens All STA OTP-based authenticators currently supported by SafeNet Trusted Access (STA). For example, MobilePASS+, GrIDsure, and Hardware tokens.

copy link to clipboardServer-side requirements

Communication Protocols HTTPS (TLS 1.2 and above)
Software Prerequisites

  • Microsoft Active Directory Certification Services (AD CS) must be configured with a valid Root CA on the same domain network.

  • Microsoft IIS 10, to host SafeNet SCEP Adaptor for secured management of certificate signing requests.

  • The following IIS components must be installed and enabled:
    > IIS 6 Management Compatibility Role Service (and its sub-components)
    > ISAPI filter role
note

Note

For passwordless enrollment, both the client-side and server-side components must be in the corporate network.

copy link to clipboardLimitations

Following are the limitations of the passwordless solution in this release:

  • Maximum number of users supported on a shared machine is limited to eight.

  • App Sharing is not supported.

copy link to clipboardPasswordless Windows Logon Setup

The following steps depict the flow of actions to be performed by the customer-side administrator to configure Passwordless Windows Logon:

Step 1: Simple Certificate Enrollment Protocol (SCEP) Service setup:

  1. Active Directory Certificate Services (ADCS) Configuration: Install and configure Certification Authority Web Enrollment and Network Device Enrollment Service roles on domain joined server.
  2. Create, configure, and issue certificate template for Passwordless Windows Logon on the CA server.

  3. Configure SCEP service.

    note

    Note

    The above steps can be performed by executing the automation utility ADCS_SetupForPwdlessDesktopLogon.zip.

Step 2: Add the Windows Logon application in STA (if not already).

Step 3: Download the SafeNet SCEP adaptor installation package and configuration file under Agent Setup.

Step 4: Install SafeNet SCEP adaptor on the NDES server where SCEP service is configured.

Step 5: Enter the SCEP Service URL, Root Certificate Authority Name under Agent Setup > Passwordless authentication settings in STA.

Step 6: Under Download and Deploy, download the SafeNet Agent for Windows Logon installation and configuration files.

Step 7: Enable the Passwordless Logon Policy under STA > Policies.

Step 8: Install the SafeNet Agent for Windows Logon.

Step 9: Enable the SafeNet Agent for Windows Logon from the agent's administrator interface.

For the detailed steps required to be performed for the Passwordless Windows Logon setup, click here.

On this page