Passwordless Windows Logon
The Passwordless Windows Logon feature is MFA based on X.509 (PKI) standards, but without the inherent complexities of a typical PKI solution. Achieving enterprise-wide passwordless authentication is a journey, and Passwordless Windows Logon is the first step in that direction. It helps enterprises by:
- Reducing operational expenses through fewer help desk calls for password resets.
- Providing a superlative end-user experience to their employees, thereby improving overall productivity.
- Starting the enterprise-wide journey toward passwordless and modern authentication.
Figure: Passwordless Windows Logon – End-user enrollment
System Requirements
To use the Passwordless Windows Logon feature, the following requirements must be met:
Client-side requirements
| Requirement | Details |
|---|---|
| Communication Protocols | HTTPS (TLS 1.2 and above) |
| Operating Systems | NOTE: The Windows machines must be enabled with TPM 2.0. |
| Supported Authentication Tokens | All STA OTP-based authenticators currently supported by SafeNet Trusted Access (STA), for example MobilePASS+, GrIDsure, and hardware tokens. |
Server-side requirements
| Requirement | Details |
|---|---|
| Communication Protocols | HTTPS (TLS 1.2 and above) |
| Software Prerequisites | |
For passwordless enrollment, both the client-side and server-side components must be in the corporate network.
Limitations
The limitations of the passwordless solution in this release are:
- The maximum number of users supported on a shared machine is eight.
- App Sharing is not supported.
Passwordless Windows Logon Setup
The following steps depict the flow of actions to be performed by the customer-side administrator to configure Passwordless Windows Logon:
Step 1: Simple Certificate Enrollment Protocol (SCEP) service setup:
- Active Directory Certificate Services (ADCS) configuration: install and configure the Certification Authority Web Enrollment and Network Device Enrollment Service roles on a domain-joined server.
- Create, configure, and issue the certificate template for Passwordless Windows Logon on the CA server.
- Configure the SCEP service.
The above steps can be performed by executing the automation utility ADCS_SetupForPwdlessDesktopLogon.zip.
Step 2: Add the Windows Logon application in STA (if not already).
Step 3: Download the SafeNet SCEP adaptor installation package and configuration file under Agent Setup.
Step 4: Install SafeNet SCEP adaptor on the NDES server where SCEP service is configured.
Step 5: Enter the SCEP Service URL and the Root Certificate Authority Name under Agent Setup > Passwordless authentication settings in STA.
Step 6: Under Download and Deploy, download the SafeNet Agent for Windows Logon installation and configuration files.
Step 7: Enable the Passwordless Logon Policy under STA > Policies.
Step 8: Install the SafeNet Agent for Windows Logon.
Step 9: Enable the SafeNet Agent for Windows Logon from the agent's administrator interface.
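Before installing the agent (Step 8), an administrator will want to confirm that a client meets the requirements above and can reach the SCEP service configured in Step 1. The following PowerShell pre-flight check is an added example, not part of the SafeNet documentation or agent; the $ScepUrl value is a placeholder to be replaced with the SCEP Service URL entered in Step 5, and the GetCACaps query is the standard SCEP capability request served by NDES.

```powershell
# Added pre-flight check (not part of the SafeNet documentation or agent).
# Run on the client machine as Administrator before installing the Windows Logon agent.
# $ScepUrl is a placeholder; substitute the SCEP Service URL entered in STA (Step 5).
param(
    [string]$ScepUrl = 'https://ndes.example.corp/certsrv/mscep/mscep.dll'
)

$results = [ordered]@{}

# 1. TPM 2.0 must be present and ready (client-side requirement).
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if ($null -eq $tpm) {
    $results['TPM 2.0'] = 'FAIL: no TPM reported by Win32_Tpm'
} else {
    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM family.
    $family = ($tpm.SpecVersion -split ',')[0].Trim()
    $ready  = (Get-Tpm).TpmReady
    $results['TPM 2.0'] = if ($family -eq '2.0' -and $ready) { 'OK' } else { "FAIL: family=$family ready=$ready" }
}

# 2. The TLS 1.2 client must not be disabled in SCHANNEL (HTTPS with TLS 1.2+ is required).
$tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$tls = Get-ItemProperty -Path $tlsKey -ErrorAction SilentlyContinue
if ($tls -and $tls.Enabled -eq 0) {
    $results['TLS 1.2 client'] = 'FAIL: explicitly disabled in registry'
} else {
    $results['TLS 1.2 client'] = 'OK (enabled or OS default)'
}

# 3. The SCEP (NDES) endpoint must answer a GetCACaps request from the corporate network.
try {
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $resp = Invoke-WebRequest -Uri "$ScepUrl?operation=GetCACaps" -UseBasicParsing -TimeoutSec 10
    $caps = ($resp.Content -split "`r?`n") | Where-Object { $_ }
    $results['SCEP endpoint'] = 'OK: capabilities = ' + ($caps -join ', ')
} catch {
    $results['SCEP endpoint'] = "FAIL: $($_.Exception.Message)"
}

# Print one line per check; any FAIL line must be resolved before enrollment will succeed.
$results.GetEnumerator() | ForEach-Object { '{0,-16} {1}' -f $_.Key, $_.Value }
```

A FAIL on the SCEP endpoint from a machine outside the corporate network is expected, since enrollment requires both client and server components to be on the corporate network.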
For the detailed steps required for the Passwordless Windows Logon setup, refer to the full setup guide.