Introduction
This guide provides information on how to set up passwordless Windows Desktop Login (WDL) for On-Prem Active Directory domain joined devices. It covers:
- Installation & configuration of the Beyond Identity Domain Connector on the Active Directory Domain Controller for key synchronization.
- Setting up the Active Directory to use Key Trust based authentication for Beyond Identity Credentials Provider.
- Installation and configuration of the Beyond Identity Desktop Login Authenticator app.
Prerequisites
Beyond Identity Web SSO:
- The Beyond Identity Web SSO must be already configured and working.
- You must have super admin privileges to the Beyond Identity Admin Console.
Active Directory Side:
- You must have Enterprise Admin privileges on your AD Domain Controller(s).
- AD Domain Controller(s) must be running on Windows Server 2016 or later version (AD Schema Version: Windows Server 2016 or later schema).
- The minimum required domain functional and forest functional levels for deployment are Windows Server 2008 R2 (Server Manager > Domains and Trust > right-click the root domain > Properties).
- The AD Domain Controller must have the following components:
  - Active Directory Domain Services
  - Active Directory Certificate Services (required for server certificate issuance and for publishing 3rd-party CA issued certificates)
  - A Kerberos Domain Controller (KDC) certificate must be deployed on the AD Domain Controller(s)
  - DNS Services must be running.
- If you are using a non-Microsoft SSO and have already configured your SSO with your Active Directory:
  - The service account used by the SSO AD Agent must be a member of the following groups:
    - Domain Users
    - Key Admin
    - Enterprise Key Admin
    - Administrators
- If the SSO AD Agent is not available, or if you are using Microsoft SSO, the Beyond Identity Domain Connector is installed as part of the WDL installation. You can install it on the AD Domain Controller itself or on any domain joined server running Windows Server 2016 or later.
- You must have the ability to create and push GPO policies. If your GPO replication takes a long time, you can carry out the steps outlined in sections 3 and 4.1 ahead of time and confirm that the correct GPO policies are applied, so that installation and testing can proceed without waiting for replication.
Client Side:
- You need physical access or a console session to the machine to enroll and use WDL. Enrolling in or using WDL over an RDP session is not supported.
- Device must have joined the AD domain.
- Device must be running Windows 10 (Build 1703 or later) or Windows 11 (Must be a Pro or Enterprise License).
- Device must have Trusted Platform Module (TPM) 2.0 installed.
- Device must have Root & Intermediate certificates for Domain Controller deployed.
- Device may have a built-in or pluggable fingerprint reader (Optional).
- Device must have Beyond Identity Authenticator app installed and enrolled in the Beyond Identity Web SSO. We will replace the app with the Beyond Identity Desktop Login Authenticator App.
Beyond Identity Domain Connector Installation & Configuration
The steps from this section are NOT required if the SSO AD Agent is deployed in your environment. In that case, skip to the next section.
- Create (or use an existing) service account (e.g. biservice) and make it a member of the following groups:
  - Domain Users
  - Key Admin
  - Enterprise Key Admin
  - Administrators
- On the server where the Domain Connector is installed, ensure that the service account has sufficient privileges to install system services:
  - Run gpedit.msc.
  - Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
  - In the details pane, double-click “Log on as a service”.
  - Click “Add User or Group” and add the service account to the list of accounts. Once you have selected the user, click “OK”.
  - Click “OK” and close the policy editor.
- Log in to the Beyond Identity Admin Console and click Integrations in the menu.
- On the Settings page, open the Desktop Login tab.
- On the “Beyond Identity AD Connector” item, click the arrow to “Install this service”.
- Click “Generate Key” and record the newly generated key for use in the next step.
- Download the Beyond Identity Domain Connector on a domain joined server from here.
- Install the Beyond Identity Domain Connector and enter the values below:
  - Access Key: <Use Key generated in a previous step>
  - Domain: comma-separated domain values (e.g. beyondadfs.com)
  - Username: service account used to run the Beyond Identity service (e.g. biservice@beyondadfs.com)
  - Password: <Service-Account-Password>
- Once the installation is complete, make sure the service “Beyond Identity Domain Connector” is running.
Beyond Identity Admin Console Configuration
- Log in to the Beyond Identity Admin Console.
- Click on the Integrations tab and then click on the “OKTA” tab.
- Click on the edit option for “Okta Desktop Login”.
AD Server-Side Config
Create a Group for Desktop Login
In the following steps, we will create a group and assign users to participate in Beyond Identity desktop login service.
- Sign in to the AD DC as Domain Administrator.
- Launch the “Server Manager” management console.
- Click “Tools” and then, in the pull-down menu, click “Active Directory Users and Computers”.
- Right-click “Users” > “New” > “Group” and create a group named “Beyond Identity Users”.
- Then add the appropriate users to this group.
GPO Configuration to Enable Biometrics
In the following steps, we will create a new custom policy for the computers / devices participating in the Beyond Identity Desktop Login Service and assign it to the “Beyond Identity Users” group.
- Sign in to the AD DC as Domain Administrator.
- Launch the “Server Manager” management console.
- Click “Tools” and then, in the pull-down menu, click “Group Policy Management”.
- Double-click “Domains”, then right-click the appropriate AD domain name and click “Create a GPO in this domain, and Link it here…”.
- Enter the name “Beyond Identity GPO”, then click “OK”.
- In the left navigation menu, right-click “Beyond Identity GPO” and click “Edit”.
- Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Biometrics, and enable the following policies:
  - “Allow the use of biometrics”
  - “Allow users to log on using biometrics”
  - “Allow domain users to log on using biometrics”
- Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Hello for Business, and enable the following policy:
  - “Use Biometrics”
- Navigate to Computer Configuration > Policies > Administrative Templates > System > Logon, and enable the following policy:
  - “Turn On Convenience PIN Sign in”
- Follow the steps below to apply the GPO policy to the “Beyond Identity Users” group:
  - Under Group Policy Management, navigate to Group Policy Objects.
  - Double-click “Beyond Identity GPO”.
  - Click the “Scope” tab.
  - Under Security Filtering, add the “Beyond Identity Users” group.
  - Click the “Delegation” tab, then click “Advanced”.
  - Click the “Authenticated Users” group and click “Allow” for the “Read” permission.
  - Click the “Beyond Identity Users” group, click “Allow” for the “Read”, “Create all child objects”, “Delete all child objects” and “Apply group policy” permissions, and click “Apply”.
  - Under Group Policy Management, double-click your primary domain and click the “Linked Group Policy Objects” tab.
  - Make sure the newly created “Beyond Identity GPO” has link order 1.
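The same GPO can be built and filtered from an elevated PowerShell session on a domain controller with the RSAT GroupPolicy module. This is an added example, not part of the guide or of the Beyond Identity product; the registry keys are my reading of the policy-backed values in the Biometrics, Passport and Logon ADMX templates, so confirm them with gpresult /r /v on a client after gpupdate /force.

```powershell
# Added example (not from the guide): build "Beyond Identity GPO" with the RSAT
# GroupPolicy module. Registry keys below are my reading of the Biometrics, Passport
# and Logon ADMX templates; confirm with gpresult /r /v on a client after gpupdate /force.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName   = 'Beyond Identity GPO'
$groupName = 'Beyond Identity Users'
$domainDN  = (Get-ADDomain).DistinguishedName

# 1. Create the GPO if missing, link it at the domain root, and put it at link order 1.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }
$links = (Get-GPInheritance -Target $domainDN).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes | Out-Null
}
Set-GPLink -Name $gpoName -Target $domainDN -Order 1 | Out-Null

# 2. Computer Configuration policies the guide enables; DWORD 1 means Enabled.
$policies = @(
    # Biometrics: "Allow the use of biometrics"
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Biometrics';                     Name = 'Enabled' }
    # Biometrics: "Allow users to log on using biometrics"
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider'; Name = 'Enabled' }
    # Biometrics: "Allow domain users to log on using biometrics"
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider'; Name = 'Domain Accounts' }
    # Windows Hello for Business: "Use biometrics"
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\Biometrics';     Name = 'UseBiometrics' }
    # System > Logon: "Turn on convenience PIN sign-in"
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System';                 Name = 'AllowDomainPINLogon' }
)
foreach ($p in $policies) {
    Set-GPRegistryValue -Name $gpoName -Key $p.Key -ValueName $p.Name -Type DWord -Value 1 | Out-Null
}

# 3. Security filtering. Authenticated Users keeps Read only (computers must still be
#    able to read the GPO) and the target group gets Read + Apply group policy, which
#    is all that security filtering needs. These are Computer Configuration settings,
#    so they take effect on computer accounts that can read and apply the GPO.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Print the resulting delegation and link order for review.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ N = 'Trustee'; E = { $_.Trustee.Name } }, Permission
(Get-GPInheritance -Target $domainDN).GpoLinks | Select-Object Order, DisplayName, Enabled
```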
Client-side Config
Apply the GPO Policy
- On a domain joined Windows device, make sure you are logged in as a domain user with administrator rights on the local machine.
- Apply the GPO by running gpupdate /force from an elevated Windows PowerShell prompt, or simply reboot the machine.
- Verify that the GPO is applied by running gpresult /r /v from an elevated Windows PowerShell prompt.
Install Beyond Identity Desktop Login
- On a domain joined Windows device, make sure you are logged in as a domain user with administrator rights on the local machine.
- Using a browser, go to https://app.byndid.com/desktop-login/downloads and download the MSI labeled “Desktop Login for Windows”.
- Ensure the “Beyond Identity Service” service is running on the client before moving to the next step.
User Enrollment Process
- Run the command below in Windows Command Prompt or PowerShell and make sure the following parameters match:
  dsregcmd /status
  - Device State
    - AzureAdJoined: NO
    - DomainJoined: YES
    - EnterpriseJoined: NO
  - Device Details
    - TpmProtected: YES
    - DeviceAuthStatus: SUCCESS
  - SSO State
    - AzureAdPrt: NO
- Open the Beyond Identity Authenticator app.
- Select the Profile already enrolled in Web SSO and click on “Enroll in desktop login”.
- Enter your domain password to start enrolling in Beyond Identity’s Windows Desktop Login service.
- Create a PIN that will be used for passwordless login. The minimum length is 8 characters. Press ENTER once you have entered the PIN.
- Confirm the PIN added in the previous step.
- Optionally, enroll fingerprints for biometric login and then click “Finish Setup”.
- Wait until a confirmation dialog displays. You are now enrolled in Windows Desktop Login.
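The client prerequisites and the dsregcmd /status values the enrollment steps ask you to confirm can be checked in one pass. The following preflight script is an added example, not part of the guide or of the Beyond Identity product; the only assumed value is the service display name “Beyond Identity Service”, taken from the guide.

```powershell
# Added example (not from the guide): preflight the client checks the enrollment
# steps ask for and report PASS/FAIL per item. Run from an elevated PowerShell
# prompt. The service display name 'Beyond Identity Service' is taken from the guide.

# Expected dsregcmd /status values listed in the guide.
$expected = [ordered]@{
    'AzureAdJoined' = 'NO'; 'DomainJoined' = 'YES'; 'EnterpriseJoined' = 'NO'
    'TpmProtected' = 'YES'; 'DeviceAuthStatus' = 'SUCCESS'; 'AzureAdPrt' = 'NO'
}

# Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
function Get-DsregStatus {
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.+?)\s*$') { $status[$Matches[1]] = $Matches[2] }
    }
    return $status
}

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Result = $(if ($Ok) { 'PASS' } else { 'FAIL' }); Detail = $Detail })
}

# Windows 10 1703 (build 15063) or later, Pro or Enterprise edition.
$os = Get-CimInstance Win32_OperatingSystem
Add-Check 'OS build >= 15063 (Win10 1703+)' ([int]$os.BuildNumber -ge 15063) "$($os.Caption) build $($os.BuildNumber)"
Add-Check 'Pro or Enterprise edition' ($os.Caption -match 'Pro|Enterprise') $os.Caption

# TPM present, enabled and spec 2.0 (SpecVersion looks like "2.0, 0, 1.38").
$tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$tpmOk = [bool]$tpm -and $tpm.IsEnabled_InitialValue -and (($tpm.SpecVersion -split ',')[0].Trim() -eq '2.0')
Add-Check 'TPM 2.0 enabled' $tpmOk $(if ($tpm) { "SpecVersion $($tpm.SpecVersion)" } else { 'no TPM found' })

# Domain join and Azure AD state exactly as the guide expects.
$dsreg = Get-DsregStatus
foreach ($k in $expected.Keys) {
    Add-Check "dsregcmd $k = $($expected[$k])" ($dsreg[$k] -eq $expected[$k]) "actual: $($dsreg[$k])"
}

# Beyond Identity Service installed and running before enrollment.
$svc = Get-Service -DisplayName 'Beyond Identity Service' -ErrorAction SilentlyContinue
Add-Check 'Beyond Identity Service running' ($svc -and $svc.Status -eq 'Running') $(if ($svc) { "$($svc.Status)" } else { 'not installed' })

# Enrollment over RDP is unsupported; SESSIONNAME is "Console" locally and "RDP-Tcp#n" over RDP.
Add-Check 'Console (non-RDP) session' ($env:SESSIONNAME -notmatch '^RDP') "$env:SESSIONNAME"

$results | Format-Table -AutoSize
```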
User Login Process
- Log out or lock the local screen.
- Choose the Beyond Identity login option.
- When prompted, use a fingerprint or enter a PIN to complete login.