The move to true passwordless login involves leveraging Kerberos in a way that completely removes the need for users to enter or remember passwords. Instead, alternative factors such as NFC, security keys, or time-based one-time passwords are used. These methods are not only more secure but also provide a more convenient user experience.
In a Windows environment, integrating Kerberos for Passwordless Login involves configuring the Windows server and client systems to support Kerberos-based authentication methods. These methods use certificates to authenticate the user instead of a traditional password.
To enable Passwordless Windows Login through Kerberos, it’s necessary to have a Login Certificate issued by the domain’s Certification Authority (CA). Simplifying the process, Microsoft’s CA offers fundamental smart card certificate templates, which serve as a starting point for creating the specific Passwordless Login Certificate Template.
The initial step involves duplicating and configuring these templates. This guide will demonstrate how to establish a Passwordless Login Certificate Template on the server, enabling self-enrollment for the Passwordless Login Certificate.
Start by opening the Server Manager, then select ‘Tools’ followed by ‘Certification Authority’.
Expand your server name to reveal Certificate Folders.
Right click the Certificate Templates folder and choose Manage.
A new window opens with a list of templates in the middle pane. Right click the “Smart Card User” template and select “Duplicate Template”. (The Smart Card User template is a general use template that enables computer logon, as well as signing and encryption. If only smart card logon is needed, you can instead select the “Smart Card Logon” template.)
Under the General tab, rename the template to “CodeB Credential Provider Certificate”.
Next, adjust the properties of the new template. Under the Compatibility tab, leave the Windows Server 2003 settings chosen.
Under the Request Handling tab, set Purpose to “Signature and smartcard logon” and select the “Prompt the user during enrollment” radio button.
Under the Cryptography tab, change the minimum key size to 2048, select “Requests must use one of the following providers”, and check “CodeB Credential Provider”. This will ensure that the CodeB Credential Provider is used for storing the certificate and keys.
If “CodeB Credential Provider” is not in this list, CodeB’s Kerberos Connector has not been registered on this machine. You can download it from:
Under the Security tab, be sure the Enroll ability is set for the group or users who will be setting up the Passwordless CodeB Logon Certificate (use the Add button to add groups or individual users).
For the “CodeB Credential Provider” template, under the Subject Name tab, leave the defaults as they are, provided the intended smart card users have an e-mail address filled in on the General tab of their user account properties. To check this, open Server Manager, select Tools -> Active Directory Users and Computers, open the Users folder (it is sometimes already selected), then right-click the user(s) in question and select Properties.
Click OK to save the template. Close that window.
The Certificate Templates folder contains all the templates assigned to the CA. Some templates are assigned to the CA by default; the new template must be issued before it is added to the Certification Authority’s templates. Right-click the Certificate Templates folder, choose New, then Certificate Template to Issue.
Choose the template you just created and click OK. Click the Certificate Templates folder to check that the new certificate template is now visible in that folder.
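Before users enroll, it is worth reading the template back from Active Directory to confirm the settings the steps above configure actually landed. The following PowerShell script is an added example, not part of this guide or of CodeB’s software; it assumes the RSAT ActiveDirectory module is available, that the template display name is the one given above, and that the CSP name matches what the Cryptography tab lists.

```powershell
# Added example: verify the published template against the settings in this guide.
# Assumes RSAT ActiveDirectory module; names below are taken from the steps above.
Import-Module ActiveDirectory

$templateName      = 'CodeB Credential Provider Certificate'  # General tab display name
$cspName           = 'CodeB Credential Provider'              # provider from Cryptography tab
$smartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'                 # Smart Card Logon EKU OID

$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$caBase       = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

# Templates are searched by display name; the CN (often without spaces) is used for the CA check.
$tpl = Get-ADObject -SearchBase $templateBase -LDAPFilter "(displayName=$templateName)" `
        -Properties 'cn','pKIExtendedKeyUsage','pKIDefaultCSPs','msPKI-Minimal-Key-Size', `
                    'msPKI-Enrollment-Flag','msPKI-Certificate-Name-Flag'
if (-not $tpl) { throw "Template '$templateName' not found; the duplicate was not saved." }

# pKIDefaultCSPs entries look like "1,<provider name>"
$providers = @($tpl.pKIDefaultCSPs)

$checks = [ordered]@{
    'Smart Card Logon EKU present'   = $tpl.pKIExtendedKeyUsage -contains $smartCardLogonEku
    'Minimum key size >= 2048'       = [int]$tpl.'msPKI-Minimal-Key-Size' -ge 2048
    'CodeB CSP is the only provider' = ($providers.Count -eq 1) -and ($providers[0] -like "*,$cspName")
    # 0x100 = CT_FLAG_USER_INTERACTION_REQUIRED ("Prompt the user during enrollment")
    'Prompt user during enrollment'  = ([int]$tpl.'msPKI-Enrollment-Flag' -band 0x100) -ne 0
    # 0x1 = CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT; must be clear so the subject comes from AD
    'Subject built from AD'          = ([int]$tpl.'msPKI-Certificate-Name-Flag' -band 0x1) -eq 0
}

# "Certificate Template to Issue" adds the template CN to each CA's certificateTemplates list
$issuedBy = Get-ADObject -SearchBase $caBase -LDAPFilter '(objectClass=pKIEnrollmentService)' `
              -Properties 'certificateTemplates' |
            Where-Object { $_.certificateTemplates -contains $tpl.cn } |
            Select-Object -ExpandProperty Name
$checks['Published on a CA'] = [bool]$issuedBy

foreach ($c in $checks.GetEnumerator()) {
    '{0,-34} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'CHECK' })
}
if ($issuedBy) { "Issued by: $($issuedBy -join ', ')" }
```

Any line reporting CHECK points at the tab in the steps above where that setting is made.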
You are now ready to have users self-enroll their Passwordless Logon Certificates. See the video below to see how it works.