Troubleshooting on Windows Passwordless Login
This document contains troubleshooting information about Passwordless Login on Windows.
First, if you have any problem about Passwordless Login on Windows, you need to enable Debug mode from Registry and restart the Monofor Identity Service.
Open Registry (regedit.exe), navigate to the following keys and edit Debug value 0 to 1.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{417C7858-EE65-42AD-9F11-5BA27FB1FF64}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{0DC3BA90-52A8-4CA0-9FA7-3D29B24B8FDE}You need to create a Logs directory in under C:\, it means you need to have a directory on path C:\Logs. Every log file will be created in here.
Now, restart the Monofor Identity Service.
User is trying to scan QR Code but after successful message, user stays in Logon UI
Description
After first install, user might have this issue if user has not signed out completely and sign-in again.
Solution
Sign-out completely and try to sign in again.
User is trying to scan QR Code but after successful message, user stays in Logon UI
Description
Monofor Identity uses TPM module on the machine. If virtual smart card has been broken in somehow, user can’t use this feature.
Solution
You need to remove smart card lines from the Windows\System32\monofor-identity-security.ini file and Uninstall / Install again.
First you need to uninstall the TPM virtual smartcard. For that, open command line and type following command.
monofor-tpm-service uninstallGo to the monofor-identity-security.ini remove following lines sdinstance=ROOT\SMARTCARDREADER\0000 andsdinitialized=true;
[Settings]
deviceState=unlocked
userName=MONA
sessionId=9017004F-6049-4854-8522-CDD34853A0CB
userDeviceId=BAACC59F-7168-461D-B036-4FD19A358744
sdinstance=ROOT\SMARTCARDREADER\0000
sdinitialized=true
[MONA]
recoveryCodes=USER-RECOVERY-CODES
UPN=mona@monodc.localFinal result should be like following;
[Settings]
deviceState=unlocked
userName=MONA
sessionId=9017004F-6049-4854-8522-CDD34853A0CB
userDeviceId=BAACC59F-7168-461D-B036-4FD19A358744
[MONA]
recoveryCodes=USER-RECOVERY-CODES
UPN=mona@monodc.localThis will completely destroy virtual smart card on Windows and allow you to create a new one. Run the following commands on Powershell or cmd, type the following command and execute.
TpmVscMgr destroy /instance root\smartcardreader\0000
monofor-tpm-service installYou need to see the successful message (Output - Do not run the following messages).
PS C:\Users\Administrator> TpmVscMgr destroy /instance root\smartcardreader\0000
Destroying TPM Smart Card...
Initializing the Virtual Smart Card Reader...
Destroying the Virtual Smart Card Reader...
Initializing the Virtual Smart Card Simulator...
Destroying the Virtual Smart Card Simulator...
Initializing the Virtual Smart Card component...
Destroying the Virtual Smart Card component...
TPM Smart Card destroyed.
PS C:\Users\Administrator> monofor-tpm-service install
TPM Installed Successfully
PS C:\Users\Administrator>User is trying to Scan QR Code and getting “The user name or password is incorrect.”
Description
When user try to Scan QR Code, user is getting “Success” message in Monofor Identity app but getting “The user name or password is incorrect.” on Windows Logon UI.
Windows Logon UI
Solution
Please follow the this solution.
I need to check that Certificate Enrollment is OK or not
Description
Sometimes we could need check that certification process is working fine or not.
Solution
On the client machine, go to the Manage User Certificates. (certmgr.msc)
Under Personal, Certificates, you can right-click, All Tasks and Request New Certificate.
Click Next, and Next again. If everything works properly, you need to see both Monofor Identity - Enrollment and Monofor Identity - Client certificates on the list.
Monofor Identity - Enrollment certificate is our Enrollment Certificate for Passwordless login processes. Select and click Enroll. If you have the following error message, it means your computer unable to talk with AD CS (Active Directory Certificate Authority). You can restart the client machine to solve the problem. If it didn’t fix again, try to restart ADCS on domain controller, or try to restart AD machine.
After you have successfully enrolled the certificate, you will see the following UI. You can click Finish.
Requesting Certificate on Behalf
Description
If Enrollment certificate OK and Enrollment process is OK, and you are not still able to login, you may also want to check the Service user is able to request certificate on behalf of the user.
Solution
On the client machine, go to the Manage User Certificates. (certmgr.msc)
Under Personal, Certificates, you can right-click, All Tasks, Advanced Operations, Enroll On Behalf Of.
Click, Next and, Next. Browse Signing Certificate. Click OK.
Click Next and you will see the following list. Select Monofor Identity - Client and, click Next.
Now type your Username that you are trying to login, or browse it.
If you are able to see the following UI, you are able to obtain the client certificate. Which means your certificate process is OK.
I need to learn that Smart Card has been created on the machine or not
Description
Monofor Identity uses Virtual Smart Card on the machine. Virtual Smart Cards stored on the Machine’s TPM Module (v2.0) which is a secure tamper protected module keeps your critical authentication information secure.
To really know that Monofor Identity has been created your certificate correctly, you need to check machine’s Smart Cards.
Solution
Execute following Powershell command to know whether SmartCardReader and Smart Card has been created or not.
Get-PnpDevice | Where-Object { $_.Class -eq 'SmartCardReader' } | Format-Table -AutoSizeYou should see the similar result the following;
Status Class FriendlyName InstanceId
------ ----- ------------ ----------
OK SmartCardReader MONOFOR-TPM ROOT\SMARTCARDREADER\0000