
Troubleshooting on Windows Passwordless Login

This document contains troubleshooting information about Passwordless Login on Windows.

If you have any problem with Passwordless Login on Windows, first enable Debug mode in the Registry and restart the Monofor Identity Service.

Open the Registry Editor (regedit.exe), navigate to the following keys, and change the Debug value from 0 to 1.

CODE
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{417C7858-EE65-42AD-9F11-5BA27FB1FF64}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{0DC3BA90-52A8-4CA0-9FA7-3D29B24B8FDE}

Create a Logs directory under C:\ so that the path C:\Logs exists. Every log file will be created there.

Now, restart the Monofor Identity Service.
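The same steps as a script, as an added example that is not Monofor's own code. It assumes the Debug value already exists under both keys and that the service's display name is exactly "Monofor Identity Service"; the function and variable names are illustrative.

```powershell
# Added example (not vendor code). Run from an elevated PowerShell session.
$cpRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$cpGuids = '{417C7858-EE65-42AD-9F11-5BA27FB1FF64}',
           '{0DC3BA90-52A8-4CA0-9FA7-3D29B24B8FDE}'

function Set-MonoforDebug {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)

    foreach ($guid in $cpGuids) {
        $path = "$cpRoot\$guid"
        $key  = Get-Item -LiteralPath $path -ErrorAction Stop

        # The page says to edit an existing value, so refuse to create one
        # with a guessed type if it is missing.
        if ($key.GetValueNames() -notcontains 'Debug') {
            throw "No Debug value under $path"
        }

        # Keep whatever registry type the installer used (DWORD or string).
        $kind = $key.GetValueKind('Debug')
        $data = if ($kind -eq 'String') { "$Value" } else { $Value }
        Set-ItemProperty -LiteralPath $path -Name Debug -Value $data -Type $kind

        # Read the value back so the result of each write is visible.
        [pscustomobject]@{
            Key   = $guid
            Debug = (Get-ItemProperty -LiteralPath $path -Name Debug).Debug
            Kind  = $kind
        }
    }
}

# Log directory required by the page; -Force makes this a no-op if it exists.
New-Item -ItemType Directory -Path 'C:\Logs' -Force | Out-Null

Set-MonoforDebug -Value 1

# Assumption: the service's display name is exactly the name used on the page.
Restart-Service -DisplayName 'Monofor Identity Service'
```

Once the logs have been collected, `Set-MonoforDebug -Value 0` followed by another service restart returns both credential providers to their normal setting.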

User is trying to scan QR Code but after successful message, user stays in Logon UI

Description

After the first install, the user might have this issue if they have not signed out completely and signed in again.

Solution

Sign out completely and try to sign in again.

User is trying to scan QR Code but after successful message, user stays in Logon UI

Description

Monofor Identity uses the TPM module on the machine. If the virtual smart card has been broken somehow, the user can’t use this feature.

Solution

Remove the smart card lines from the Windows\System32\monofor-identity-security.ini file, then uninstall and install again.

First, uninstall the TPM virtual smart card. To do that, open a command line and run the following command.

POWERSHELL
monofor-tpm-service uninstall

Open monofor-identity-security.ini and remove the following lines: sdinstance=ROOT\SMARTCARDREADER\0000 and sdinitialized=true.

CODE
[Settings]
deviceState=unlocked
userName=MONA
sessionId=9017004F-6049-4854-8522-CDD34853A0CB
userDeviceId=BAACC59F-7168-461D-B036-4FD19A358744
sdinstance=ROOT\SMARTCARDREADER\0000
sdinitialized=true
[MONA]
recoveryCodes=USER-RECOVERY-CODES
UPN=mona@monodc.local

The final result should look like the following:

CODE
[Settings]
deviceState=unlocked
userName=MONA
sessionId=9017004F-6049-4854-8522-CDD34853A0CB
userDeviceId=BAACC59F-7168-461D-B036-4FD19A358744
[MONA]
recoveryCodes=USER-RECOVERY-CODES
UPN=mona@monodc.local

The following commands completely destroy the virtual smart card on Windows and allow you to create a new one. Run them in PowerShell or cmd.

POWERSHELL
TpmVscMgr destroy /instance root\smartcardreader\0000
monofor-tpm-service install

You should see the success messages shown below (this is output; do not run these lines).

POWERSHELL
PS C:\Users\Administrator> TpmVscMgr destroy /instance root\smartcardreader\0000
Destroying TPM Smart Card...
Initializing the Virtual Smart Card Reader...
Destroying the Virtual Smart Card Reader...
Initializing the Virtual Smart Card Simulator...
Destroying the Virtual Smart Card Simulator...
Initializing the Virtual Smart Card component...
Destroying the Virtual Smart Card component...
TPM Smart Card destroyed.
PS C:\Users\Administrator> monofor-tpm-service install
TPM Installed Successfully
PS C:\Users\Administrator>
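The whole reset procedure above as one script, as an added example that is not Monofor's own code. It assumes the .ini file is plain ANSI/ASCII text and that monofor-tpm-service resolves from the command line as it does in the page's transcript; the function name is illustrative.

```powershell
# Added example (not vendor code). Run from an elevated PowerShell session.
$ini = Join-Path $env:SystemRoot 'System32\monofor-identity-security.ini'

function Remove-SmartCardLines {
    # Returns the input lines without sdinstance= / sdinitialized=,
    # touching only the [Settings] section and leaving user sections alone.
    param([string[]]$Lines)

    $section = ''
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1] }
        $isTarget = $section -eq 'Settings' -and
                    $line -match '^\s*(sdinstance|sdinitialized)\s*='
        if (-not $isTarget) { $line }
    }
}

# 1. Uninstall the TPM virtual smart card (command from the page).
monofor-tpm-service uninstall

# 2. Back up, then rewrite the file. The backup stays beside the original so
#    it inherits the same ACL; the file holds recoveryCodes, so it should not
#    be copied to C:\Logs or a share. Delete it once sign-in works again.
Copy-Item -LiteralPath $ini -Destination "$ini.bak" -Force
$clean = Remove-SmartCardLines -Lines (Get-Content -LiteralPath $ini)
Set-Content -LiteralPath $ini -Value $clean

# 3. Destroy the old virtual smart card and create a new one (from the page).
TpmVscMgr destroy /instance root\smartcardreader\0000
monofor-tpm-service install

# 4. Confirm the result: no sd* lines left, and a reader device is present.
Select-String -LiteralPath $ini -Pattern '^\s*sd(instance|initialized)\s*='
Get-PnpDevice | Where-Object { $_.Class -eq 'SmartCardReader' } |
    Format-Table -AutoSize
```

Step 4 should print no matches from Select-String. Any sdinstance or sdinitialized line that appears there was written after the cleanup in step 2, which removed the old ones.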

User is trying to Scan QR Code and getting “The user name or password is incorrect.”

Description

When the user tries to scan the QR code, the user gets a “Success” message in the Monofor Identity app but gets “The user name or password is incorrect.” on the Windows Logon UI.

Windows Logon UI

Solution

Please follow this solution.

I need to check whether Certificate Enrollment is OK

Description

Sometimes we may need to check whether the certification process is working properly.

Solution

On the client machine, open Manage User Certificates (certmgr.msc).

Under Personal, right-click Certificates, then select All Tasks and Request New Certificate.

Click Next, and Next again. If everything works properly, you should see both the Monofor Identity - Enrollment and Monofor Identity - Client certificates in the list.

The Monofor Identity - Enrollment certificate is our Enrollment Certificate for Passwordless login processes. Select it and click Enroll. If you get the following error message, it means your computer is unable to talk with AD CS (Active Directory Certificate Authority). You can restart the client machine to solve the problem. If that does not fix it, try restarting AD CS on the domain controller, or restarting the AD machine.

After you have successfully enrolled the certificate, you will see the following UI. You can click Finish.

Requesting Certificate on Behalf

Description

If the Enrollment certificate is OK and the Enrollment process is OK, and you are still not able to log in, you may also want to check that the Service user is able to request a certificate on behalf of the user.

Solution

On the client machine, open Manage User Certificates (certmgr.msc).

Under Personal, right-click Certificates, then select All Tasks, Advanced Operations, Enroll On Behalf Of.

Click Next, and Next again. Browse for the Signing Certificate. Click OK.

Click Next and you will see the following list. Select Monofor Identity - Client and click Next.

Now type the username that you are trying to log in with, or browse for it.

If you see the following UI, you are able to obtain the client certificate, which means your certificate process is OK.


I need to find out whether the Smart Card has been created on the machine

Description

Monofor Identity uses a Virtual Smart Card on the machine. Virtual Smart Cards are stored on the machine’s TPM module (v2.0), a secure, tamper-protected module that keeps your critical authentication information secure.

To confirm that Monofor Identity has created your certificate correctly, check the machine’s Smart Cards.

Solution

Run the following PowerShell command to find out whether the SmartCardReader and Smart Card have been created.

POWERSHELL
Get-PnpDevice | Where-Object { $_.Class -eq 'SmartCardReader' } | Format-Table -AutoSize

You should see a result similar to the following:

TEXT
Status Class           FriendlyName InstanceId
------ -----           ------------ ----------
OK     SmartCardReader MONOFOR-TPM  ROOT\SMARTCARDREADER\0000

Agent Files Path

The Monofor Identity Agent uses the files below on the Windows machine. They can be used to verify whether the agent installation was successful.

CODE
C:\Windows\System32\monofor-identity-security.ini
C:\Windows\System32\libcurl.dll
C:\Windows\System32\zlib1.dll
C:\Windows\System32\QRCoder.dll
C:\Windows\System32\MonoSignCPHelper.dll
C:\Windows\System32\MonoSignCP.dll
C:\Windows\System32\MonoSignCPEx.dll
C:\Program Files\Monofor\Identity Client\Service\monofor-tpm-service.exe
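One way to run this check across the whole list, as an added example that is not Monofor's own code. The function name is illustrative, and the Version, Signature and SHA256 columns are reported for review only; the page does not state what values to expect.

```powershell
# Added example (not vendor code). Paths are the ones listed on this page.
$agentFiles = @(
    'C:\Windows\System32\monofor-identity-security.ini'
    'C:\Windows\System32\libcurl.dll'
    'C:\Windows\System32\zlib1.dll'
    'C:\Windows\System32\QRCoder.dll'
    'C:\Windows\System32\MonoSignCPHelper.dll'
    'C:\Windows\System32\MonoSignCP.dll'
    'C:\Windows\System32\MonoSignCPEx.dll'
    'C:\Program Files\Monofor\Identity Client\Service\monofor-tpm-service.exe'
)

function Get-MonoforAgentFileReport {
    param([string[]]$Path = $agentFiles)

    foreach ($p in $Path) {
        $present  = Test-Path -LiteralPath $p -PathType Leaf
        # Version, signature and hash only make sense for the binaries;
        # the .ini changes per machine and holds user data.
        $isBinary = $present -and ($p -match '\.(dll|exe)$')

        [pscustomobject]@{
            Path      = $p
            Present   = $present
            Version   = if ($isBinary) { (Get-Item -LiteralPath $p).VersionInfo.FileVersion }
            Signature = if ($isBinary) { (Get-AuthenticodeSignature -LiteralPath $p).Status }
            SHA256    = if ($isBinary) { (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash }
        }
    }
}

$report = Get-MonoforAgentFileReport
$report | Format-Table Present, Version, Signature, Path -AutoSize

# Any file listed here means the installation is incomplete.
$report | Where-Object { -not $_.Present } | Select-Object -ExpandProperty Path
```

Because these DLLs are loaded by the Windows logon process, recording the hashes from a known-good install gives a baseline to compare against on machines that misbehave.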