Integration with Windows
Overview
This document describes how to configure a Windows workstation for passwordless authentication with BlockID. Once configured, users log in to their Windows workstations with the biometrics they enrolled in the BlockID mobile application: Touch ID / Face ID, or LiveID.
Before you Begin
You will need the following resources and privileges to complete this integration:
- Install the BlockID Authentication Broker application on the Linux/Unix server. The BlockID Authentication Broker installation file (.zip) is named `blockIdSetup-version-number.zip`. To obtain it, contact your 1Kosmos representative. For more information, see the Installing BlockID Authentication Broker topic.
- Install the BlockID Credential Provider (CP) application on the Windows workstation. The BlockID CP executable (.exe) is named `blockIdSetup-version-number.exe`. To obtain it, contact your 1Kosmos representative. For more information, see the Installing BlockID Credential Provider topic.
- Set up and configure NDES (Network Device Enrollment Service).
- Mobile phone:
  - iPhone running iOS 12.3.1 or higher.
  - Android phone running Android 6.0 or later.
- Download and install the BlockID mobile application (compatible with iOS and Android devices). Visit the BlockID for Android or BlockID for iOS links to download the application.
Use cases
This document covers the following use cases:
- User Registration
- Windows Login
User Registration
The user must register with the BlockID mobile application. Registration in BlockID is seamless. A registered user can use their biometrics for passwordless authentication; the biometric options are Touch ID / Face ID, or LiveID.
Perform the following steps to register a user within the BlockID mobile application:
- Open the email sent by 1Kosmos in a browser on a desktop or laptop.
- Install the BlockID mobile application on your phone (see the BlockID for Android or BlockID for iOS links under Before you Begin).
- Launch the BlockID mobile application and follow the on-screen instructions to register the app with the BlockID platform and enroll your biometrics. See the Enroll Biometrics (Touch ID / Face ID and LiveID) section of the BlockID Mobile Application User Guide for a step-by-step description of the biometrics enrollment process.
- On your laptop, click the personalized magic link (for the BlockID platform) in the email that says `Click here`. The BlockID platform's single sign-on screen is displayed with the QR code for your company.
- On the BlockID mobile application's Home screen, tap `Scan QR`.
- Scan the QR code. A confirmation pop-up asks `Allow BlockID to access this device's location?`.
- In the confirmation pop-up, select `Allow only while using the app`. The Authentication screen is displayed with the message `Please authenticate using Biometric_option from 1kosmos`.
- Tap Authenticate and complete the appropriate authentication method. On success, a pop-up displays the message `Thank you! You have successfully authenticated to Log In`.
Windows Login
The following steps describe logging in to the Windows workstation with the BlockID mobile application. Before performing these steps, install and configure the BlockID Credential Provider (CP) on the user's Windows workstation.
- On the Windows login screen, click the `BlockID` option. The login screen displays a QR code to be scanned with the BlockID mobile app.
- On the BlockID mobile application's Home screen, tap `Scan QR`. A confirmation pop-up asks `Allow BlockID to access this device's location?`.
- In the confirmation pop-up, select `Allow only while using the app`. The Authentication screen is displayed with the message `Please authenticate using Biometric_option from 1kosmos`.
- Tap Authenticate and complete the appropriate authentication method.
- On success, a pop-up displays the message `Thank you! You have successfully authenticated to Log In`. The app sends the requested data to the CP, which signs the user in. This is how a user logs in to the Windows workstation by scanning a QR code.
- To unlock a locked Windows workstation, click the login name shown on the lock screen. A push notification with the heading "BlockID authentication request Login Alert" is sent to your mobile device.
- Tap the push notification message and authenticate. This unlocks the workstation via push notification.
Troubleshooting Steps
The message 'NDES server is not reachable' is displayed and NDES gets disabled.
This typically happens when the NDES service account password has changed or expired, so the SCEP application pool can no longer run under the stored credentials. Re-enter the credentials:
- Navigate to IIS Manager > Default Apps > SCEP > Properties > Identity.
- Select `default identity`.
- Select `custom`.
- Enter the username and password of the NDES service account again.
- Restart IIS.
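The same fix from PowerShell, as an added example that is not part of the original page or of 1Kosmos's tooling. It assumes the NDES application pool is named `SCEP` (the name NDES creates by default) and prompts for the service account credential instead of taking the password on the command line; the account name shown in the prompt is a placeholder:

```powershell
# Added example (not 1Kosmos code): re-apply the NDES service account to the
# SCEP application pool and restart it. Assumes the pool is named "SCEP" (the
# default NDES creates). Run in an elevated PowerShell session on the NDES server.
Import-Module WebAdministration

$poolName = 'SCEP'
$poolPath = "IIS:\AppPools\$poolName"

# Prompt for the credential so the password never lands in a script file or
# in the console history.
$cred = Get-Credential -Message 'NDES service account (DOMAIN\svc_ndes is a placeholder)'

# identitytype 3 = SpecificUser, the "Custom account" choice in IIS Manager.
Set-ItemProperty -Path $poolPath -Name processModel -Value @{
    identitytype = 3
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# The page's step is "Restart IIS"; restarting the pool is enough to pick up
# the new identity. Use iisreset if the whole server must be recycled.
Restart-WebAppPool -Name $poolName

# A pool that immediately returns to Stopped means the credential is still
# wrong or the account is locked out; check the System event log for WAS
# errors about an invalid application pool identity.
Get-WebAppPoolState -Name $poolName
```

Run `Get-WebAppPoolState` again after a minute; a pool that is `Started` and stays started confirms the new credential was accepted.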
The "User name and Password Invalid" error message is displayed.
Cause:
The user logs in to machine A through BlockID and, after a successful login, tries to access machine B over RDP using BlockID (or vice versa, from machine B to machine A), as in the following sequence:
Step 1:
- Start VNC > enter the name of machine A > select the BlockID option to log in > scan the QR code and authenticate with the BlockID app. The user is logged in to machine A on successful authentication.
- Start RDP > enter the name of machine B > select the BlockID option to log in > scan the QR code and authenticate with the BlockID app. The user is logged in to machine B on successful authentication.
Step 2:
- Start VNC > enter the name of machine B > select the BlockID option to log in > scan the QR code and authenticate with the BlockID app. The user is logged in to machine B on successful authentication.
- Start RDP > enter the name of machine A > select the BlockID option to log in > scan the QR code and authenticate with the BlockID app. The error message "User name and Password Invalid" is displayed.
Resolution:
Perform the following steps:
- Verify the following setting on both machines: Start RDP > click "Show Options" > open the Local Resources tab > under Local devices and resources, click "More" > verify that the "Smart cards or Windows Hello for Business" check box is selected.
- Compare the policies configured on machine A and machine B, and have the user update the group policy settings on machine B: log in as admin > open a command prompt > run `gpupdate`.
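To compare the two settings from PowerShell rather than clicking through mstsc on each machine, the following added example (not part of the original page or of 1Kosmos's software) reads the smart card redirection option saved by the RDP client and the smart card redirection policy on the remote machine. `machineB`, the `Default.rdp` path and the assumption that mstsc saved its options there are placeholders; the registry value name is the one written by the "Do not allow smart card device redirection" policy:

```powershell
# Added example (not 1Kosmos code): check the RDP client option and the remote
# policy that the resolution above asks you to compare. "machineB" is a
# placeholder; run from an account that can read the remote machine's registry.
$RdpFile = Join-Path $env:USERPROFILE 'Documents\Default.rdp'  # mstsc saves "Show Options" here
$Remote  = 'machineB'

# Client side: "Smart cards or Windows Hello for Business" under Local Resources
# > More is stored as redirectsmartcards:i:1 in the .rdp file (UTF-16, hidden).
$redirect = Select-String -Path $RdpFile -Pattern '^redirectsmartcards:i:(\d)' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Matches[0].Groups[1].Value } | Select-Object -First 1
'Client smart card redirection: {0}' -f $(if ($redirect -eq '1') { 'enabled' } else { 'DISABLED or not saved' })

# Server side: the policy "Do not allow smart card device redirection" writes
# fEnableSmartCard = 0 under the Terminal Services policy key. Read it on the
# remote machine so machine A and machine B can be compared before gpupdate.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$value = Invoke-Command -ComputerName $Remote -ArgumentList $policyKey -ScriptBlock {
    param($key)
    (Get-ItemProperty -Path $key -Name fEnableSmartCard -ErrorAction SilentlyContinue).fEnableSmartCard
}
$state = if ($null -eq $value) { 'not configured (redirection allowed)' }
         elseif ($value -eq 0)  { '0 = redirection BLOCKED by policy' }
         else                   { "$value (redirection allowed)" }
"Remote fEnableSmartCard policy on ${Remote}: $state"

# List the GPOs applied to the remote computer; a GPO present on one machine
# and missing on the other is the policy difference behind this error.
Invoke-Command -ComputerName $Remote -ScriptBlock { gpresult /scope computer /r }
```

Run it once with `$Remote = 'machineA'` and once with `'machineB'`; the machine that reports the policy as blocked, or that lacks a GPO the other one has, is the one to run `gpupdate` on.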
The "Request has expired" message is received when a user tries to log in to or unlock the Windows workstation.
Log received on the BlockID Admin Console:
request TS: {some number}
Server TS: {some number}
Allowed span: 60
Log received on the CP:
request has expired
Cause:
The workstation clock is out of sync with standard time. The request is timestamped on the workstation, and when it reaches the console the server's timestamp differs from it by more than the allowed span. BlockID allows a span of 60 seconds between the request timestamp and the server timestamp.
Resolution:
Change the configuration in Tomcat to allow more time, or reset the workstation clock so it is in sync with standard time. Resynchronizing the clock is the preferred fix: widening the span also lengthens the window in which a captured request remains valid.
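The following added example (not part of the original page or of 1Kosmos's software) measures the workstation's offset against an NTP source with `w32tm`, compares it with the 60-second span from the Admin Console log, and resynchronizes when the offset is too large. The time source is a placeholder; use your domain controller or internal NTP server:

```powershell
# Added example (not 1Kosmos code): measure the workstation clock offset and
# compare it with BlockID's 60-second allowed span. Assumes w32tm.exe (ships
# with Windows) and a reachable time source. Run elevated so /resync is allowed.
$AllowedSpanSeconds = 60            # "Allowed span: 60" from the Admin Console log
$TimeSource = 'time.windows.com'    # placeholder; prefer your DC or internal NTP

# With /dataonly, w32tm /stripchart prints lines such as "12:34:56, +01.2345678s".
$lines = & w32tm.exe /stripchart /computer:$TimeSource /samples:3 /dataonly
$offsets = foreach ($line in $lines) {
    if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if (-not $offsets) {
    throw "No offset samples from $TimeSource; check NTP reachability (UDP 123) and the w32tm output above."
}

$offset = ($offsets | Measure-Object -Average).Average
'Clock offset vs {0}: {1:N3} s (allowed span {2} s)' -f $TimeSource, $offset, $AllowedSpanSeconds

if ([math]::Abs($offset) -ge $AllowedSpanSeconds) {
    Write-Warning 'Offset exceeds the allowed span; BlockID will reject requests as expired.'
    # Fix the clock rather than widening the span on the server.
    & w32tm.exe /resync /force
    & w32tm.exe /query /status
} else {
    'Offset is within the allowed span.'
}
```

An offset close to the 60-second boundary still deserves attention: it leaves no headroom for network latency between the workstation, the Authentication Broker and the console.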
The domain controller rejects the client certificate used for smart card logon.
Cause:
The certificates are not available on the Certificate Authority (CA).
Resolution:
- On the desktop, navigate to Start > in the Search box type `mmc.exe` > press Enter.
- In the Microsoft Management Console (MMC) window, navigate to File > Add/Remove Snap-in.
- In the Add or Remove Snap-ins window, select the `Certificates` snap-in > click Add.
- In the Certificates snap-in window, select `Computer account`.
- In the Select Computer window, select `Local computer` > click Next > Finish.
- In the Add or Remove Snap-ins window, click OK.
- Expand the Certificates snap-in > right-click the Personal folder > select All Tasks > click Import.
- In the Certificate Import Wizard, click Next > click Browse to select the .PFX file > click Next.
- Enter the password (if one was set when the .PFX file was created).
- Make sure that `Mark this key as exportable. This will allow you to back up or transport your keys at a later time.` is selected if the key must be backed up or moved later (an exportable private key can also be extracted by anyone with administrative access to the store) > click Next.
- Select the appropriate certificate store in which to save the certificate, or select `Personal` when using a web certificate.
- Click Finish.
- In the Certificate Import Wizard confirmation, click OK. The certificate appears in the certificate list.
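The import from PowerShell, followed by the checks a domain controller applies to a smart card logon certificate, as an added example that is not part of the original page or of 1Kosmos's software. The .PFX path is a placeholder and the password is prompted for; `-Exportable` mirrors the wizard option above and can be dropped when the key never needs to leave the machine:

```powershell
# Added example (not 1Kosmos code): import the .PFX into the local machine
# Personal store and verify the properties smart card logon depends on.
# The path is a placeholder. Run in an elevated session on the workstation.
$PfxPath     = 'C:\certs\user-smartcard.pfx'                       # placeholder
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Equivalent of MMC > Certificates (Local Computer) > Personal > All Tasks > Import.
# -Exportable = "Mark this key as exportable"; omit it unless the key must be
# backed up or moved, since an exportable key can be pulled out by any admin.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $pfxPassword -Exportable

# Smart card logon requires the Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2),
# a UPN in the Subject Alternative Name, and a chain to a CA the DC trusts.
$smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasSmartCardEku = $eku -and ($eku.EnhancedKeyUsages.Value -contains $smartCardLogonOid)

$san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '' }
$hasUpn  = $sanText -match 'Principal Name='

# Build the chain with the machine's trust store; a failure here is the same
# failure the DC sees when it does not trust the issuing CA.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)

[pscustomobject]@{
    Thumbprint        = $cert.Thumbprint
    Subject           = $cert.Subject
    NotAfter          = $cert.NotAfter
    SmartCardLogonEKU = [bool]$hasSmartCardEku
    UpnInSan          = [bool]$hasUpn
    ChainBuilds       = $chainOk
    ChainStatus       = ($chain.ChainStatus.StatusInformation -join '; ')
}
```

If `ChainBuilds` is false, `ChainStatus` names the missing link (typically an untrusted root or an unreachable CRL); that is the certificate to install on the CA or in the domain's trusted store before retrying the logon.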
The message "Error while communicating with https://`tenanturl`/`port`/healthz" is displayed when a user scans the QR code to log in to the Windows workstation.
Cause:
On the Windows workstation, the proxy application URL is configured with "http", whereas in the CP application the proxy URL is configured with "https". The two must use the same scheme.
Resolution:
Make the two URLs use the same scheme, then restart the BlockID service:
- In the BlockID CP console, navigate to BlockID Configuration > General > BlockID Service > State and click Stop.
- Click Apply Changes. In the Settings Saved dialog box, click OK.
- Navigate to General > BlockID Service > State and click Start to start the service.
- Click Save & Close.
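To see the mismatch before a user hits it, the following added example (not part of the original page or of 1Kosmos's software) probes `/healthz` over both `https` and `http` on the host and port configured in the CP and warns when the scheme that answers is not the one configured. The tenant host and port are placeholders:

```powershell
# Added example (not 1Kosmos code): probe the BlockID /healthz endpoint over
# both schemes and compare the one that answers with the scheme configured in
# the CP. The URL below is a placeholder taken from the CP console.
function Test-BlockIdHealthz {
    param([Parameter(Mandatory)][uri]$ConfiguredUrl)   # URL as entered in the CP

    foreach ($scheme in 'https', 'http') {
        # Keep host and port from the configured URL, swap only the scheme.
        $builder        = [System.UriBuilder]::new($ConfiguredUrl)
        $builder.Scheme = $scheme
        $builder.Path   = '/healthz'
        $target         = $builder.Uri
        try {
            $resp = Invoke-WebRequest -Uri $target -UseBasicParsing -TimeoutSec 10
            [pscustomobject]@{ Scheme = $scheme; Url = $target; Reachable = $true;  Status = $resp.StatusCode; Error = $null }
        } catch {
            # A TLS failure ("secure channel") here means https is served but
            # the certificate is not trusted by this workstation.
            [pscustomobject]@{ Scheme = $scheme; Url = $target; Reachable = $false; Status = $null; Error = $_.Exception.Message }
        }
    }
}

$configured = [uri]'https://tenant.example.com:8443'   # placeholder for https://tenanturl:port
$results    = Test-BlockIdHealthz -ConfiguredUrl $configured
$results | Format-Table Scheme, Reachable, Status, Error -AutoSize

$answering = @($results | Where-Object Reachable | ForEach-Object Scheme)
if ($answering.Count -gt 0 -and $answering -notcontains $configured.Scheme) {
    Write-Warning ("The service answers over '{0}' but the CP is configured for '{1}'. " +
                   "Align the two, then stop and start the BlockID service.") -f ($answering -join ','), $configured.Scheme
}
```

Run this from the affected workstation, since the proxy and certificate trust in play are that machine's, not the administrator's.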