
Windows Desktop Domain Login Use Case

Company: Crayonic B.V.

Audience: IT administrators, security professionals, system integrators

1. Introduction

1.1 Purpose

This document describes how to configure and deploy Crayonic digital wallets for Windows Desktop domain login using both FIDO2 passkeys and X509 PIV certificates. This enables passwordless, biometric authentication for cloud, hybrid, or on-premises Microsoft Active Directory environments.

1.2 Scope

This use case covers:

  1. X509 PIV Certificate-based Windows Domain Login - Traditional smart card authentication using PIV protocol
  2. FIDO2 Passkey-based Windows Domain Login - Modern passwordless authentication using FIDO2/WebAuthn
  3. Hybrid Azure AD/Entra ID Integration - Supporting both on-premises and cloud-based authentication
  4. Enterprise deployment scenarios - Including credential provisioning, management, and lifecycle

1.3 Reference Documentation

For detailed step-by-step instructions with screenshots and specific configuration examples, refer to the comprehensive PDF guide:

Crayonic Enterprise Setup and Tests PDF (2.5 MB)

That PDF is the complete technical implementation guide this use case is based on, and includes:

  • Detailed screenshots of each configuration step
  • Specific command-line examples and registry settings
  • Troubleshooting scenarios with visual examples
  • Complete certificate template configurations
  • Test case procedures and validation steps

1.4 Supported Crayonic Devices

  • Crayonic KeyVault - Full-featured smart authenticator with display and biometrics
  • Crayonic Badge - Wearable authenticator for proximity-based access
  • Crayonic Badge 2.0 - Next-generation badge (coming 2026)

2. Authentication Methods

2.1 X509 PIV Certificate Authentication

How it works:

  • Uses enterprise-grade X509 certificates stored in Crayonic devices
  • Leverages Windows native PIV protocol support (no drivers required)
  • Provides strong cryptographic authentication with biometric verification
  • Compatible with existing PKI infrastructure

Benefits:

  • Works with Windows 7+ (legacy support)
  • Integrates with existing Certificate Authority infrastructure, such as Microsoft Certificate Services
  • Supports smart card redirection over RDP
  • Compatible with VPN, 802.1X, and other certificate-based systems

User Experience:

  1. User connects Crayonic device to Windows computer or comes within range of Crayonic Bridge
  2. User authenticates with fingerprint or PIN on the device if not pre-authenticated
  3. Windows automatically uses the certificate for domain login
  4. No password required
  5. When used with Crayonic Bridge, the login is automatic when the user approaches the workstation according to pre-defined distance thresholds
  6. When used with Crayonic Bridge, the logout is automatic when the user moves away from the workstation according to pre-defined distance thresholds

2.2 FIDO2 Passkey Authentication

How it works:

  • Uses the FIDO2/WebAuthn standard for passwordless authentication
  • Integrates with MS Azure AD/Entra ID for hybrid environments
  • Provides phishing-resistant authentication
  • Allows for biometric verification on the user's Crayonic device for roaming scenarios

Benefits:

  • Modern, standards-based approach
  • Phishing-resistant by design
  • Works with Windows 10 1903+ and Windows 11
  • Seamless integration with Microsoft 365 and Azure services
  • Supports web-browser-based authentication from anywhere, on any device
  • Compatible with Windows 365 and MS Cloud PC VDI sessions

User Experience:

  1. User connects Crayonic device to Windows computer or comes within range of Crayonic Bridge
  2. User authenticates with biometrics on the device if not pre-authenticated
  3. Windows natively handles the authentication flow
  4. Seamless login without passwords using biometrics on the device
  5. When used with Crayonic Bridge, the login is automatic when the user approaches the workstation according to pre-defined distance thresholds
  6. When used with Crayonic Bridge, the logout is automatic when the user moves away from the workstation according to pre-defined distance thresholds

3. Deployment Prerequisites

3.1 Infrastructure Requirements

Active Directory Environment:

  • Active Directory Domain Services for on-prem or hybrid environments
  • Active Directory Certificate Services for X509 certificates

Azure AD/Entra ID (for FIDO2):

  • Azure AD Premium P1 or P2
  • Hybrid Azure AD join or Azure AD join
  • FIDO2 security keys enabled in authentication methods

3.2 Client Computer Requirements

Hardware:

  • Windows 10 (1903 or later) or Windows 11
  • At least one USB 2.0+ port

Software:

  • Domain-joined to Active Directory for X509 certificates, or Entra ID-joined for Passkeys
  • .NET Framework 4.8 or later
  • Windows Hello for Business configured (for FIDO2)

3.3 Administrative Accounts

Required accounts:

  1. Enterprise Admin - For CA configuration and certificate template creation
  2. Certificate Issuer - For provisioning certificates to devices
  3. Standard User - Target account for authentication testing

4. PKI Configuration (X509 PIV Method)

📋 Detailed Instructions: For complete step-by-step configuration with screenshots, see the Crayonic Enterprise Setup PDF - Section 2: PKI Configuration (pages 3-18).

4.1 Certificate Templates

Two certificate templates must be created:

Smart Card Logon Template:

  • Based on built-in "Smartcard Logon" template
  • Compatibility: Windows Server 2012+
  • Key usage: Digital Signature, Key Encipherment
  • Enhanced Key Usage: Smart Card Logon, Client Authentication
  • Subject name format: CN=username,DC=domain,DC=com

Data Encryption Template (Optional):

  • Based on built-in "Basic EFS" template
  • For file encryption and secure email
  • Long validity period recommended
  • Key usage: Key Encipherment, Data Encipherment

4.2 Certificate Authority Configuration

Validity Period:

certutil -setreg ca\ValidityPeriod "Years"
certutil -setreg ca\ValidityPeriodUnits "30"
net stop certsvc
net start certsvc

Template Publishing:

  • Enable new certificate templates in Certificate Authority console
  • Configure appropriate permissions for certificate issuers
  • Ensure CA is registered in NTAuth store

5. Device Provisioning

📋 Detailed Instructions: For complete provisioning procedures with screenshots, see the Crayonic Enterprise Setup PDF - Section 3.1: Public Key Infrastructure (pages 19-41).

5.1 PIV Certificate Provisioning

Using Crayonic PIV Manager:

  1. Initialize Device:
     • Connect the Crayonic device to the enrollment workstation via USB cable
     • Launch KeyVault PIV Manager
     • Set the PIN (4 digits minimum) and record the PUK if the end user will need it for PIN recovery
  2. Generate Authentication Certificate:
     • Navigate to the Authentication tab
     • Generate a new RSA key pair (2048-bit recommended)
     • Provide the subject DN: CN=username,DC=domain,DC=com
     • Select the appropriate Certificate Authority
     • Complete certificate issuance
  3. Generate Encryption Certificate (Optional):
     • Navigate to the Key Management tab
     • Generate a new RSA key pair
     • Leave the UPN field empty for encryption certificates
     • Complete certificate issuance

5.2 FIDO2 Passkey Provisioning

Using Crayonic Credential Manager:

  1. Azure AD Registration:
     • Ensure FIDO2 is enabled in Azure AD authentication methods
     • User navigates to the Security Info page
     • Adds the security key as an authentication method
     • Completes registration with biometric verification
  2. Windows Hello for Business:
     • Configure WHfB policies via Group Policy or Intune
     • Enable FIDO2 security key sign-in
     • Users can register devices during first login

6. User Authentication Scenarios

6.1 Local Windows Login

PIV Certificate Method:

  1. User connects Crayonic device
  2. Windows displays smart card login prompt
  3. User enters PIN or authenticates with biometrics on device
  4. Windows validates certificate and completes login

FIDO2 Method:

  1. User connects Crayonic device
  2. Windows displays security key login option
  3. User authenticates with biometrics on device
  4. Windows Hello for Business completes authentication

6.2 Remote Desktop (RDP)

Configuration:

  • Enable smart card redirection in RDP client
  • Ensure target server supports certificate authentication
  • Configure Network Level Authentication appropriately

User Experience:

  1. Connect Crayonic device to client computer
  2. Launch Remote Desktop client
  3. Authenticate with device when prompted
  4. Smart card is redirected to remote session

6.3 VPN Authentication

Supported VPN Clients:

  • Built-in Windows VPN client
  • Cisco AnyConnect
  • OpenVPN (with smart card support)

Configuration:

  • Configure RADIUS server for certificate authentication
  • Set up appropriate certificate validation policies
  • Enable smart card authentication in VPN client

7. Enhanced Security Features

7.1 Crayonic Credential Provider

Purpose:

  • Improves login/logout experience for X509 authentication
  • Provides cleaner UI similar to FIDO2 login
  • Removes PIN dialog from login screen

Installation:

  • Deploy via Group Policy or shared network folder
  • Compatible with Windows 7+
  • Supports X509, Passkey, and password credentials

7.2 Proximity Login (Crayonic Bridge)

Features:

  • Automatic login when user approaches workstation
  • Automatic logout when user moves away
  • Requires Crayonic Badge and Crayonic Bridge
  • Configurable proximity distance settings

7.3 Secure USB Mass Storage

Capabilities:

  • 32-128MB encrypted storage (model dependent)
  • AES encryption with biometric unlock
  • Secure file storage and transport
  • BitLocker To Go integration

8. Management and Lifecycle

8.1 Certificate Lifecycle

Renewal:

  • Certificates can be renewed before expiration
  • Use KeyVault PIV Manager for renewal process
  • Maintain same key pair or generate new keys

Revocation:

  • Revoke certificates in CA console when device is lost/stolen
  • Publish updated Certificate Revocation List (CRL)
  • Consider emergency revocation procedures

8.2 Device Management

PIN Management:

  • Users can change PIN via device menu
  • PIN reset requires PUK code
  • PIN blocked after 5 failed attempts

Device Reset:

  • Factory reset available through device menu
  • Removes all certificates and resets PIN/PUK
  • Requires re-provisioning of certificates

8.3 Enterprise Management

Crayonic Gateway Integration:

  • Integration with existing IAM solutions

9. Troubleshooting

📋 Detailed Instructions: For additional troubleshooting scenarios with screenshots, see the Crayonic Enterprise Setup PDF - Section 3: Test Cases and troubleshooting examples.

9.1 Common Issues

Certificate Authentication Failures:

  • Verify certificate is valid and not expired
  • Check certificate chain and root CA trust
  • Ensure NTAuth store contains issuing CA
  • Validate certificate template configuration
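The checklist above and the template requirements of section 4.1 can be walked automatically. The PowerShell below is an added example for this page, not Crayonic's PIV Manager code; it assumes the Crayonic device is attached so its certificate shows up in the user's personal store, and it uses certutil -enterprise -store NTAuth for the NTAuth check.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not Crayonic PIV Manager code: checks a logon certificate against the
# Smart Card Logon template requirements of section 4.1 and the checklist in section 9.1.
# Assumption: the Crayonic device is attached, so its certificate is visible in Cert:\CurrentUser\My.
function Test-SmartCardLogonCert {
    param([Parameter(Mandatory)][X509Certificate2]$Cert)
    $findings = [System.Collections.Generic.List[string]]::new()
    $now = Get-Date

    # 1. Validity window ("valid and not expired").
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) {
        $findings.Add("validity: now is outside $($Cert.NotBefore) .. $($Cert.NotAfter)")
    }
    # 2. EKUs required by the template: Smart Card Logon and Client Authentication.
    $ekus = @($Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } |
              ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object Value)
    foreach ($oid in '1.3.6.1.4.1.311.20.2.2', '1.3.6.1.5.5.7.3.2') {
        if ($ekus -notcontains $oid) { $findings.Add("EKU $oid missing") }
    }
    # 3. Key Usage: Digital Signature and Key Encipherment.
    $ku   = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $need = [X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    if (-not $ku -or (($ku.KeyUsages -band $need) -ne $need)) {
        $findings.Add('KeyUsage lacks DigitalSignature and/or KeyEncipherment')
    }
    # 4. Subject in the CN=username,DC=domain,DC=com form the template uses.
    if ($Cert.Subject -notmatch '^CN=[^,]+(,\s*DC=[^,]+){2,}$') {
        $findings.Add("subject '$($Cert.Subject)' is not CN=username,DC=domain,DC=com")
    }
    # 5. Chain to a trusted root, with online CRL checking (revocation, section 8.1).
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
    if (-not $chain.Build($Cert)) {
        foreach ($s in $chain.ChainStatus) { $findings.Add("chain: $($s.Status) $($s.StatusInformation.Trim())") }
    }
    # 6. Issuing CA must be in the enterprise NTAuth store. certutil prints the hash as
    #    "Cert Hash(sha1): aa bb cc ...", so spaces are removed before matching the thumbprint.
    if ($chain.ChainElements.Count -ge 2) {
        $issuer = $chain.ChainElements[1].Certificate.Thumbprint
        $ntauth = ((certutil -enterprise -store NTAuth 2>$null) -join "`n") -replace ' ', ''
        if ($ntauth -notmatch $issuer) { $findings.Add("issuing CA $issuer is not in the NTAuth store") }
    }
    [pscustomobject]@{ Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint
                       Pass = ($findings.Count -eq 0); Findings = $findings }
}

# Evaluate every certificate currently exposed through the attached device.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-SmartCardLogonCert -Cert $_ }
```

A certificate that passes every check but still fails at the logon screen points at the template publishing or CA permissions from section 4.2 rather than at the certificate itself.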

FIDO2 Authentication Issues:

  • Confirm FIDO2 is enabled in Azure AD
  • Verify Windows Hello for Business configuration
  • Check whether FIDO authentication is enabled on the endpoint
  • Validate user registration status

Smart Card Redirection Problems:

  • Enable smart card redirection in RDP client
  • Check Group Policy settings for smart card redirection
  • Verify target server supports certificate authentication
  • Consider Remote Credential Guard for non-domain clients

9.2 Logging and Diagnostics

Event Logs:

  • Security log: Event 4768 (Kerberos authentication)
  • System log: Smart card service events
  • Application log: Certificate validation events

Diagnostic Tools:

  • certutil command for certificate validation
  • Device Manager for smart card reader status
  • Event Viewer for authentication events
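Event 4768 carries enough detail to tell a certificate-based TGT request apart from a password-based one, which makes it the place to confirm a PIV rollout and to spot accounts still using passwords. The PowerShell below is an added example written for this page, not a Crayonic tool; it assumes the account can read the domain controller's Security log and that the CertIssuerName field of 4768 is populated only for certificate logons.

```powershell
# Added example, not a Crayonic tool: reads Kerberos TGT requests (Event 4768) from a
# domain controller's Security log and separates certificate (PKINIT) pre-authentication,
# which a PIV logon produces, from password-based pre-authentication.
# Assumptions: the account can read the DC's Security log; the CertIssuerName field is
# populated only for certificate logons (it is blank or "-" otherwise).
function Get-KerberosTgtRequests {
    param([string]$DomainController = $env:COMPUTERNAME, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $issuer = $data['CertIssuerName']
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $data['TargetUserName']
            ClientIp    = $data['IpAddress']
            Status      = $data['Status']          # 0x0 means a TGT was issued
            PreAuthType = $data['PreAuthType']     # 2 = password timestamp; 15/16 = PKINIT (PA-PK-AS-REP)
            Certificate = -not ([string]::IsNullOrEmpty($issuer) -or $issuer -eq '-')
            CertIssuer  = $issuer
            CertSerial  = $data['CertSerialNumber']
        }
    }
}

# Per-user summary: certificate logons versus password logons and failures, so a PIV
# rollout can be verified and remaining password use spotted.
function Get-LogonMethodSummary {
    param([string]$DomainController = $env:COMPUTERNAME, [int]$Hours = 24)
    Get-KerberosTgtRequests -DomainController $DomainController -Hours $Hours |
    Group-Object User | ForEach-Object {
        $ok = $_.Group | Where-Object { $_.Status -eq '0x0' }
        [pscustomobject]@{
            User       = $_.Name
            CertLogons = @($ok | Where-Object { $_.Certificate }).Count
            PwdLogons  = @($ok | Where-Object { -not $_.Certificate }).Count
            Failures   = @($_.Group | Where-Object { $_.Status -ne '0x0' }).Count
            Issuers    = ($_.Group.CertIssuer | Where-Object { $_ -and $_ -ne '-' } | Sort-Object -Unique) -join '; '
        }
    } | Sort-Object CertLogons -Descending
}

Get-LogonMethodSummary -Hours 24 | Format-Table -AutoSize
```

An issuer in the Issuers column that is not one of the enterprise CAs from section 4 is worth following up, as is a user who has been provisioned a device but still shows only password logons.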

10. Best Practices

10.1 Security Recommendations

  • Use strong PIN policies (avoid simple patterns)
  • Implement certificate validity monitoring
  • Regular security audits and compliance checks
  • Secure storage of PUK and management keys
  • Network segmentation for certificate services

10.2 Deployment Guidelines

  • Start with pilot group for testing
  • Provide user training on device usage
  • Establish clear support procedures
  • Document configuration for disaster recovery
  • Plan for certificate renewal cycles

10.3 User Experience Optimization

  • Deploy Crayonic Credential Provider for improved UX
  • Configure appropriate timeout settings
  • Provide clear instructions for PIN management
  • Consider proximity login for frequent users
  • Implement self-service password reset alternatives

© 2025 Crayonic. All rights reserved.