Spat's WebLog (Steve Patrick)

When things go wrong...

Smartcard logon over Terminal Services ( RDP redirection ) pII ( vista FYI )

It seems I do spend a fair bit of time with smartcards lately, but I have some other interesting posts planned as well. Anyway, this is kind of a heads up to an interesting issue with Vista.

 

We changed some of the way things work ( for the better ) in Vista. You may have noticed that scredir.dll no longer exists in Vista - much of that code was moved into Winscard.dll. We also changed the way we call the CSP: previously ( see http://blogs.msdn.com/spatdsg/archive/2006/10/06/Smartcards-and-cached-logons_2E002E002E00_.aspx ) we called from LSASS into winlogon.exe, but we no longer do this in Vista - we go straight to the CSP.

 

Anyway - this post is marginally related to my other post, Smartcard logon over Terminal Services ( RDP redirection ).

 

Remember that the "server" will call back to the client via the RDP protocol ( virtual channel ) and MSTSC.EXE loads winscard.dll on the client in order to process these IO requests. Well, in this case the calls never made it up to that level of the code. In fact, they died in the RDP client.

 

If you have a CSP which calls SCardUIDlgSelectCardW, it may fail due to this issue. The RDP session is initiated from Vista ( client --> server ):

 

Vista --> Vista : works OK

Vista --> XP: FAILURE

XP--> XP: works OK

XP--> Vista : works OK

 

Error on XP:

Event Type:       Failure Audit
Event Source:     Security
Event Category:   Logon/Logoff
Event ID:         537
Date:             3/27/2007
Time:             12:32:26 PM
User:             NT AUTHORITY\SYSTEM
Computer:         XPDEBUG
Description:
Logon Failure:
    Reason:                  An error occurred during logon
    User Name:
    Domain:
    Logon Type:              10
    Logon Process:           User32
    Authentication Package:  Kerberos
    Workstation Name:        XPDEBUG
    Status code:             0xC000006D -> STATUS_LOGON_FAILURE
    Substatus code:          0xC0000321 -> STATUS_SMARTCARD_SUBSYSTEM_FAILURE
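As an added example ( not code from the original post ), the Python below parses the text of a Security event 537 like the one above, decodes the two NTSTATUS values the post names, and flags the combination a defender triaging this Vista --> XP problem would look for on the target: a Logon Type 10 ( RDP ) Kerberos logon that failed with STATUS_SMARTCARD_SUBSYSTEM_FAILURE. The sample event text is constructed from the fields shown above, and the name table contains only the codes the post itself mentions; anything else is reported as unknown.

```python
import re

# Constructed sample: the fields of the XP Security event 537 shown in the post,
# trimmed to the lines the detector needs.
SAMPLE_EVENT_537 = """\
Event Type:       Failure Audit
Event Source:     Security
Event Category:   Logon/Logoff
Event ID:         537
Computer:         XPDEBUG
Description:
Logon Failure:
    Reason:                  An error occurred during logon
    User Name:
    Domain:
    Logon Type:              10
    Logon Process:           User32
    Authentication Package:  Kerberos
    Workstation Name:        XPDEBUG
    Status code:             0xC000006D
    Substatus code:          0xC0000321
"""

# Only the NTSTATUS values named in the post; anything else is reported as unknown.
NTSTATUS_NAMES = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000321: "STATUS_SMARTCARD_SUBSYSTEM_FAILURE",
}

# Logon type 10 is the RemoteInteractive ( Terminal Services / RDP ) logon.
RDP_LOGON_TYPE = 10

# "Key:   value" lines; the key may contain spaces and the value may be empty.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_event(text):
    """Turn the 'Key: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def ntstatus_name(code):
    """Map an NTSTATUS value to its symbolic name, or mark it as unknown."""
    return NTSTATUS_NAMES.get(code, "UNKNOWN_0x%08X" % code)


def analyse_event(text):
    """Decode the status codes and flag the RDP smart card failure signature."""
    f = parse_event(text)
    status = int(f.get("Status code", "0") or "0", 16)
    substatus = int(f.get("Substatus code", "0") or "0", 16)
    logon_type = int(f.get("Logon Type", "0") or "0")
    auth_package = f.get("Authentication Package", "")
    result = {
        "event_id": int(f.get("Event ID", "0") or "0"),
        "logon_type": logon_type,
        "auth_package": auth_package,
        "status": ntstatus_name(status),
        "substatus": ntstatus_name(substatus),
        "workstation": f.get("Workstation Name", ""),
    }
    # The signature the post describes: an RDP ( type 10 ) Kerberos logon on the
    # target that failed because the smart card subsystem could not be reached.
    result["smartcard_rdp_failure"] = (
        result["event_id"] == 537
        and logon_type == RDP_LOGON_TYPE
        and auth_package.lower() == "kerberos"
        and substatus == 0xC0000321
    )
    return result


if __name__ == "__main__":
    for key, value in analyse_event(SAMPLE_EVENT_537).items():
        print("%-22s %s" % (key, value))
```

The same substatus on a local ( type 2 ) logon is a different problem, which is why the check keys on the logon type and authentication package as well as the NTSTATUS value.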

 

 

Anyway - I hate leaving people in the dark with issues they may assume are due to the ISV's software... so, even though no fix is out yet, I have this FYI.

 

Fix is pending... but again, if the behavior isn't changed, don't shoot the messenger.

 

[added on July 10, 2007] Whooo hooo! It was fixed - a public KB article is coming, but if you need the fix now, ask for the fix for article 939682.

 

 

spatdsg

 

  • Interesting.

    That explains the issue somewhat to me.

    I use smart card authentication to servers and I can't go Vista -> Server (win2k3) as there is a smart card error.  I can however MSTSC to a non-smart card server, and then hop from there to a smart card server, but keeping my smart card in my Vista box.

    I now know I'm not going mad.  Looking forward to the fix.

  • Some more success found.  I guess this is a "use at own risk" as I've not fully tested, but FYI.

    According to:  http://blogs.msdn.com/ts/archive/2007/01/22/vista-remote-desktop-connection-authentication-faq.aspx#_When_to_use

    You can edit an RDP file (or default.rdp in Documents folder, hidden file) to use the

    enablecredsspsupport:i:0

    flag.  Not recommended, but I can now use CryptoFLEX smart cards formatted for XP to connect FROM vista TO Windows 2003 servers.

    Woo hoo!

  • I have seen this problem with ActivCard Middleware (software) and can solve the problem by introducing the registry entries for the new type of smart card.

  • Check "Getting Started with the Microsoft Remote Desktop Client and Smart Card Authentication" at http://www.tekworkshop.com/

    Step by step configuration is provided and some of the issues of connecting to legacy systems are addressed.

    Alex
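The enablecredsspsupport:i:0 workaround quoted in the comments above is a client-side setting that turns off CredSSP ( Network Level Authentication ) for that connection, which is why the commenter calls it "not recommended". As an added example, not from the post or any of its commenters, the Python below parses an .rdp file's name:type:value lines and reports that setting, so a defender can spot weakened connection files that have been shared around as a fix. The sample file contents are constructed; the host name in it is a placeholder.

```python
# Constructed sample .rdp file: the enablecredsspsupport:i:0 line is the
# workaround setting quoted in the comments; the other two lines are ordinary
# settings added only to make the sample realistic.
SAMPLE_RDP = """\
full address:s:xpdebug.example.local
redirectsmartcards:i:1
enablecredsspsupport:i:0
"""


def parse_rdp(text):
    """Parse 'name:type:value' lines; 'i' values become ints, 's'/'b' stay strings."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # Split on the first two colons only: string values may themselves
        # contain ':' ( e.g. a host:port in 'full address' ).
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError("line %d is not name:type:value: %r" % (lineno, raw))
        name, kind, value = parts
        if kind == "i":
            value = int(value)
        elif kind not in ("s", "b"):
            raise ValueError("line %d has unknown type %r" % (lineno, kind))
        settings[name.strip().lower()] = value
    return settings


def audit_rdp(text):
    """Return findings for settings that weaken the client's authentication."""
    settings = parse_rdp(text)
    findings = []
    if settings.get("enablecredsspsupport") == 0:
        findings.append(
            "enablecredsspsupport:i:0 disables CredSSP (Network Level Authentication) "
            "on the client; the server cannot require NLA for this connection"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_rdp(SAMPLE_RDP):
        print("finding:", finding)
```

Leaving the line out, or setting it to 1, restores the default CredSSP behavior; the check only fires on an explicit 0, since a missing key is the default.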
