Smartcard logon over Terminal Services ( RDP redirection )

re: Smartcard logon over Terminal Services ( RDP redirection )

kert — Thu, 05 Apr 2007 23:10:27 GMT

Hey, i see you are pretty knowledgeable in MS smart card topics, and win security internals in general.

Im dealing with the same issues pretty often myself, i have written a CSP for a national smart card, Vista cardmodule alpha rev for the same card, done a "fake" winlogon-capable CSP, custom full GINA implementation and various related bits and pieces.

There is one thing that is very poorly documented, the automatic SC certificate propagation ( used to be SCCertProp winlogon notififaction package and is now a separate service in Vista ) .. is there any docs on how to configure that ? My main concern is to remove the certs when smart card is removed.

I also have tried to get my Winlogon notification DLL, ISensLogon inherited class and WMI events to get notifications on smart card removal, but none of them have worked for SC events, i can catch other events like logon and stuff fine.

So it would be nice if anyone could shed some light on this, asking in newsgroups has resulted in nothing so far.

Just as a reference, one real funny thing that i have tried is to get Win2K Smartcard PKI to interoperate with Heimdal Kerberos Domain ( using custommade certificates and all that ) so that Win2K desktop machine could log onto Heimdal domain, but we were ultimately stalled on an issue where some bit or piece of protocol simply had a byte or two wrong, and it didnt work out.

re: Smartcard logon over Terminal Services ( RDP redirection )

SpatDSG — Sun, 08 Apr 2007 06:43:58 GMT

For some related policies\config around the new CertPropSvc in Vista - see Shivaram's blog here: http://blogs.msdn.com/shivaram/archive/2007/02/26/smart-card-related-group-policy-settings-in-vista.aspx

However, it doesnt take care of the removal events to cleanup the SC certs (it does roots "Clean up certificates on smart card removal" )

You can also use SCardGetStatusChange to do any store cleanup if you wanted to.

spat

re: Smartcard logon over Terminal Services ( RDP redirection )

SpatDSG — Sun, 08 Apr 2007 18:23:50 GMT

https://msdn2.microsoft.com/en-us/library/ms801382.aspx

IOCTL_SMARTCARD_IS_PRESENT

re: Smartcard logon over Terminal Services ( RDP redirection )

kert — Wed, 11 Apr 2007 21:08:37 GMT

"You can also use SCardGetStatusChange"

Yes i know, but SCardGetStatusChange needs to have a separate thread running .. under which process ?

I could launch it from a winlogon notification package, but these are deprecated under Vista.

Also SCardGetStatusChange has one drawback: it does not take a synchronization parameter that would cancel the wait ( either a signal, mutex, semaphore or something ) so i have two options:

1) do SCardGetStatusChange with a short timeout and loop while checking for quit condition

2) kill the thread forcibly when quit is needed

neither is a very clean approach. i utilize the 1st in a CSP that i have developed and it results in registry access in each loop .. ie unneeded system load.

re: Smartcard logon over Terminal Services ( RDP redirection )

Dan Griffin — Mon, 23 Apr 2007 01:22:01 GMT

Best way to handle this would probably be via an NT service, which could get session change notifications from the service control manager. You'd have to spin up one thread per user session, due to the nature of SCardGetStatusChange.

Note that the proper way to cancel the GetStatusChange wait is via SCardCancel.

Smartcard logon over Terminal Services ( RDP redirection ) pII ( vista FYI )

Spat's WebLog (Steve Patrick) — Tue, 10 Jul 2007 20:35:43 GMT

It seems I do spend a fair bit of time with smartcards lately, but I have some other interesting posts

re: Smartcard logon over Terminal Services ( RDP redirection )

Lalit — Wed, 19 Dec 2007 17:49:23 GMT

How does WinScard determines if reader is remote or not? Could you please elborate on it.

Thanks.

re: Smartcard logon over Terminal Services ( RDP redirection )

SpatDSG — Sat, 05 Jan 2008 01:38:11 GMT

this is really an internal implementation - what are your goals here?

Perhaps we can address it more directly?

re: Smartcard logon over Terminal Services ( RDP redirection )

Lalit — Wed, 09 Jan 2008 12:50:10 GMT

Actually, I would like to understand how Winscard & scredir works.

I did small test using Process Explorer, if smart card reader is available (no matter if remote or locally) and you open RDP client, RDP client load both dll's i.e. WinScard.dll & Scredir.dll.

Does this means that these two dll's works independently? becuase if Winscard is actually detect if smartcard is remote and then calls scredir.dll then why Scredir.dll is loaded even if smartcard is local.

re: Smartcard logon over Terminal Services ( RDP redirection )

SpatDSG — Wed, 09 Jan 2008 21:30:02 GMT

They work together ( in XP\2k3 ) in Vista they were merged into winscard.dll if I recall.

Anyway - we basically query the current session to see if it is a remote session - if it is, we then set some flags in the SCARDCONTEXT which is querieed when the SCard function is called - like SCardReconnect -- it will then redirect the call thru scredir if the remote flag was set in the context.

re: Smartcard logon over Terminal Services ( RDP redirection )

Kalle — Thu, 27 Mar 2008 11:41:54 GMT

Hi, is it possible to access a smartcard reader that is physically connected to a 2K3 server within a RDP session? If I disable smartcard redirection within the client I expected, that I can access the smartcard readers connected to the server, but instead a call to SCardEstablishContext fails.

re: Smartcard logon over Terminal Services ( RDP redirection )

SpatDSG — Mon, 31 Mar 2008 23:20:32 GMT

I do not believe this is possible

re: Smartcard logon over Terminal Services ( RDP redirection )

Sid B — Mon, 23 Jun 2008 19:33:13 GMT

I am so happy to have found this blog...enormous help in understanding SC with TS.

I am a newbie to this so please need some help.

I have a 2K3 server with Terminal Server and about to load Gemalto drivers on it. My clients are however Win 2000 (yes!! - may move to Vista later this year). The company has deployed successfully SmartCard and now wants that when users who access TS need to have their SmartCard redirection. Any help or tips.? Another engineer who worked on this tested but said it took a long long time to authenticate and so gave up effort. But this is being revisted and The version of Reflex 2.0 PCMCIA. Are there any prior art on specific CSP related issues that could cause this time delays?

thanks in advance.

/Sid

re: Smartcard logon over Terminal Services ( RDP redirection )

Novice — Wed, 25 Jun 2008 00:29:20 GMT

Hi,

Is it possible to detect whether the user has logged in through a smart card or not,within a DLL which is meant for capturing the logon notifications , through the ISensLogon implementation route?

re: Smartcard logon over Terminal Services ( RDP redirection )

SpatDSG — Wed, 25 Jun 2008 04:43:28 GMT

First to Sid..

The best I can give you is to test yourself, and make sure that you are on the latest CSP version from your vendor. Legally, I dont think I can officially recommend a specific vendor, as it can come back as "microsoft said use X left us out" or some such nonsense.

I'm sorry..

spat

re: Smartcard logon over Terminal Services ( RDP redirection )

rob Crellin — Tue, 08 Jul 2008 12:00:12 GMT

I have a VDI issue reproducable were u can log on to a Remote desktop session to XP with a smart card and remove it and the session locks etc as many times as you like, if you log off and log back on u can again log on with a smart card but the smart card removal isnt recognised. If you reboot the VDI XP session the same behaviour repeats. this happens with rdp 5 and 6.

re: Smartcard logon over Terminal Services ( RDP redirection )

Smitty — Tue, 08 Jul 2008 12:23:22 GMT

what smartcard vendor are you using ?

re: Smartcard logon over Terminal Services ( RDP redirection )

rob crellin — Tue, 08 Jul 2008 12:27:00 GMT

This problem is the same with GemPlus and Active Identity and regardless of the type of terminal you use, its the same on Pc's to VDI or Wyse and HP terminals to VDI, after log off and log back on the card removal is nor recognised, even though the card management software sees the card and see it being removed

re: Smartcard logon over Terminal Services ( RDP redirection )

Lalit Kaushal — Tue, 26 Aug 2008 15:39:20 GMT

Hi Spat, what are changes done for Smartcard in terminal server Windows 2008? and how it works with W2K8. Thanks.

re: Smartcard logon over Terminal Services ( RDP redirection )

SpatDSG — Thu, 28 Aug 2008 05:47:35 GMT

not a lot new that I can think of - maybe if you are looking for something specific I can help?

We got rid of scredir.dll ..

We move to rpc calls for smartcard service calls.

Specific to TS and smartcards?

re: Smartcard logon over Terminal Services ( RDP redirection )

Marc — Tue, 09 Sep 2008 18:43:49 GMT

Hi Spat

We want to authenticate on terminal servers (in HQ) using smartcard from a branch office which is connected by a 4Mbps WAN link with a network latency of 250ms. Log on process lasts up 4 minutes. We're using WinXpSp2, w2k3 terminal server (rdp/ica) with Axalto v2c cards and ActivIdentity CSP. Do you have any hints to speed up authentication?

thanks in advance

cheers

Marc

re: Smartcard logon over Terminal Services ( RDP redirection )

Lalit Kaushal — Mon, 22 Sep 2008 12:29:11 GMT

Hi Spat, Thanks for the info. I am looking for changes specific to Smartcard on TS?

re: Smartcard logon over Terminal Services ( RDP redirection )

D. Krebs — Mon, 06 Oct 2008 19:42:11 GMT

This is for Rob Crellin,

Did you get any resolution to your issue where the smartcard removal is not recognized. We are having teh exact same issue using terminal connection to VDI using smartcards.

Thanks

re: Smartcard logon over Terminal Services ( RDP redirection )

Rick — Tue, 21 Oct 2008 15:28:36 GMT

Hi, I have a problem with a Vista client with a smartcard reader that's needed to authenticate to an application that can only be accessed via RDP. The RDP logon is plain Windows user authentication. Then the user starts the application but after the PIN code is typed in, we get the message "card is not in the reader".

The smartcard option is switched on on the localrsources of the client side. Thanks in advance!

re: Smartcard logon over Terminal Services ( RDP redirection )

SpatDSG — Tue, 21 Oct 2008 18:39:21 GMT

Here is an easy test.. when you RDP to the server , and the smartcard is in the reader, does a PIN prompt for logon come up?

I realize you use standard user\password to logon - but if the PIN prompt never even shows on the logon page, there is a good chance that the driver or something isnt installed right.

spat

re: Smartcard logon over Terminal Services ( RDP redirection )

Leon — Thu, 20 Nov 2008 01:01:10 GMT

Spat,

When we RDP to the server we get the "The card supplied requires drivers that are not present on this system. Please try another card" error.

We're using a Gemalto card. Do I need to install the third part software on the server or can I download the Base CSP (KB909520)?

Thanks, Leon

re: Smartcard logon over Terminal Services ( RDP redirection )

SpatDSG — Sun, 23 Nov 2008 05:24:25 GMT

Depends on the cards- if the ISV wrote a card module - then yest it needs to be installed. Sounds like a possible driver issue - does it all work OK locally?

Generic Terminal Server PKCS11 Library

Peter L — Tue, 16 Dec 2008 23:02:48 GMT

I found this URL, what I am trying to do which I don't think will be possible is to have a PKCS11 Library over a RDP session. For various reasons we login via RDP to a W2K3 terminal server with username and password. Then I would like to consume on the Terminal Server the PKCS11 Token that is inserted into my desktop machine. I have a working PKCS DLL and can interface into it on the local machine, but what "generic" DLL would I use on the terminal server that would then proxy those requests onto my local workstation.

Don't think this can be done somehow. The scredir and wincard come up as a non-pkcs11 library.

Can service on remote server monitor smart card on rdp client?

skybird — Wed, 25 Feb 2009 06:03:39 GMT

Hello, I'm skybird and I need your help.

I develped a program, it is client-service model. The service monitors and accessed the smart card and client communicates with the service. It is perfectly running on the local machine. But when I install it in server and RDP to server from client, the problems show.

The smart card is in client and my program is in server. The service can not monitor and access the smart card in client. Would you please help me ?

re: Smartcard logon over Terminal Services ( RDP redirection )

Håkan Eriksson — Wed, 08 Apr 2009 16:43:46 GMT

Hello,

I have a USB CCID combined reader that holds both a smart card reader and a biometric fingerprint sensor. The biometric device is accessed via SCardControl. On Vista(i.e. server side running vista, client can be vista or xp) the MS usbccid.sys driver is used and I can use both smartcard and fingerprint in a remote session(either using RDP or ICA/Citrix, both are ok).

However, on XP (local session) the version of usbccid.sys(5.2.3790.2444) was not good enough (could not access bio-part via SCardControl) and our company developed its own ccid-driver.

Now, when trying to use our reader in a remote session where the server is running XP I get a problem. I can either access the smart card funtionality (when reader is 'smart card redirected') or the biometric functionality (when reader is USB redirected(3rd part product from FabulaTech in my RDP-session, and build-in usb-redirection in ICA) but not both at the same time.

My guess is that problem origins from redirection and driver usage. Been surfing around a bit to understand how things work togeather but don't have 100% clear picture. Is there any hint you can give on this problem?

Regards

Håkan Eriksson

re: Smartcard logon over Terminal Services ( RDP redirection )

SpatDSG — Tue, 28 Apr 2009 19:51:57 GMT

Håkan

Wow - not sure where to start on this one. The client is XP - what is the third party product you mention for USB redirection? It sounds like it is not standard scredir redirection is this correct?

re: Smartcard logon over Terminal Services ( RDP redirection )

Håkan — Wed, 29 Apr 2009 12:04:28 GMT

Hi Spat,

The third party product is this one: http://www.fabulatech.com/usb-for-remote-desktop.html

I don't know how it's implemented but it seems that once I allow it to redirect my USB-reader the local system does not recognize that I have a smart card reader plugged in anymore. So, as you guess, scredir is probably not involved.

However, when using the standard scredir redirection - do you know if redirection of SCardControl calls should work?

Thanx

/Håkan

re: Smartcard logon over Terminal Services ( RDP redirection )

Paul Tarricone — Wed, 24 Jun 2009 15:48:37 GMT

I'm trying to figure out how Windows logs bad PIN entries and Card lockout entries. I need to be able to log the username of those users who attempt to logon with bad PINs or the username of a user who locks out his smartcard due to multiple bad PINs. I have ActivClient with Windows 2008 TS. I get an event 4673 when the user tries to logon but uses a bad PIN. THe details of the event don't provide me the user name. Is there a way to configure my system get this info?

re: Smartcard logon over Terminal Services ( RDP redirection )

SpatDSG — Sat, 27 Jun 2009 17:22:18 GMT

I don't believe so - unless ActiveClient has a method. But think of it like this - the cert is simply using a PIN for private key access, the logon process needs that before we can even get to a logon event.

re: Smartcard logon over Terminal Services ( RDP redirection )

Nguyen Trung Thanh — Mon, 20 Jul 2009 13:02:42 GMT

I am getting an issue with Smart card redirection via Terminal Session:

Below is what I tried:

1. Client: Windows 7 (RC) or Windows Server 2003 SP2

S/C with SafeSign IdentityClient

2. Server: Windows server 2008 Termial Services.

Certificate in the Smart card is in the IE certificate store(IE in the terminal session).

The IdentityClient can browse certificates in the S/C

But, certificate is not in the MY store of the terminal session.

I do not use smart card logon. Just want to redirect it to the terminal session. (it works if the server is a windows server 2003 system).

re: Smartcard logon over Terminal Services ( RDP redirection )

SpatDSG — Sat, 25 Jul 2009 20:08:10 GMT

So you want the smartcard certificate to be propagated to the terminal server store? Is the certificate propagation service running? Some smart cards have their own propagation methods as well - does yours?

spat

re: Smartcard logon over Terminal Services ( RDP redirection )

Arwan — Wed, 19 Aug 2009 11:21:11 GMT

dear all.

i'm deploying Virtual Desktop Infracture in my customer, we use APP-V to push the application to VDI. The case come, the application need to be authenticate with Finger Print (Acer Finger Print), when the thin client pc RDP to the VDI, the application cannot detect the finger print authentication... FYI we user RDP version 6.0.

any suggest?

thanks, and best Regards,

Arwan

re: Smartcard logon over Terminal Services ( RDP redirection )

Wietze Strik — Tue, 01 Sep 2009 15:58:56 GMT

I got the same message when I loggenon with TS. Some users worked fine. I fixed the problem by deleting the GTB2WIN.INI file.

Hope it helps.

Best regards, Wietze

re: Smartcard logon over Terminal Services ( RDP redirection )

Wietze Strik — Tue, 01 Sep 2009 16:09:51 GMT

Oops, forgot to mention that my problem was with Fortis MoneyManager, and the fix only works for this program.