Remote desktop connection prevents getting Tokens!


confide...@gmail.com

Jul 9, 2015, 9:06:57 AM
to pkcs11...@googlegroups.com
I am using the Pkcs11Interop.PDF.Demo sample to get tokens,
and the server that I use for developing has a dongle plugged in and is running Windows 2008 R2.

The issue that I have is when I try to connect to the Windows 2008 server by using Remote Desktop Connection

I get tokens count as "0"
The dongle's own software is not able to find the dongle either
Ex: http://postimg.org/image/3oadm7lgp/

But when I try to connect to the Windows 2008 server by using Teamviewer
I get tokens count as "1" and I can sign the documents.
http://postimg.org/image/czsnx4rtp/

The producer company of the dongle says:
the cause of the issue,
When you try to connect to the server by using RDP,
RDP Client's searching the dongle on my own laptop, I mean not on the win2008 server.

To prevent this use VNC or Teamviewer.
Is there any way to get rid of this?

Because our customers don't accept installing Teamviewer because of security purposes.

Anybody faced this issue before?

Jaroslav Imrich

Jul 9, 2015, 5:47:44 PM
to pkcs11...@googlegroups.com
Hello Hakan,

your problem is caused by a *built-in feature* of winscard.dll library which represents PC/SC [0] layer (low level subsystem providing access to the smartcard readers) in MS Windows. When winscard.dll detects there is an RDP session open, it disables access to the local readers, redirects all calls to the remote client and by doing this it effectively provides access only to the readers connected to the RDP client machine.

I am aware of three solutions that can prevent PC/SC redirection:
1. Don't use RDP. Really! This is the EASIEST, CHEAPEST and CLEANEST solution. Really!
2. Ask your vendor to replace PC/SC (winscard.dll) in his PKCS#11 implementation with something else. Good luck with that!
3. !!! I DON'T RECOMMEND THIS OPTION !!! You can hack your winscard.dll library and disable the redirection feature just like a few other guys did [1].

Personally I always stick with the first option.

Regards, Jaroslav
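
A way to confirm this diagnosis on the server before changing anything, as an added example that is not part of the original thread or of Pkcs11Interop: it reports whether the process runs inside an RDP session and which readers winscard.dll exposes to it. The class name `RdpReaderCheck` and the helper `Check` are hypothetical; only documented Win32 and PC/SC calls are used.

```csharp
using System;
using System.Runtime.InteropServices;
// Added diagnostic sketch (assumption: run on the Windows server, once via RDP and once on the console).
static class RdpReaderCheck
{
    const int SM_REMOTESESSION = 0x1000;   // GetSystemMetrics index: non-zero inside an RDP session
    const uint SCARD_SCOPE_SYSTEM = 2;
    const int SCARD_E_NO_READERS_AVAILABLE = unchecked((int)0x8010002E);

    [DllImport("user32.dll")]
    static extern int GetSystemMetrics(int nIndex);
    [DllImport("winscard.dll")]
    static extern int SCardEstablishContext(uint dwScope, IntPtr r1, IntPtr r2, out IntPtr phContext);
    [DllImport("winscard.dll", EntryPoint = "SCardListReadersW", CharSet = CharSet.Unicode)]
    static extern int SCardListReaders(IntPtr hContext, string mszGroups, [Out] char[] mszReaders, ref uint pcchReaders);
    [DllImport("winscard.dll")]
    static extern int SCardReleaseContext(IntPtr hContext);

    static void Check(int rv, string api)
    {
        if (rv != 0) throw new InvalidOperationException(api + " failed: 0x" + rv.ToString("X8"));
    }

    static string[] ListReaders()
    {
        IntPtr ctx;
        Check(SCardEstablishContext(SCARD_SCOPE_SYSTEM, IntPtr.Zero, IntPtr.Zero, out ctx), "SCardEstablishContext");
        try
        {
            uint len = 0;
            int rv = SCardListReaders(ctx, null, null, ref len);   // first call only asks for the buffer size
            if (rv == SCARD_E_NO_READERS_AVAILABLE) return new string[0];
            Check(rv, "SCardListReaders");
            char[] buf = new char[len];
            Check(SCardListReaders(ctx, null, buf, ref len), "SCardListReaders");
            // Result is a multi-string: names separated by '\0', terminated by an extra '\0'.
            return new string(buf, 0, (int)len).Split(new[] { '\0' }, StringSplitOptions.RemoveEmptyEntries);
        }
        finally { SCardReleaseContext(ctx); }
    }

    static void Main()
    {
        bool rdp = GetSystemMetrics(SM_REMOTESESSION) != 0;
        string[] readers = ListReaders();
        Console.WriteLine("RDP session: " + rdp + (rdp ? " (readers below come from the RDP client)" : ""));
        Console.WriteLine("Readers seen via winscard.dll (" + readers.Length + "): " + string.Join(", ", readers));
    }
}
```

If the server's reader appears only when the program is run outside RDP, the empty token list in the PKCS#11 application comes from the redirection described above, not from the vendor library.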




Hakan Şamcı

Jul 10, 2015, 2:59:11 AM
to pkcs11...@googlegroups.com
Hello Jaroslav,

Many thanks for the prompt reply. 

Have a nice day.
