In a Remote Desktop scenario, a user is using a remote server for running services, and the smart card is local to the computer that the user is using. In a smart card sign-in scenario, the smart card service on the remote server redirects to the smart card reader that is connected to the local computer where the user is trying to sign in.
As a part of the Common Criteria compliance, the RDC client must be configurable to use Credential Manager to acquire and save the user's password or smart card PIN. Common Criteria compliance requires that applications not have direct access to the user's password or PIN.
Common Criteria compliance specifically requires that the password or PIN never leave the LSA unencrypted. A distributed scenario should allow the password or PIN to travel between one trusted LSA and another, but it must not be unencrypted in transit.
When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services sessions, users still need to sign in for every new Remote Desktop Services session. However, the user isn't prompted for a PIN more than once to establish a Remote Desktop Services session. For example, after the user double-clicks a Microsoft Word document icon that resides on a remote computer, the user is prompted to enter a PIN. This PIN is sent by using a secure channel that the credential SSP has established. The PIN is routed back to the RDC client over the secure channel and sent to Winlogon. The user doesn't receive any additional prompts for the PIN, unless the PIN is incorrect or there are smart card-related failures.
Remote Desktop Services enables users to sign in with a smart card by entering a PIN on the RDC client computer and sending it to the RD Session Host server in a manner similar to authentication that is based on user name and password.
To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer isn't in the same domain or workgroup, the following command can be used to deploy the certificate:
To enable remote access to resources in an enterprise, the root certificate for the domain must be provisioned on the smart card. From a computer that is joined to a domain, run the following command at the command line:
For Remote Desktop Services across domains, the KDC certificate of the RD Session Host server must also be present in the client computer's NTAUTH store. To add the certificate to that store, run the following command at the command line:
To sign in with a smart card from a computer that is not joined to a domain, the smart card must contain the root certificate of the domain controller. A public key infrastructure (PKI) secure channel cannot be established without the root certificate of the domain controller.
The UPN in the certificate must include a domain that can be resolved. Otherwise, the Kerberos protocol can't determine which domain to contact. You can resolve this issue by enabling GPO X509 domain hints. For more information about this setting, see Smart Card Group Policy and Registry Settings.
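The prerequisites above (KDC/root certificate in the client's Root and NTAUTH stores, and a resolvable UPN domain in the sign-in certificate) can be checked from the RDC client before troubleshooting a smart card prompt. The following PowerShell script is an added example, not code from the Microsoft article: it assumes an elevated session on the client, that the KDC root certificate has been exported to the placeholder path in $KdcRootCert, that certutil and Resolve-DnsName are available (they ship with Windows 8 / Server 2012 and later), and that the user's smart card certificates have been propagated into CurrentUser\My.

```powershell
# Added example: verify and repair the client-side trust prerequisites for
# smart card sign-in over RDP. Not part of the Microsoft article above.
param(
    [string]$KdcRootCert = 'C:\temp\kdc-root.cer'   # placeholder path, assumption
)

function Test-CertInStore {
    param([string]$StoreName, [string]$Thumbprint)
    # X509Store accepts any store name, including NTAuth, which has no Cert: drive alias.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        return (@($store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint })).Count -gt 0
    } finally {
        $store.Close()
    }
}

# The UPN suffix in the sign-in certificate must resolve, or Kerberos cannot
# pick a domain to contact; check for the domain's Kerberos SRV record.
function Test-UpnDomainResolvable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    if (-not $san) { return $false }
    # Format($true) renders the SAN as text, e.g. "Principal Name=alice@corp.example"
    if ($san.Format($true) -match 'Principal Name=[^@\s]+@([^\s,]+)') {
        $domain = $Matches[1]
        try {
            $null = Resolve-DnsName -Name "_kerberos._tcp.$domain" -Type SRV -ErrorAction Stop
            return $true
        } catch {
            return $false
        }
    }
    return $false
}

# 1. KDC root certificate must be in both Root and NTAuth on the client.
$kdcCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($KdcRootCert)
Write-Host "KDC root certificate: $($kdcCert.Subject) [$($kdcCert.Thumbprint)]"
foreach ($storeName in @('Root', 'NTAuth')) {
    if (Test-CertInStore -StoreName $storeName -Thumbprint $kdcCert.Thumbprint) {
        Write-Host "  already present in LocalMachine\$storeName"
    } else {
        # certutil -addstore writes to the local machine store; -f replaces an existing entry.
        certutil -addstore -f $storeName $KdcRootCert | Out-Null
        Write-Host "  installed into LocalMachine\$storeName"
    }
}

# 2. Every propagated smart card logon certificate must carry a resolvable UPN domain.
Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
} | ForEach-Object {
    $ok = Test-UpnDomainResolvable -Cert $_
    Write-Host "Smart card cert $($_.Thumbprint): UPN domain resolvable = $ok"
}
```

A certificate whose UPN domain does not resolve is the case the article's last paragraph addresses with X509 domain hints; the script only reports it, it does not change Group Policy.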
My W8 machine is connected to domain zen. If I rdp to the W8 machine, I can log in as a local user without problems. If I try to log in as a domain user, I am prompted for a smart card instead of a password.
Some additional information on this one. If my connecting machine is on the same domain/network as the W8 machine, then I am prompted for a password as usual. If the machine is remote, on a different domain, then I am prompted for a smart card. In addition, the machine I am connecting from that gets the smartcard prompt is an XP box - so it may be an issue confined to mstsc.exe version 6.0.x - with 6.1 the authentication is managed prior to the rdp gui session being established.
Another thing you might look for is a program called "Bitguard". I started getting the Smart Card prompt when trying to access shared devices on my network. This was driving me crazy because every time I tried to disable it using Control Panel, I got a Windows Explorer crash or it was grayed out so I couldn't make the choice to use ID and Password. After much research, I read somewhere that a recently added program can cause this. I went to see what was recently installed and saw the culprit "Bitguard". As soon as that was uninstalled, I was able to access the network devices using ID and password with no other changes to my system.
I've had this issue, and can confirm that if you change your remote desktop client's login username to \, it logs in just fine to the currently logged in session and doesn't prompt for the smart card anymore. This was with Remote Desktop Connection for Mac.
My company security requirement is that admins have to use a cert on a PIV card to RDP into remote servers. I couldn't find much instruction on how to set up such an environment. Does anyone have instructions on how to set up an RDP session into servers using a cert on a PIV card reader?
PIV card is a kind of smart card. In a Remote Desktop scenario, a user is using a remote server for running services, and the smart card is local to the computer that the user is using. In a smart card logon scenario, the smart card service on the remote server redirects to the smart card reader connected to the local computer where the user is trying to log on. So if you have enabled smart card logon on your company's client PCs, you will be able to use the smart card to RDP to the remote servers.
You can refer to the following article for details.
Smart Card and Remote Desktop Services
-us/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services
For enabling smart card logon on client PCs in your company, you can read the article below for reference:
Guidelines for enabling smart card logon with third-party certification authorities
-us/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities
So when I say I am logging into the RDP host via smart card, I mean I am completing my smart card authentication from the "Windows security" popup. So this way I can also use a Windows Hello for Business credential instead of any physical PIV card.
At the same time, per the doc, they say that the Windows Hello cred must have a certificate. However, I did not have any certificate with my WHfB cred; still, I was able to complete the authentication and open the VM.
And secondly, if I am not using the CredSSP RDP protocol, then I am taken directly to the VM's login screen. Basically I am NOT seeing the "Windows security" popup. So can I do the same smart card authentication from the VM's login screen?
I have been using the Microsoft Remote Desktop client for macOS to connect to remote Windows 10 computers and have the RDP client forward my smart card over to the remote machine. I don't use the smart card to log in to the remote machine, but once it is forwarded I use it with the browser to log in to a PIV-enabled website.
If I go to a Windows 10 computer and forward the smart card to the same remote PC it works just fine (using the same card and reader). So, it seems like something has broken in a recent version of the client.
The application running on the Remote Desktop (remote computer) communicates with your smart card that is connected locally to your computer. After a few moments, the operation is completed (for example, the signed email is sent).
I used to be able to redirect a smart card to the remote windows computer. I recently upgraded the RDP app on Mac and now the option to redirect a smart card is greyed out. I've tried removing and re-adding the card but no luck. Has anyone seen this behavior before?
I am trying to use SmartCard Redirect on a macOS 10.12 machine to RDP to a Win10 machine. I can use Win7 RDC through Parallels on the same machine, and I'm prompted for PSA and PIN normally, which allows a login. When using RoyalTSX, it prompts for username/password. If I specify the PSA, it tells me I have to use a smart card, ok, fine, "other user" > "PSA"... "Connect a smart card". The smart card (yubikey) isn't shown as an available option. Smart Card is enabled under Redirection. NLA is disabled, but apparently falls back to enabled. Shouldn't RoyalTSX detect the smart card that was able to be used via Win7 RDC?
To enable it, just make sure your smart card is visible in Keychain Access and enable the smart card redirection feature in the "Redirection" properties of your RDP connection in Royal TSX. How to make your smart card appear in Keychain Access heavily depends on the manufacturer of the card reader and smart card. Please check with your vendor if your hardware is actually supported on macOS and where to get the required software. Then, after installing the software, open the "Keychain Access" app and check if your smart card appears in the sidebar. Additionally, if you want to log in to the remote session using the smart card, note that smart card login + NLA is not supported and thus NLA needs to be disabled in this scenario.
That being said, unfortunately the implementation, which is based on the open-source library "FreeRDP", is far from being stable and works only in some environments and with some specific hardware. That's why we've chosen to label the feature "Experimental" in the UI.
If all the prerequisites are met in your environment and it still doesn't work, I'd appreciate it if you could post a "+1" on one of the FreeRDP issues to raise the awareness of the developers about this problem.