Setting up Windows Remote Desktop Smart Card logon

1. Terminal server configuration

Supported Operating Systems: Microsoft Windows Server 2008R2 and 2012R2

1.1 Install WWPass software

Install WWPass Security Pack version 3.2.1343 or higher.

https://ks.wwpass.com/download/

NOTE: For Remote Desktop access, the WWPass Security Pack needs to be installed only on the Remote Desktop server. End-user computers and thin clients do not need any additional software. If other WWPass functionality is required on the user terminal (VPN access, mail encryption, etc.), install the Security Pack on the end-user computer as well.

1.2 Security Policy configuration

Run secpol.msc:

C:\Windows\System32\secpol.msc

Set up the following parameters:

Security Settings > Local Policies > Security Options

    Interactive Logon: Display user information when the session is locked: Do not display user information
    Interactive Logon: Do not display last user name: Enabled
    Interactive Logon: Require Smart Card: Enabled

1.3 Hide other credential providers

See e.g. http://softwarefileprotection.com/how-to-hide-credential-providers-from-the-windows-logon-user-interface

Open Group Policy editor

C:\Windows\System32\gpedit.msc

and follow the tree to

Computer Configuration > Administrative Templates > System > Logon
    Exclude Credential Providers

When selecting "Exclude Credential Providers", the following dialog is shown:

[Screenshot: "Exclude Credential Providers" dialog]

Select the "Enabled" radio button and enter comma-separated CLSIDs to exclude one or more credential providers. In most cases only the Password Provider needs to be excluded. Its CLSIDs are:

{60b78e88-ead8-445c-9cfd-0b87f74ea6cd} - Windows Server 2012 and Windows 8.1 Password Provider
{6f45dc1e-5384-457a-bc13-2cd81b0d28ed} - Windows Server 2008 and Windows 7 Password Provider

NOTE: the curly braces must be included (see the screenshot above)

To find the CLSID of a particular provider, consult the list of credential providers in the registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers

1.4 Smart Card Removal Behavior

The Smart Card Removal Behavior lets you control what happens when you disconnect your PassKey or PassKey for Mobile after using it to log into a Windows Active Directory domain. You can choose to disconnect from a remote session or automatically log out of Windows, or remain logged into Windows when your PassKey or PassKey for Mobile is disconnected.

Disconnecting remote session and logging out are the most secure behaviors in a work setting when you plan to leave your computer unattended.

Microsoft Windows provides a native solution to handle card removal behavior. It works best for smart card authentication on local computers, but often fails on Remote Desktop/Terminal Servers. Due to time delays this native setting may cause false card removal detection and involuntary session interrupts.

WWPass solves this problem with an improved card presence detection algorithm. If you experience problems with the Microsoft native service, use WWPass removal behavior control.

1.4.1 Smart card removal behavior - Desktop configuration

NOTE: when using a WWPass Dashboard setting other than "No Action", set the Windows Smart card removal behavior to "No Action"

To use the Smartcard removal feature, open the WWPass Dashboard window and select the "Advanced" tab

[Screenshot: Dashboard, "Advanced" tab]

Select from the list under Smartcard removal behavior:

The following three options are set in the Dashboard on the remote computer:

The better way to disconnect the remote session and close the Remote Client window is to configure the Dashboard on the local computer with the following setting:

1.4.2 Smart card removal behavior - Windows Terminal Server configuration

NOTE: when using the Windows Smart card removal behavior, set the WWPass Dashboard to "No Action"

Two steps are required - see e.g. https://www.farbeyondcode.com/How-to-lock-Windows-immediately-upon-smart-card-removal-5-2999.html

  1. C:\Windows\System32\secpol.msc:

    Security Settings > Local Policies > Security Options

    Interactive Logon: Smart Card removal behavior: Disconnect if a Remote Desktop Services session

  2. Configure and start the Smart Card Removal Policy service.

    Control Panel > System and Security > Administrative Tools > Services

    Smart Card Removal Policy: Automatic (Delayed Start)

    NOTE1: It is important to set "Automatic (Delayed Start)", not just "Automatic"

    NOTE2: The service is not running by default; click the "Start the service" link in the upper left corner

[Screenshot: Smart Card Removal Policy service set to Automatic (Delayed Start)]
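As an added example (not part of the WWPass documentation), the following PowerShell script checks the server-side settings from sections 1.2, 1.3 and 1.4.2 against the registry values and service state that secpol.msc, gpedit.msc and the Services console write. The registry paths and value names are the standard Windows policy locations for these settings, assumed from general Windows knowledge rather than taken from this page; run it in an elevated prompt on the terminal server.

```powershell
# Added example: audit the Remote Desktop smart card logon settings of section 1.
# Registry locations are the standard Windows policy keys (assumed, not from this page).
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$gpo = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$cp  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\SCPolicySvc'   # Smart Card Removal Policy service

function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$checks = @(
    # 1.2 Security Options (secpol.msc); DontDisplayLockedUserId 3 = do not display user information
    @{ Name = 'Display user information when locked: Do not display'; Actual = Get-RegValue $pol 'DontDisplayLockedUserId'; Expected = 3 },
    @{ Name = 'Do not display last user name: Enabled';               Actual = Get-RegValue $pol 'DontDisplayLastUserName'; Expected = 1 },
    @{ Name = 'Require Smart Card: Enabled';                          Actual = Get-RegValue $pol 'ScForceOption';            Expected = 1 },
    # 1.4.2 removal behavior is a REG_SZ; "3" = Disconnect if a Remote Desktop Services session
    @{ Name = 'Smart Card removal behavior: Disconnect RDS session';  Actual = Get-RegValue $pol 'ScRemoveOption';           Expected = '3' },
    # Service Start 2 = Automatic, DelayedAutostart 1 = the "(Delayed Start)" variant NOTE1 insists on
    @{ Name = 'Smart Card Removal Policy service: Automatic (Delayed Start)';
       Actual = "$(Get-RegValue $svc 'Start')/$(Get-RegValue $svc 'DelayedAutostart')"; Expected = '2/1' }
)
foreach ($c in $checks) {
    $state = if ("$($c.Actual)" -eq "$($c.Expected)") { 'OK  ' } else { 'FAIL' }
    "[$state] $($c.Name) (found: $($c.Actual))"
}

# 1.3 Exclude Credential Providers: every excluded CLSID must be an installed provider
# (a missing brace or typo silently excludes nothing), and the Password Provider must be among them.
$excluded  = (Get-RegValue $gpo 'ExcludedCredentialProviders') -split ',' |
             ForEach-Object { $_.Trim() } | Where-Object { $_ }
$installed = Get-ChildItem $cp | ForEach-Object { @{ Clsid = $_.PSChildName; Name = $_.GetValue('') } }
foreach ($clsid in $excluded) {
    $match = $installed | Where-Object { $_.Clsid -eq $clsid }
    if ($match) { "[OK  ] excluded provider $clsid ($($match.Name))" }
    else        { "[WARN] excluded CLSID $clsid is not an installed provider (check braces and spelling)" }
}
foreach ($p in ($installed | Where-Object { $_.Name -like '*Password*' })) {
    if ($excluded -contains $p.Clsid) { "[OK  ] $($p.Name) $($p.Clsid) is excluded" }
    else { "[FAIL] $($p.Name) $($p.Clsid) is still offered at logon" }
}
```

Rerun the script after section 3 to confirm the password provider and "Require Smart Card" have been reverted as intended.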

2. RDP client configuration

RDP clients redirect smart card readers to the Remote Desktop server, so it is not necessary to install the WWPass Security Pack on the user computer or thin client terminal.

In order to improve the user experience, it is recommended to disable NLA (Network Level Authentication) on the client side.

2.1 Windows Remote Desktop Connection

Compatibility: Windows 7 and 8.1

Create RDP configuration file:

To create the configuration file, start "Remote Desktop Connection" (mstsc.exe), enter the Remote Desktop server IP address, click the "Show Options" button and set the other required parameters.
Click the "Save As" button and save the file.

[Screenshot: Remote Desktop Connection dialog]

To disable NLA, add the following line to the RDP configuration file:

enablecredsspsupport:i:0

(see e.g. http://serverfault.com/questions/392759/remote-desktop-without-nla )

A good practice is to prepare this RDP configuration file once and distribute it to users.

When stored on the desktop, the file starts the preconfigured RDP connection:

[Screenshot: RDP configuration file icons on the desktop]

2.2 HP Thin Client t520 with ThinPro 5.2 Operating System

HP ThinPro is based on the Debian/Ubuntu Linux distribution and runs its own build of FreeRDP as RDP client. Due to a known bug in FreeRDP, smart card functionality is not perfectly reliable. Sometimes it is necessary to disconnect the smart card and reconnect it for the certificates to be read properly.

Create a new RDP connection:

Open the RDP Connection Manager dialog.

Network tab:

[Screenshot: Network tab settings to define]

and check "Allow Smart Card"

Advanced tab, "Login dialog Options":

[Screenshot: options to check]

[Screenshot: options to uncheck]

HINT: if the Remote Desktop background is corrupted on the HP display, go to Connection Manager > Experience and uncheck "Desktop background"

Customize display background:

  1. Using ssh (scp), copy the desired image to the /writable/misc/desktop directory
  2. In Control Panel, select Setup > Background Manager
  3. Go to root > background > desktop > ImagePath
  4. Set desired image file

Switch to Zero Client mode:

Open Control Panel, select Setup > Customization Center and click the button at the top of the dialog

2.3 Linux rdesktop

http://www.rdesktop.org/, version 1.8.3; tested on Ubuntu 14.04

compile without libcredssp

run:

./rdesktop -r scard <rdp_server> -g 90%

2.4 Linux FreeRDP

http://www.freerdp.com/, version 1.2.4; tested on Ubuntu 14.04

Due to a known bug in FreeRDP, smart card functionality is not perfectly reliable. Sometimes it is necessary to disconnect the smart card and reconnect it for the certificates to be read properly.

compile:

cmake -DWITH_PCSC=ON -DWITH_SSE2=ON

run:

./xfreerdp -sec-nla /smartcard /v:<rdp_server> /size:90%

3. How to re-enable username/password access

If you need to re-enable username/password logon, do not forget to revert the following settings:

Run secpol.msc:

C:\Windows\System32\secpol.msc

Security Settings > Local Policies > Security Options

    Interactive Logon: Require Smart Card: Disabled
    Interactive Logon: Smart Card removal behavior: No Action

Open Group Policy editor

C:\Windows\System32\gpedit.msc

and follow the tree to

Computer Configuration > Administrative Templates > System > Logon
    Exclude Credential Providers

Select the "Disabled" radio button in the "Exclude Credential Providers" dialog