Windows RDP Smart Card logon
Setting up Windows Remote Desktop Smart Card logon
1. Terminal server configuration
Supported Operating Systems: Microsoft Windows Server 2008R2 and 2012R2
1.1. Install WWPass software
Install WWPass Security Pack version 3.2.1343 or higher.
note
For Remote Desktop access, the WWPass Security Pack needs to be installed on the Remote Desktop server only. End-user computers and thin clients need no additional software, because the RDP client redirects the local smart card reader to the server. If other WWPass functionality is required on the user terminal (VPN access, mail encryption, etc.), install the Security Pack on the end-user computer too.
1.2. Security Policy configuration
Run secpol.msc:
C:\Windows\System32\secpol.msc:
Set up the following parameters:
Security Settings > Local Policies > Security Options
Interactive Logon: Display user information when the session is locked: Do not display user information
Interactive Logon: Do not display last user name: Enabled
Interactive Logon: Require Smart Card: Enabled
1.3. Hide other credential providers:
Open Group Policy editor
C:\Windows\System32\gpedit.msc
and follow the tree to
Computer Configuration > Administrative Templates > System > Logon
Exclude Credential Providers
When "Exclude Credential Providers" is opened, the policy dialog is shown.
Select the "Enabled" radio button and enter the CLSIDs to exclude (comma-separated when more than one provider is hidden). In most cases only the Password Provider is excluded. The corresponding CLSIDs are:
{60b78e88-ead8-445c-9cfd-0b87f74ea6cd} - Windows Server 2012 and Windows 8.1 Password Provider
{6f45dc1e-5384-457a-bc13-2cd81b0d28ed} - Windows Server 2008 and Windows 7 Password Provider
note
curly braces should be included (see the screenshot above)
To determine a particular CLSID, consult the list of Credential Providers in the Registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
1.4. Smart Card Removal Behavior
The Smart Card Removal Behavior lets you control what happens when you disconnect your WWPass Key or WWPass Key for Mobile after using it to log into a Windows Active Directory domain. You can choose to disconnect from a remote session or automatically log out of Windows, or remain logged into Windows when your WWPass Key or WWPass Key for Mobile is disconnected.
Disconnecting remote session and logging out are the most secure behaviors in a work setting when you plan to leave your computer unattended.
Microsoft Windows provides a native solution to handle card removal behavior. It works well for smart card authentication on local computers, but often fails on Remote Desktop/Terminal Servers: with the reader redirected over RDP, delays in card presence polling can cause false card removal detection and involuntary session interrupts.
WWPass solves this problem with an improved card presence detection algorithm. If you experience problems with the Microsoft native service, use WWPass removal behavior control.
1.4.1. Smart card removal behavior - Desktop configuration
note
when using WWPass Dashboard setting other than "No Action", configure Windows Smart card removal behavior to "No Action"
To use the smart card removal feature, open the WWPass Dashboard window and select the "Advanced" tab.
Select one of the following under "Smartcard removal behavior":
- No Action - Select this if nothing should happen when you disconnect your WWPass Key or WWPass Key for Mobile from your Windows computer. You remain logged into Windows.
The following options are set in the dashboard on the remote computer:
- Disconnect - Select this to automatically disconnect from a session on a remote computer when you detach your WWPass Key or WWPass Key for Mobile from your Windows computer. Your current Windows session is preserved.
- Force logoff - Select this to automatically log out of Windows when you disconnect your WWPass Key or WWPass Key for Mobile. Your current Windows session is closed. To log on again, connect your WWPass Key or WWPass Key for Mobile to your computer and enter your access code.
The better way to disconnect the remote session and to close the Remote Desktop Client window is to set the following in the dashboard on the local computer:
- Disconnect Remote Session - Select this to automatically disconnect from a session on a remote computer when you detach your WWPass Key or WWPass Key for Mobile from your Windows computer. Your current Windows session is preserved. This setting actually stops all running instances of the Remote Desktop Client.
1.4.2. Smart card removal behavior - Windows Terminal Server configuration
note
when using Windows Smart card removal behavior, set WWPass Dashboard to "No Action"
Two steps are required - see e.g. https://www.farbeyondcode.com/How-to-lock-Windows-immediately-upon-smart-card-removal-5-2999.html
C:\Windows\System32\secpol.msc:
Security Settings > Local Policies > Security Options
Interactive Logon: Smart Card removal behavior: Disconnect if a Remote Desktop Services session
Configure and start Smart Card Removal Policy service.
Control Panel > System and Security > Administrative Tools > Services
Smart Card Removal Policy: Automatic (Delayed Start)
note
It is important to set Automatic (Delayed Start), not just "Automatic"
note
The service is not running by default; click the "Start the service" link in the upper left corner of the Services console
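The policy items in sections 1.2, 1.3 and 1.4.2 are backed by registry values, so they can be applied and read back in one step. The following PowerShell script is an added example written for this page, not WWPass tooling: it assumes a Windows Server 2012 R2 host configured through local policy (a domain GPO would overwrite these values), uses the 2012 R2 / 8.1 Password Provider CLSID from the list above as its default, refuses to hide a CLSID that is not registered on the host, and its -Revert switch undoes the settings as described in section 3. The final read-back also shows whether the server itself requires NLA (UserAuthentication = 1), which matters for the client-side NLA setting in section 2. Run it elevated on the terminal server.

```powershell
# Added example (not WWPass's own tooling): apply or revert the terminal-server
# settings from sections 1.2, 1.3 and 1.4.2 via the registry values behind the
# listed policy items, then read them back. Run elevated on the RDS host.
# Assumed: local policy on Windows Server 2012 R2 (hence the 2012/8.1 CLSID default).
[CmdletBinding()]
param(
    [switch]$Revert,
    # CLSID of the password credential provider to hide (value for 2012 R2 / 8.1)
    [string]$PasswordProviderClsid = '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}'
)

$system   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cpPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$cpList   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$rdpTcp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-CredentialProviders {
    # Enumerate the registered credential providers (the list section 1.3 refers to)
    Get-ChildItem -Path $cpList | ForEach-Object {
        [pscustomobject]@{
            Clsid = $_.PSChildName
            Name  = (Get-ItemProperty -Path $_.PSPath).'(default)'
        }
    }
}

function Set-RegValue([string]$Path, [string]$Name, $Value, [string]$Type) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

if (-not $Revert) {
    # Do not lock out password logon for a CLSID that is not a registered provider here
    if (-not (Get-CredentialProviders | Where-Object Clsid -eq $PasswordProviderClsid)) {
        throw "Credential provider $PasswordProviderClsid is not registered on this host"
    }
    # 1.2 Security Options
    Set-RegValue $system 'DontDisplayLockedUserId' 3 'DWord'   # locked session: do not display user information
    Set-RegValue $system 'dontdisplaylastusername' 1 'DWord'   # do not display last user name
    Set-RegValue $system 'scforceoption'           1 'DWord'   # require smart card
    # 1.3 Exclude Credential Providers (comma-separated CLSIDs, braces included)
    Set-RegValue $cpPolicy 'ExcludedCredentialProviders' $PasswordProviderClsid 'String'
    # 1.4.2 Smart card removal behavior: 3 = disconnect if a Remote Desktop Services session
    Set-RegValue $winlogon 'ScRemoveOption' '3' 'String'
    # Smart Card Removal Policy service: Automatic (Delayed Start), then start it now
    sc.exe config SCPolicySvc start= delayed-auto | Out-Null
    Start-Service -Name SCPolicySvc
} else {
    # Section 3: allow user name / password logon again
    Set-RegValue $system 'scforceoption' 0 'DWord'
    Set-RegValue $winlogon 'ScRemoveOption' '0' 'String'      # No Action
    Remove-ItemProperty -Path $cpPolicy -Name 'ExcludedCredentialProviders' -ErrorAction SilentlyContinue
}

# Read back what the logon screen will actually use
[pscustomobject]@{
    RequireSmartCard  = (Get-ItemProperty $system).scforceoption
    ExcludedProviders = (Get-ItemProperty $cpPolicy -ErrorAction SilentlyContinue).ExcludedCredentialProviders
    ScRemoveOption    = (Get-ItemProperty $winlogon).ScRemoveOption
    SCPolicySvc       = (Get-Service -Name SCPolicySvc).Status
    ServerRequiresNla = (Get-ItemProperty $rdpTcp).UserAuthentication   # 1 = NLA required on the server
}
```

Writing the values directly is equivalent to setting them in secpol.msc and gpedit.msc; both consoles read the same keys, so the result can be checked there afterwards. If ServerRequiresNla shows 1, clients that follow section 2 and disable NLA will be refused, so either leave NLA on or turn off the server's NLA requirement deliberately.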
2. RDP client configuration
RDP clients redirect smart card readers to the Remote Desktop server, so it is not necessary to install the WWPass Security Pack on the user computer or thin client terminal.
To improve the user experience it is recommended to disable NLA (Network Level Authentication) on the client side, so that the smart card PIN is requested by the server's logon screen rather than by the client before the session exists. Two caveats: this only works if the server does not require NLA ("Allow connections only from computers running Remote Desktop with Network Level Authentication" must be off on the server), and it exposes the server's logon screen to unauthenticated clients, so limit who can reach the RDP port (for example, with a VPN or firewall rules).
2.1. Windows Remote Desktop Connection
Compatibility: Windows 7 and 8.1
Create RDP configuration file:
To create the configuration file, start "Remote Desktop Connection" (mstsc.exe), fill in the Remote Desktop server IP address, click "Show Options" and set the other required parameters. Click "Save As" and write the file.
To disable NLA, add the following line to the RDP configuration file:
enablecredsspsupport:i:0
(see e.g. http://serverfault.com/questions/392759/remote-desktop-without-nla )
Good practice is to prepare this RDP configuration file once and distribute it to users.
Stored on the desktop, the file starts the preconfigured RDP connection when opened.
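As an added example (not part of the original page), the following PowerShell function edits the .rdp file that mstsc.exe saved instead of hand-editing it: it replaces the options you name, appends any the file lacks, and leaves every other line as mstsc wrote it, so the file can be regenerated safely after settings change. The file name wwpass-rds.rdp is illustrative.

```powershell
# Added example (not from the original page): set or replace options in an
# existing .rdp file saved by mstsc.exe. Lines have the form  name:type:value
# where type is i (integer) or s (string); the value may itself contain ':'
# (e.g. full address:s:host:3389), so the line is split into at most 3 parts.
function Set-RdpOption {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Options   # keys are "name:type", e.g. 'enablecredsspsupport:i'
    )
    $lines   = if (Test-Path $Path) { Get-Content -Path $Path } else { @() }
    $pending = @{} + $Options                       # copy; entries are removed as they are applied
    $out = @(foreach ($line in $lines) {
        $parts = $line -split ':', 3
        $key = if ($parts.Count -eq 3) { "$($parts[0]):$($parts[1])" } else { $null }
        if ($key -and $pending.ContainsKey($key)) {
            "${key}:$($pending[$key])"              # replace the existing value in place
            $pending.Remove($key)
        } else {
            $line                                   # keep everything else untouched
        }
    })
    # Options not present in the file are appended
    foreach ($key in @($pending.Keys)) { $out += "${key}:$($pending[$key])" }
    # mstsc.exe saves .rdp files as UTF-16 LE; write the same encoding back
    Set-Content -Path $Path -Value $out -Encoding Unicode
}

# Usage (assumed file name): turn the file mstsc.exe saved into the distributable one
Set-RdpOption -Path '.\wwpass-rds.rdp' -Options @{
    'enablecredsspsupport:i'   = 0   # client does not negotiate NLA; the server's logon screen asks for the PIN
    'redirectsmartcards:i'     = 1   # make the local reader / WWPass Key visible to the server
    'prompt for credentials:i' = 0   # do not show the client-side credential prompt
}
Get-Content -Path '.\wwpass-rds.rdp' | Select-String 'credssp|smartcard'
```

Keeping redirectsmartcards:i:1 explicit guards against a saved file in which the user unchecked smart card redirection under "Local Resources"; without it the server never sees the WWPass Key and the logon screen shows no certificate to pick.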
2.2. HP Thin Client t520 with ThinPro 5.2 Operating System
HP ThinPro is based on Debian/Ubuntu Linux and runs its own build of FreeRDP as the RDP client. Due to a known bug in FreeRDP, smart card functionality is not perfectly reliable: sometimes it is necessary to disconnect the smart card and reconnect it for the certificates to be read properly.
Create new RDP Connection
Open RDP Connection Manager dialog
Network tab:
define
- Connection name
- RDP server name or address
and check Allow Smart Card
Advanced tab, "Login dialog Options":
check
- "Remember me"
uncheck
- "Show username field"
- "Show password field"
- "Show domain field"
tip
in case the Remote Desktop background is corrupted on the HP display, go to Connection Manager > Experience and uncheck "Desktop background"
Customize display background
- Using ssh (scp), copy the desired image to the /writable/misc/desktop directory
- In Control Panel, select Setup > Background Manager
- Go to root > background > desktop > ImagePath
- Set desired image file
Switch to Zero Client mode:
Open Control Panel, select Setup > Customization Center and press a button at the top of the dialog
2.3. Linux rdesktop
http://www.rdesktop.org/, version 1.8.3; tested on Ubuntu 14.04
compile without CredSSP support (configure with --disable-credssp) so the client does not negotiate NLA
run:
./rdesktop -r scard <rdp_server> -g 90%
2.4. Linux FreeRDP
http://www.freerdp.com/, version 1.2.4; tested on Ubuntu 14.04
Due to a known bug in FreeRDP, smart card functionality is not perfectly reliable: sometimes it is necessary to disconnect the smart card and reconnect it for the certificates to be read properly.
compile:
cmake -DWITH_PCSC=ON -DWITH_SSE2=ON
run:
./xfreerdp -sec-nla /smartcard /v:<rdp_server> /size:90%
3. How to re-enable username/password access
In case you need to enable user name/password login again, revert the following settings:
Run secpol.msc:
C:\Windows\System32\secpol.msc:
Security Settings > Local Policies > Security Options
Interactive Logon: Require Smart Card: Disabled
Interactive Logon: Smart Card removal behavior: No Action
Open Group Policy editor
C:\Windows\System32\gpedit.msc
and follow the tree to
Computer Configuration > Administrative Templates > System > Logon
Exclude Credential Providers
Select the "Disabled" radio button in the "Exclude Credential Providers" dialog.