Supported Operating Systems: Microsoft Windows Server 2008R2 and 2012R2
Install WWPass Security Pack version 3.2.1343 or higher.
Note: For Remote Desktop access, the WWPass Security Pack should be installed on the Remote Desktop server only. End-user computers and thin clients do not need any additional software. If other WWPass functionality is required on the user terminal (VPN access, mail encryption, etc.), install the Security Pack on the end-user computer too.
Set up the following parameters:
Open Group Policy editor
and follow the tree to
When selecting "Exclude Credential Providers", the following dialog is shown:
Click the "Enabled" radio button and enter the CLSIDs of the credential providers to exclude, separated by commas if there is more than one. In most cases only the Password Provider will be excluded. Here are the corresponding CLSIDs:
Note: curly braces should be included (see the screenshot above)
To determine a particular CLSID, consult the list of Credential Providers in the Registry:
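An added example (not WWPass code and not part of the original page): a PowerShell check that lists the installed credential providers with their CLSIDs and validates the current exclusion list, including the curly braces. The two registry paths and the `ExcludedCredentialProviders` value name are standard Windows locations assumed here, since the page does not show them; the function name is hypothetical.

```powershell
# Added example, not WWPass code. Registry paths and the ExcludedCredentialProviders
# value name are standard Windows locations assumed here; the page does not show them.
function Test-CredentialProviderExclusion {
    $cpRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $guidRx    = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'

    # Each subkey name is a CLSID in curly braces; its default value is the provider name.
    $installed = @(Get-ChildItem -Path $cpRoot | ForEach-Object {
        New-Object PSObject -Property @{ CLSID = $_.PSChildName; Name = $_.GetValue('') }
    })

    # The policy stores the exclusion list as one comma-separated string.
    $prop = Get-ItemProperty -Path $policyKey -Name ExcludedCredentialProviders -ErrorAction SilentlyContinue
    $raw  = ''
    if ($prop) { $raw = "$($prop.ExcludedCredentialProviders)" }
    $excluded = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    foreach ($id in $excluded) {
        if ($id -notmatch $guidRx) {
            Write-Warning "Malformed entry (missing braces or not a GUID): $id"
        } elseif (-not ($installed | Where-Object { $_.CLSID -eq $id })) {
            Write-Warning "Excluded CLSID is not an installed provider: $id"
        }
    }

    # Report every provider and whether the policy hides it at logon.
    $report = $installed | ForEach-Object {
        New-Object PSObject -Property @{
            CLSID = $_.CLSID; Name = $_.Name; Excluded = ($excluded -contains $_.CLSID)
        }
    }
    if (-not ($report | Where-Object { -not $_.Excluded })) {
        Write-Warning 'Every installed credential provider is excluded; no logon method remains.'
    }
    $report | Sort-Object Name | Select-Object Name, CLSID, Excluded
}

Test-CredentialProviderExclusion | Format-Table -AutoSize
```

Run it on the Remote Desktop server before and after changing the policy to confirm that the smart card provider is still offered and only the intended providers are hidden.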
The Smart Card Removal Behavior lets you control what happens when you disconnect your WWPass Key or WWPass Key for Mobile after using it to log into a Windows Active Directory domain. You can choose to disconnect from a remote session or automatically log out of Windows, or remain logged into Windows when your WWPass Key or WWPass Key for Mobile is disconnected.
Disconnecting the remote session and logging out are the most secure behaviors in a work setting when you plan to leave your computer unattended.
Microsoft Windows provides a native solution to handle card removal behavior. It works best for smart card authentication on local computers, but often fails on Remote Desktop/Terminal Servers. Due to time delays this native setting may cause false card removal detection and involuntary session interrupts.
WWPass solves this problem with an improved card presence detection algorithm. If you experience problems with the Microsoft native service, use WWPass removal behavior control.
Note: when using a WWPass Dashboard setting other than "No Action", configure the Windows Smart card removal behavior to "No Action".
To use the Smartcard removal feature, open Desktop Window and select "Advanced" tab
Select from the list under Smartcard removal behavior:
- No Action - Select this if nothing should happen when you disconnect your WWPass Key or WWPass Key for Mobile from your Windows computer. You will remain logged into Windows.
The following three options are to be set on the remote computer dashboard:
- Disconnect - Select this to automatically disconnect from a session on a remote computer when you detach your WWPass Key or WWPass Key for Mobile from your Windows computer. Your current Windows session is preserved.
- Force logoff - Select this to automatically log out of Windows when you disconnect your WWPass Key or WWPass Key for Mobile. Your current Windows session is closed. To log on again, you need to connect your WWPass Key or WWPass Key for Mobile to your computer and enter your access code.
The better way to disconnect the remote session and to remove the Remote Client window is to configure the local computer dashboard with the following setting:
- Disconnect Remote Session - Select this to automatically disconnect from a session on a remote computer when you detach your WWPass Key or WWPass Key for Mobile from your Windows computer. Your current Windows session is preserved. This setting actually stops all the instances of Remote Desktop Client.
Note: when using Windows Smart card removal behavior, set WWPass Dashboard to "No Action"
Two steps are required - see e.g. https://www.farbeyondcode.com/How-to-lock-Windows-immediately-upon-smart-card-removal-5-2999.html
Security Settings > Local Policies > Security Options
Interactive Logon: Smart Card removal behavior: Disconnect if a remote Remote Desktop Services session
Configure and start Smart Card Removal Policy service.
Control Panel > System and Security > Administrative Tools > Services
Smart Card Removal Policy: Automatic (Delayed Start)
Note 1: It is important to set "Automatic (Delayed Start)", not just "Automatic".
Note 2: The service is not active by default; click the "Start the service" link in the upper left corner.
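A check for the two steps above, as an added example (not WWPass code and not part of the original page): it reads the configured removal behavior and confirms that the Smart Card Removal Policy service is set to Automatic (Delayed Start) and running. The `ScRemoveOption` value, the service name `SCPolicySvc` and the `DelayedAutostart` value are standard Windows names assumed here, not taken from the page; the function name is hypothetical.

```powershell
# Added example, not WWPass code. ScRemoveOption, SCPolicySvc and DelayedAutostart
# are standard Windows names assumed here; they are not shown on the page.
function Test-SmartCardRemovalSetup {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SCPolicySvc'
    $meaning  = @{
        '0' = 'No Action'
        '1' = 'Lock Workstation'
        '2' = 'Force Logoff'
        '3' = 'Disconnect if a remote Remote Desktop Services session'
    }

    # Step 1: the security option is stored as the string value ScRemoveOption.
    $opt  = '0'   # value absent means the policy is not defined (No Action)
    $prop = Get-ItemProperty -Path $winlogon -Name ScRemoveOption -ErrorAction SilentlyContinue
    if ($prop) { $opt = "$($prop.ScRemoveOption)" }

    # Step 2: Start = 2 is Automatic; DelayedAutostart = 1 makes it Automatic (Delayed Start).
    $svcReg  = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    $delayed = $false
    if ($svcReg) { $delayed = ($svcReg.Start -eq 2) -and ($svcReg.DelayedAutostart -eq 1) }

    $status = 'not found'
    $svc = Get-Service -Name SCPolicySvc -ErrorAction SilentlyContinue
    if ($svc) { $status = "$($svc.Status)" }

    New-Object PSObject -Property @{
        RemovalBehavior      = $meaning[$opt]
        DisconnectConfigured = ($opt -eq '3')
        DelayedAutoStart     = $delayed
        ServiceStatus        = $status
    }
}

Test-SmartCardRemovalSetup | Format-List
```

When the WWPass Dashboard setting is used instead, `RemovalBehavior` is expected to read "No Action".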
RDP clients redirect smart card readers to Remote Desktops, so it is not necessary to install "WWPass Security Pack" on user computer or thin client terminal.
In order to improve user experience it is recommended to disable NLA (Network Level Authentication) on client side.
Compatibility: Windows 7 and 8.1
Create RDP configuration file:
To create the configuration file, start "Remote Desktop Connection" (mstsc.exe), fill in the Remote Desktop server IP, click the Show Options button and set the other required parameters. Click the "Save As" button and save the file.
To disable NLA, add the following line to the RDP configuration file:
Good practice might be to prepare and distribute this RDP configuration file.
When stored on desktop, the file starts preconfigured RDP connection:
HP ThinPro is based on a Debian/Ubuntu Linux distribution and runs its own build of FreeRDP as the RDP client. Due to a known bug in FreeRDP, smart card functionality is not perfectly reliable. Sometimes it is necessary to disconnect the smart card and reconnect it for certificates to be read properly.
Open RDP Connection Manager dialog
- Connection name
- RDP server name or address
Allow Smart Card
Advanced tab, "Login dialog Options":
- "Remember me"
- "Show username field"
- "Show password field"
- "Show domain field"
HINT: in case the Remote Desktop background is corrupted on the HP display, go to Connection Manager > Experience and uncheck "Desktop background"
- Using ssh (scp), copy the desired image to the /writable/misc/desktop directory
- In Control Panel, select Setup > Background Manager
- Go to root > background > desktop > ImagePath
- Set desired image file
Open Control Panel, select Setup > Customization Center and press a button at the top of the dialog
http://www.rdesktop.org/, version 1.8.3; tested on Ubuntu 14.04
compile without libcredssp
./rdesktop -r scard <rdp_server> -g 90%
http://www.freerdp.com/, version 1.2.4; tested on Ubuntu 14.04
Due to a known bug in FreeRDP, smart card functionality is not perfectly reliable. Sometimes it is necessary to disconnect the smart card and reconnect it for certificates to be read properly.
cmake -DWITH_PCSC=ON -DWITH_SSE2=ON .
./xfreerdp -sec-nla /smartcard /v:<rdp_server> /size:90%
In case you need to enable login/password again, do not forget the following settings:
Open Group Policy editor
and follow the tree to
Click on "Disabled" radio button in the "Exclude Credential Provider" dialog