Windows RDP Smart Card logon

Setting up Windows Remote Desktop Smart Card logon

1. Terminal server configuration

Supported Operating Systems: Microsoft Windows Server 2008R2 and 2012R2

1.1. Install WWPass software

Install WWPass Security Pack version 3.2.1343 or higher.

https://ks.wwpass.com/download/

Note: For Remote Desktop access, the WWPass Security Pack should be installed on the Remote Desktop server only. End-user computers and thin clients do not need any additional software. If other WWPass functionality is required on the user terminal (VPN access, mail encryption, etc.), install the Security Pack on the end-user computer too.

1.2. Security Policy configuration

Run secpol.msc:

C:\Windows\System32\secpol.msc

Set up the following parameters:

Security Settings > Local Policies > Security Options
Interactive Logon: Display user information when the session is locked: Do not display user information
Interactive Logon: Do not display last user name: Enabled
Interactive Logon: Require Smart Card: Enabled

1.3. Hide other credential providers

See e.g. http://softwarefileprotection.com/how-to-hide-credential-providers-from-the-windows-logon-user-interface

Open Group Policy editor

C:\Windows\System32\gpedit.msc

and follow the tree to

Computer Configuration > Administrative Templates > System > Logon
Exclude Credential Providers

When selecting "Exclude Credential Providers", the following dialog is shown:

[Screenshot: Exclude Credential Providers dialog]

Click the "Enabled" radio button and enter the CLSIDs of the credential providers to exclude, separated by commas if there is more than one. In most cases only the Password Provider will be excluded. Here are the corresponding CLSIDs:

{60b78e88-ead8-445c-9cfd-0b87f74ea6cd} - Windows Server 2012 and Windows 8.1 Password Provider
{6f45dc1e-5384-457a-bc13-2cd81b0d28ed} - Windows Server 2008 and Windows 7 Password Provider

Note: curly braces should be included (see the screenshot above)

To determine a particular CLSID, consult the list of Credential Providers in the Registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers

1.4. Smart Card Removal Behavior

The Smart Card Removal Behavior lets you control what happens when you disconnect your WWPass Key or WWPass Key for Mobile after using it to log into a Windows Active Directory domain. You can choose to disconnect from a remote session or automatically log out of Windows, or remain logged into Windows when your WWPass Key or WWPass Key for Mobile is disconnected.

Disconnecting the remote session and logging out are the most secure behaviors in a work setting when you plan to leave your computer unattended.

Microsoft Windows provides a native solution to handle card removal behavior. It works best for smart card authentication on local computers, but often fails on Remote Desktop/Terminal Servers. Due to time delays this native setting may cause false card removal detection and involuntary session interrupts.

WWPass solves this problem with an improved card presence detection algorithm. If you experience problems with the Microsoft native service, use WWPass removal behavior control.

1.4.1. Smart card removal behavior - Desktop configuration

Note: when using a WWPass Dashboard setting other than "No Action", configure the Windows Smart card removal behavior to "No Action"

To use the Smartcard removal feature, open the Desktop Window and select the "Advanced" tab

[Screenshot: WWPass Dashboard]

Select from the list under Smartcard removal behavior:

  • No Action - Select this if nothing should happen when you disconnect your WWPass Key or WWPass Key for Mobile from your Windows computer. You will remain logged into Windows.

The following three options are to be set on the remote computer's dashboard:

  • Disconnect - Select this to automatically disconnect from a session on a remote computer when you detach your WWPass Key or WWPass Key for Mobile from your Windows computer. Your current Windows session is preserved.

  • Force logoff - Select this to automatically log out of Windows when you disconnect your WWPass Key or WWPass Key for Mobile. Your current Windows session is closed. To log on again, you need to connect your WWPass Key or WWPass Key for Mobile to your computer and enter your access code.

A better way to disconnect the remote session and to close the Remote Client window is to configure the local computer's dashboard with the following setting:

  • Disconnect Remote Session - Select this to automatically disconnect from a session on a remote computer when you detach your WWPass Key or WWPass Key for Mobile from your Windows computer. Your current Windows session is preserved. This setting actually stops all the instances of Remote Desktop Client.

1.4.2. Smart card removal behavior - Windows Terminal Server configuration

Note: when using Windows Smart card removal behavior, set WWPass Dashboard to "No Action"

Two steps are required - see e.g. https://www.farbeyondcode.com/How-to-lock-Windows-immediately-upon-smart-card-removal-5-2999.html

  1. C:\Windows\System32\secpol.msc:

    Security Settings > Local Policies > Security Options

    Interactive Logon: Smart Card removal behavior: Disconnect if a remote Remote Desktop Services session

  2. Configure and start Smart Card Removal Policy service.

    Control Panel > System and Security > Administrative Tools > Services

    Smart Card Removal Policy: Automatic (Delayed Start)

Note 1: It is important to set "Automatic (Delayed Start)", not just "Automatic"

Note 2: The service is not active by default; click the "Start the service" link in the upper left corner

[Screenshot: Services]
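
The settings from sections 1.2, 1.3 and 1.4 can be verified on the terminal server with a read-only audit. This is an added example, not part of the WWPass documentation: the registry value names and the SCPolicySvc service key are assumed to be the standard Windows locations behind these policies, the -WWPassHandlesRemoval switch is hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: read-only audit of the settings from sections 1.2, 1.3 and 1.4.
# Registry value names and the SCPolicySvc key are assumptions (standard Windows
# locations for these policies); they are not given on this page.
param([switch]$WWPassHandlesRemoval)  # hypothetical: WWPass Dashboard controls removal (1.4.1)

$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\SCPolicySvc'
$cp  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent (setting never configured)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$checks = @(
    @{ Setting = 'Require Smart Card: Enabled';            Key = $sys; ValueName = 'scforceoption';           Want = '1' },
    @{ Setting = 'Do not display last user name: Enabled'; Key = $sys; ValueName = 'DontDisplayLastUserName'; Want = '1' },
    @{ Setting = 'Locked session: no user information';    Key = $sys; ValueName = 'DontDisplayLockedUserId'; Want = '3' }
)
if ($WWPassHandlesRemoval) {
    # 1.4.1: WWPass handles removal, so the Windows policy must be "No Action"
    $checks += @{ Setting = 'Removal behavior: No Action'; Key = $wl; ValueName = 'ScRemoveOption'; Want = '0' }
} else {
    # 1.4.2: Windows handles removal; the service must be Automatic (Delayed Start)
    $checks += @{ Setting = 'Removal behavior: Disconnect (RDS)';   Key = $wl;  ValueName = 'ScRemoveOption';   Want = '3' }
    $checks += @{ Setting = 'Smart Card Removal Policy: Automatic'; Key = $svc; ValueName = 'Start';            Want = '2' }
    $checks += @{ Setting = 'Smart Card Removal Policy: Delayed';   Key = $svc; ValueName = 'DelayedAutostart'; Want = '1' }
}

$checks | ForEach-Object {
    $actual = Get-RegValue $_.Key $_.ValueName
    [pscustomobject]@{ Setting = $_.Setting; Actual = $actual; OK = ("$actual" -eq $_.Want) }
} | Format-Table -AutoSize

# 1.3: list installed credential providers and which ones the policy excludes
$excluded = @("$(Get-RegValue $sys 'ExcludedCredentialProviders')" -split ',' |
    ForEach-Object { $_.Trim() } | Where-Object { $_ })
Get-ChildItem -Path $cp | ForEach-Object {
    [pscustomobject]@{
        CLSID    = $_.PSChildName
        Provider = $_.GetValue('')   # the key's default value holds the provider name
        Excluded = $excluded -contains $_.PSChildName
    }
} | Format-Table -AutoSize

# The page requires curly braces around each CLSID; flag entries that lack them
$excluded | Where-Object { $_ -notmatch '^\{[0-9a-fA-F-]{36}\}$' } |
    ForEach-Object { Write-Warning "Malformed excluded CLSID: $_" }
```

Run it from an elevated prompt on the terminal server. A row with an empty Actual column means the value was never set.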

2. RDP client configuration

RDP clients redirect smart card readers to Remote Desktops, so it is not necessary to install the WWPass Security Pack on the user's computer or thin client terminal.

In order to improve user experience it is recommended to disable NLA (Network Level Authentication) on client side.

2.1. Windows Remote Desktop Connection

Compatibility: Windows 7 and 8.1

Create RDP configuration file:

To create the configuration file, start "Remote Desktop Connection" (mstsc.exe), fill in the Remote Desktop server IP, click the "Show Options" button and set the other required parameters. Then click the "Save As" button and save the file.

[Screenshot: Remote Desktop Connection]

To disable NLA, add the following line to the RDP configuration file:

enablecredsspsupport:i:0

(see e.g. http://serverfault.com/questions/392759/remote-desktop-without-nla )

Good practice might be to prepare and distribute this RDP configuration file.

When stored on the desktop, the file starts a preconfigured RDP connection:

[Screenshot: Desktop]

2.2. HP Thin Client t520 with ThinPro 5.2 Operating System

HP ThinPro is based on a Debian/Ubuntu Linux distribution and runs its own build of FreeRDP as the RDP client. Due to a known bug in FreeRDP, smart card functionality is not perfectly reliable. Sometimes it is necessary to disconnect the smart card and reconnect it for the certificates to be read properly.

Create new RDP Connection

Open RDP Connection Manager dialog

Network tab:

define

  • Connection name
  • RDP server name or address

and check Allow Smart Card

Advanced tab, "Login dialog Options":

check

  • "Remember me"

uncheck

  • "Show username field"
  • "Show password field"
  • "Show domain field"

HINT: if the Remote Desktop background is corrupted on the HP display, go to Connection Manager > Experience and uncheck "Desktop background"

Customize display background:

  1. Using ssh (scp), copy the desired image to the /writable/misc/desktop directory
  2. In Control Panel, select Setup > Background Manager
  3. Go to root > background > desktop > ImagePath
  4. Set the desired image file

Switch to Zero Client mode:

Open Control Panel, select Setup > Customization Center and press a button at the top of the dialog

2.3. Linux rdesktop

http://www.rdesktop.org/, version 1.8.3; tested on Ubuntu 14.04

compile without libcredssp

run:

./rdesktop -r scard <rdp_server> -g 90%

2.4. Linux FreeRDP

http://www.freerdp.com/, version 1.2.4; tested on Ubuntu 14.04

Due to a known bug in FreeRDP, smart card functionality is not perfectly reliable. Sometimes it is necessary to disconnect the smart card and reconnect it for the certificates to be read properly.

compile:

cmake -DWITH_PCSC=ON -DWITH_SSE2=ON

run:

./xfreerdp -sec-nla /smartcard /v:<rdp_server> /size:90%

3. How to re-enable username/password access

If you need to enable login/password access again, do not forget the following settings:

Run secpol.msc:

C:\Windows\System32\secpol.msc

Security Settings > Local Policies > Security Options
Interactive Logon: Require Smart Card: Disabled
Interactive Logon: Smart Card removal behavior: No Action

Open Group Policy editor

C:\Windows\System32\gpedit.msc

and follow the tree to

Computer Configuration > Administrative Templates > System > Logon
Exclude Credential Providers

Click the "Disabled" radio button in the "Exclude Credential Providers" dialog