Smartcard logon over Terminal Services ( RDP redirection )

In a recent post I outlined a number of ‘challenges’ to implementing smartcards.

I also asked about people who were hitting slow logons after implementing smartcards. Well I had a few responses as well as some interest in how RDP redirection works in general.

When a user logs on to a machine via smartcards there is a complex interaction between, the client, the terminal server, the domain controller and the CRL retrieval points.

Additional complexity may be added if they use an OCSP client\responder.

From a pure PKI perspective, the DC needs to validate and perform any necessary CRL retrievals for the smartcard certificate, and the client needs to mutually authenticate the Domain Controller certificate.

In addition, there are checks on specific certificates issued to the Active Directory as well as the underlying Kerberos authentication and account checks against the UPN of the user to the data contained in the certificate.

Redirection

When the client chooses to redirect the calls from the Terminal Server, it becomes much more complex.

At this point any calls that the CSP makes to the smartcard functions will take longer due to the roundtrip needed to the client ( however near or far that may be )

 This will introduce natural delay for those CSP’s which are not optimized for this scenario ( i.e make many calls to the various smartcard functions in Winscard.dll.

Details on the call from the TS perspective

CSP calls the smartcard API’s in winscard.dll, winscard determines if the reader is remote. If it is remote the call is passed to scredir.dll which will hand off to the RDP driver in order to send it over to the client.

Details on the call from the Client perspective

MSTSC.EXE receives the inbound call from the Server side. It hands this call to Winscard.dll on the client and from there determines it needs to talk to the actual smartcard device.

In order to talk to the smartcard device, it will utilize a private communications channel to scardsvr.exe

Scardsvr.exe will coordinate the communications to the smartcard driver via IOCTLS sent via DeviceIoControl. Once the HW device handles the call via the driver from the vendor – it will send its response back up the stack and over the same network connections previously used.

Now that the background is laid, here is how the problem surfaced. Users logon at home or from a hotel ( let’s say Washington ) VPN to the nearest point – let’s say Denver, and then try to TS to a client in Florida.

You can imagine some delay would be introduced, however it was taking 4-7 minutes to logon ( and sometimes it would simply never logon ) when they used smartcards to TS to the Florida server in this scenario.

There is no logging in this area so we had to instrument scredir.dll a bit in order to determine where the latency was. We did this on the server side, so we knew when the client hit the server and the server needed to ask for data from the client.

It turned out that there were large delays, so we turned to the client. From the client’s perspective, we finally narrowed it down to a delay in the CSP. We contacted the CSP vendor and when they got a fix, logon times went to about 10 seconds!

With this story , and my last post – you can see that it is imperative that you do your homework and TEST TEST TEST before choosing a vendor.

Spatdsg

Comments

• Anonymous
  April 05, 2007
  The comment has been removed

• Anonymous
  April 07, 2007
  For some related policiesconfig around the new CertPropSvc in Vista - see Shivaram's blog here: http://blogs.msdn.com/shivaram/archive/2007/02/26/smart-card-related-group-policy-settings-in-vista.aspx However, it doesnt take care of the removal events to cleanup the SC certs (it does roots "Clean up certificates on smart card removal" ) You can also use SCardGetStatusChange to do any store cleanup if you wanted to. spat

• Anonymous
  April 08, 2007
  https://msdn2.microsoft.com/en-us/library/ms801382.aspx IOCTL_SMARTCARD_IS_PRESENT

• Anonymous
  April 11, 2007
  The comment has been removed

• Anonymous
  April 22, 2007
  Best way to handle this would probably be via an NT service, which could get session change notifications from the service control manager.  You'd have to spin up one thread per user session, due to the nature of SCardGetStatusChange.   Note that the proper way to cancel the GetStatusChange wait is via SCardCancel.

• Anonymous
  July 10, 2007
  It seems I do spend a fair bit of time with smartcards lately, but I have some other interesting posts

• Anonymous
  December 19, 2007
  How does WinScard determines if reader is remote or not? Could you please elborate on it. Thanks.

• Anonymous
  January 04, 2008
  this is really an internal implementation - what are your goals here? Perhaps we can address it more directly?

• Anonymous
  January 08, 2008
  Actually, I would like to understand how Winscard & scredir works. I did small test using Process Explorer, if smart card reader is available (no matter if remote or locally) and you open RDP client, RDP client load both dll's i.e. WinScard.dll & Scredir.dll. Does this means that these two dll's works independently? becuase if Winscard is actually detect if smartcard is remote and then calls scredir.dll then why Scredir.dll is loaded even if smartcard is local.

• Anonymous
  January 09, 2008
  They work together ( in XP2k3 ) in Vista they were merged into winscard.dll if I recall. Anyway - we basically query the current session to see if it is a remote session - if it is, we then set some flags in the SCARDCONTEXT which is querieed when the SCard function is called - like SCardReconnect -- it will then redirect the call thru scredir if the remote flag was set in the context.

• Anonymous
  March 26, 2008
  Hi, is it possible to access a smartcard reader that is physically connected to a 2K3 server within a RDP session? If I disable smartcard redirection within the client I expected, that I can access the smartcard readers connected to the server, but instead a call to SCardEstablishContext fails.

• Anonymous
  March 31, 2008
  I do not believe this is possible

• Anonymous
  June 23, 2008
  Hi I am so happy to have found this blog...enormous help in understanding SC with TS. I am a newbie to this so please need some help. I have a 2K3 server with Terminal Server and about to load Gemalto drivers on it. My clients are however Win 2000 (yes!! - may move to Vista later this year). The company has deployed successfully SmartCard and now wants that when users who access TS need to have their SmartCard redirection. Any help or tips.? Another engineer who worked on this tested but said it took a long long time to authenticate and so gave up effort. But this is being revisted and The version of Reflex 2.0 PCMCIA. Are there any prior art on specific CSP related issues that could cause this time delays? thanks in advance. /Sid

• Anonymous
  June 24, 2008
  Hi, Is it possible to detect whether the user has logged in through a smart card or not,within a DLL which is meant for capturing the logon notifications , through the ISensLogon implementation route?

• Anonymous
  June 24, 2008
  First to Sid.. The best I can give you is to test yourself, and make sure that you are on the latest CSP version from your vendor. Legally, I dont think I can officially recommend a specific vendor, as it can come back as "microsoft said use X left us out" or some such nonsense. I'm sorry.. spat

• Anonymous
  July 07, 2008
  I have a VDI  issue reproducable were u can log on to a Remote desktop session to XP with a smart card and remove it and the session locks etc as many times as you like, if you log off and log back on u can again log on with a smart card but the smart card removal isnt recognised. If you reboot the VDI XP session the same behaviour repeats. this happens with rdp 5 and 6.

• Anonymous
  July 07, 2008
  what smartcard vendor are you using ?

• Anonymous
  July 07, 2008
  This problem is the same with GemPlus and Active Identity and regardless of the type of terminal you use, its the same on Pc's to VDI or Wyse and HP terminals to VDI, after log off and log back on the card removal is nor recognised, even though the card management software sees the card and see  it being removed

• Anonymous
  August 26, 2008
  Hi Spat, what are changes done for Smartcard in terminal server Windows 2008? and how it works with W2K8. Thanks.

• Anonymous
  August 27, 2008
  not a lot new that I can think of - maybe if you are looking for something specific I can help? We got rid of scredir.dll .. We move to rpc calls for smartcard service calls. Specific to TS and smartcards?

• Anonymous
  September 09, 2008
  Hi Spat We want to authenticate on terminal servers (in HQ) using smartcard from a branch office which is connected by a 4Mbps WAN link with a network latency of 250ms. Log on process lasts up 4 minutes. We're using WinXpSp2, w2k3 terminal server (rdp/ica) with Axalto v2c cards and ActivIdentity CSP. Do you have any hints to speed up authentication? thanks in advance cheers Marc

• Anonymous
  September 21, 2008
  Hi Spat, Thanks for the info. I am looking for changes specific to Smartcard on TS?

• Anonymous
  October 06, 2008
  This is for Rob Crellin,   Did you get any resolution to your issue where the smartcard removal is not recognized.  We are having teh exact same issue using terminal connection to VDI using smartcards. Thanks

• Anonymous
  October 21, 2008
  Hi, I have a problem with a Vista client with a smartcard reader that's needed to authenticate to an application that can only be accessed via RDP. The RDP logon is plain Windows user authentication. Then the user starts the application but after the PIN code is typed in, we get the message "card is not in the reader". The smartcard option is switched on on the localrsources of the client side. Thanks in advance!

• Anonymous
  October 21, 2008
  Here is an easy test.. when you RDP to the server , and the smartcard is in the reader, does a PIN prompt for logon come up? I realize you use standard userpassword to logon - but if the PIN prompt never even shows on the logon page, there is a good chance that the driver or something isnt installed right. spat

• Anonymous
  November 19, 2008
  Spat, When we RDP to the server we get the "The card supplied requires drivers that are not present on this system. Please try another card" error. We're using a Gemalto card. Do I need to install the third part software on the server or can I download the Base CSP (KB909520)? Thanks, Leon

• Anonymous
  November 22, 2008
  Depends on the cards- if the ISV wrote a card module - then yest it needs to be installed. Sounds like a possible driver issue - does it all work OK locally?

• Anonymous
  December 16, 2008
  I found this URL, what I am trying to do which I don't think will be possible is to have a PKCS11 Library over a RDP session.  For various reasons we login via RDP to a W2K3 terminal server with username and password.  Then I would like to consume on the Terminal Server the PKCS11 Token that is inserted into my desktop machine.  I have a working PKCS DLL and can interface into it on the local machine, but what "generic" DLL would I use on the terminal server that would then proxy those requests onto my local workstation. Don't think this can be done somehow.  The scredir and wincard come up as a non-pkcs11 library.

• Anonymous
  February 24, 2009
  Hello, I'm skybird and I need your help. I develped a program, it is client-service model. The service monitors and accessed the smart card and client communicates with the service. It is perfectly running on the local machine. But when I install it in server and RDP to server from client, the problems show. The smart card is in client and my program is in server. The service can not monitor and access the smart card in client. Would you please help me ?

• Anonymous
  April 08, 2009
  Hello, I have a USB CCID combined reader that holds both a smart card reader and a biometric fingerprint sensor. The biometric device is accessed via SCardControl. On Vista(i.e. server side running vista, client can be vista or xp) the MS usbccid.sys driver is used and I can use both smartcard and fingerprint in a remote session(either using RDP or ICA/Citrix, both are ok). However, on XP (local session) the version of usbccid.sys(5.2.3790.2444) was not good enough (could not access bio-part via SCardControl) and our company developed its own ccid-driver. Now, when trying to use our reader in a remote session where the server is running XP I get a problem. I can either access the smart card funtionality (when reader is 'smart card redirected') or the biometric functionality  (when reader is USB redirected(3rd part product from FabulaTech in my RDP-session, and build-in usb-redirection in ICA) but not both at the same time. My guess is that problem origins from redirection and driver usage. Been surfing around a bit to understand how things work togeather but don't have 100% clear picture. Is there any hint you can give on this problem? Regards Håkan Eriksson

• Anonymous
  April 28, 2009
  Håkan Wow - not sure where to start on this one. The client is XP - what is the third party product you mention for USB redirection? It sounds like it is not standard scredir redirection is this correct?

• Anonymous
  April 28, 2009
  Hi Spat, The third party product is this one: http://www.fabulatech.com/usb-for-remote-desktop.html I don't know how it's implemented but it seems that once I allow it to redirect my USB-reader the local system does not recognize that I have a smart card reader plugged in anymore. So, as you guess, scredir is probably not involved. However, when using the standard scredir redirection - do you know if redirection of SCardControl calls should work? Thanx /Håkan

• Anonymous
  June 24, 2009
  I'm trying to figure out how Windows logs bad PIN entries and Card lockout entries. I need to be able to log the username of those users who attempt to logon with bad PINs or the username of a user who locks out his smartcard due to multiple bad PINs.  I have ActivClient with Windows 2008 TS.  I get an event 4673 when the user tries to logon but uses a bad PIN.  THe details of the event don't provide me the user name.  Is there a way to configure my system get this info?

• Anonymous
  June 27, 2009
  I don't believe so - unless ActiveClient has a method. But think of it like this - the cert is simply using a PIN for private key access, the logon process needs that before we can even get to a logon event.

• Anonymous
  July 19, 2009
  I am getting an issue with Smart card redirection via Terminal Session: Below is what I tried:

1. Client: Windows 7 (RC) or Windows Server 2003 SP2   S/C with SafeSign IdentityClient
2. Server: Windows server 2008 Termial Services. Certificate in the Smart card is in the IE certificate store(IE in the terminal session). The IdentityClient can browse certificates in the S/C But, certificate is not in the MY store of the terminal session. I do not use smart card logon. Just want to redirect it to the terminal session. (it works if the server is a windows server 2003 system).

• Anonymous
  July 25, 2009
  So you want the smartcard certificate to be propagated to the terminal server store? Is the certificate propagation service running? Some smart cards have their own propagation methods as well - does yours? spat

• Anonymous
  August 18, 2009
  dear all. i'm deploying Virtual Desktop Infracture in my customer, we use APP-V to push the application to VDI. The case come, the application need to be authenticate with Finger Print (Acer Finger Print), when the thin client pc RDP to the VDI, the application cannot detect the finger print authentication... FYI we user RDP version 6.0. any suggest? thanks, and best Regards, Arwan

• Anonymous
  September 01, 2009
  I got the same message when I loggenon with TS. Some users worked fine. I fixed the problem by deleting the GTB2WIN.INI file. Hope it helps. Best regards, Wietze

• Anonymous
  September 01, 2009
  Oops, forgot to mention that my problem was with Fortis MoneyManager, and the fix only works for this program.

• Anonymous
  January 21, 2010
  The comment has been removed

• Anonymous
  July 30, 2010
  The comment has been removed

• Anonymous
  August 02, 2010
  The comment has been removed

• Anonymous
  August 04, 2010
  Hi Steve, thanks for your informative post! I have some question regarding smart card support over Terminal Services hope you could help me. Now i'm working at RDP client application(like mstsc) that should communicate with Windows Terminal Server over RDP protocol and stuck with support of smart card removal functionality. I am interesting in SCardGetStatusChange client-side implementation. The project is written in Java so it cann't use standard SCardGetStatusChange method from Winscard.dll (JNI not allowed) so some own client-side implementation should be created. Looks like there are several rules of processing GetStatusChange requests that were passed over RDP Smart card redirection channel  (e.g. for some requests responses are sent right away, another ones should be sent after smart card insertionejection) So, what i'm asking you could you please point me to some specification ([MS-RDPESC] doesn't specify this) that could explain how correctly handle such requests? Thanks in advance!

• Anonymous
  December 14, 2010
  The comment has been removed

• Anonymous
  August 30, 2011
  So.. how did you get your Smart card logon down to 10 seconds?  Ours takes 2 minutes sometimes.

• Anonymous
  February 24, 2013
  will SCardListCards somehow call SCardListReaders in itself? In a RDP session, traces indicate that SCardListCards sometimes calls into SCardListReaders, and it specifies the hContext as 0xCD00000100000000(on a 64bit machine), even this context was never established or used by any previous SCard calls. This makes our code fail. Can anyone confirm my observation? Does the hContext value 0xCD00000100000000 have a special meaning?