Smartcard logon over Terminal Services (RDP redirection)


In a recent post I outlined a number of 'challenges' to implementing smartcards.

I also asked to hear from people who were hitting slow logons after implementing smartcards. I had a few responses, as well as some interest in how RDP smartcard redirection works in general.


When a user logs on to a machine with a smartcard there is a complex interaction between the client, the terminal server, the domain controller and the CRL distribution points.

Additional complexity is added if an OCSP client/responder is in use.


From a pure PKI perspective, the DC needs to validate the smartcard certificate, including any CRL retrievals that requires, and the client needs to validate the Domain Controller's certificate in turn (the Kerberos PKINIT exchange authenticates both sides).

In addition, there are checks on the specific certificate issued to the domain controller, the underlying Kerberos authentication, and the account mapping that matches the UPN in the user's certificate to the account in Active Directory.
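
As an added example (not code from the original post), here is a PowerShell check a practitioner can run to see how much of the logon delay is revocation checking: it builds the chain for a certificate with online CRL/OCSP retrieval forced, times it, and lists the CRL distribution points the chain walked. Run it on the DC against the user's smartcard certificate and on the client against the DC's certificate. The certificate selection (first certificate in CurrentUser\My unless you pass a thumbprint) and the 15-second URL timeout are assumptions.

```powershell
# Added example, not from the original post. Times X509 chain building with
# revocation checking forced online, which is what the DC has to do for the
# smartcard certificate and the client for the DC certificate.
# Assumptions: first certificate in CurrentUser\My is used unless a thumbprint
# is given; 15 s per URL fetch is the timeout.
param(
    [string] $Thumbprint
)

if (-not $Thumbprint) {
    $Thumbprint = (Get-ChildItem Cert:\CurrentUser\My | Select-Object -First 1).Thumbprint
}
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint '$Thumbprint' in CurrentUser\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'       # force CRL/OCSP retrieval, no cache-only shortcut
$chain.ChainPolicy.RevocationFlag = 'EntireChain'  # every certificate in the chain, not just the leaf
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

$sw = [System.Diagnostics.Stopwatch]::StartNew()
$valid = $chain.Build($cert)
$sw.Stop()

'{0}: chain build for "{1}" took {2} ms' -f ($(if ($valid) { 'VALID' } else { 'INVALID' }), $cert.Subject, $sw.ElapsedMilliseconds)
foreach ($s in $chain.ChainStatus) {
    '  {0}: {1}' -f $s.Status, $s.StatusInformation.Trim()   # e.g. RevocationStatusUnknown, OfflineRevocation
}

# Every CRL distribution point on the chain is a network fetch the DC (or client) must complete.
foreach ($el in $chain.ChainElements) {
    $cdp = $el.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # id-ce-cRLDistributionPoints
    if ($cdp) {
        '  {0}' -f $el.Certificate.Subject
        '    CDP: {0}' -f $cdp.Format($false).Trim()
    }
}
```

A slow build with a RevocationStatusUnknown or OfflineRevocation status points at an unreachable or slow CDP rather than at the smartcard path. `certutil -urlfetch -verify <cert.cer>` gives the same information per URL from the command line.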


 


Redirection


When the client redirects its smartcard reader into the Terminal Server session, the picture becomes much more complex.

At this point every call the CSP makes into the smartcard functions takes longer, because each one needs a round trip to the client (however near or far that may be).

This introduces a natural delay for CSPs that are not optimized for this scenario, i.e. those that make many calls to the various smartcard functions in Winscard.dll. The delay scales with the number of calls multiplied by the round-trip time, not with the amount of data moved, so a chatty CSP that is fine on the LAN can become unusable over a WAN.


Details on the call from the TS perspective

The CSP calls the smartcard APIs in winscard.dll. Winscard determines whether the reader is remote; if it is, the call is passed to scredir.dll, which hands it off to the RDP driver in order to send it over to the client.


Details on the call from the client perspective

MSTSC.EXE receives the inbound call from the server side. It hands the call to Winscard.dll on the client, which determines that it needs to talk to the actual smartcard device.

In order to talk to the smartcard device, it uses a private communications channel to scardsvr.exe.

Scardsvr.exe coordinates the communication with the smartcard driver via IOCTLs sent with DeviceIoControl. Once the hardware has handled the call via the vendor's driver, the response travels back up the stack and over the same network connection that carried the request.
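
As an added example (not code from the original post), the following PowerShell script times the individual winscard.dll calls a CSP typically makes, from inside whatever session it runs in, and first reports whether that session is remote (GetSystemMetrics(SM_REMOTESESSION), the public equivalent of the per-session check winscard performs). Run it on the console of a machine with the reader for a baseline, then inside the RDP session with the reader redirected: the difference per call is the round trip described above, and multiplying it by the number of calls a CSP makes gives the delay to expect. The reader chosen (the first one listed) and the presence of a card in it are assumptions; the P/Invoke declarations cover only the handful of calls timed here.

```powershell
# Added example, not from the original post. Times a handful of winscard.dll calls
# so the per-call round trip of smartcard redirection can be measured directly.
# Assumptions: the first listed reader is used and a card is inserted in it.
Add-Type -Namespace Sc -Name Native -MemberDefinition @'
    [DllImport("user32.dll")]   public static extern int GetSystemMetrics(int nIndex);
    [DllImport("winscard.dll")] public static extern int SCardEstablishContext(uint dwScope, IntPtr r1, IntPtr r2, out IntPtr phContext);
    [DllImport("winscard.dll", CharSet = CharSet.Unicode)]
    public static extern int SCardListReaders(IntPtr hContext, string mszGroups, byte[] mszReaders, ref uint pcchReaders);
    [DllImport("winscard.dll", CharSet = CharSet.Unicode)]
    public static extern int SCardConnect(IntPtr hContext, string szReader, uint dwShareMode, uint dwPreferredProtocols, out IntPtr phCard, out uint pdwActiveProtocol);
    [DllImport("winscard.dll")] public static extern int SCardBeginTransaction(IntPtr hCard);
    [DllImport("winscard.dll")] public static extern int SCardEndTransaction(IntPtr hCard, uint dwDisposition);
    [DllImport("winscard.dll")] public static extern int SCardDisconnect(IntPtr hCard, uint dwDisposition);
    [DllImport("winscard.dll")] public static extern int SCardReleaseContext(IntPtr hContext);
'@

$SM_REMOTESESSION = 0x1000
'Remote session: {0}   (SESSIONNAME={1})' -f ([Sc.Native]::GetSystemMetrics($SM_REMOTESESSION) -ne 0), $env:SESSIONNAME

$results = @()
function Record([string] $Name, [System.Diagnostics.Stopwatch] $Sw, [int] $Rc) {
    $Sw.Stop()
    $script:results += [pscustomobject]@{ Call = $Name; Ms = $Sw.ElapsedMilliseconds; Rc = '0x{0:X8}' -f $Rc }
    if ($Rc -ne 0) { throw ('{0} failed with 0x{1:X8}' -f $Name, $Rc) }
}

$ctx = [IntPtr]::Zero
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$rc = [Sc.Native]::SCardEstablishContext(2, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$ctx)   # SCARD_SCOPE_SYSTEM
Record 'SCardEstablishContext' $sw $rc

$len = [uint32]0
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$rc = [Sc.Native]::SCardListReaders($ctx, $null, $null, [ref]$len)   # size query: a round trip by itself
Record 'SCardListReaders(size)' $sw $rc
$buf = New-Object byte[] ($len * 2)                                   # pcchReaders counts WCHARs
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$rc = [Sc.Native]::SCardListReaders($ctx, $null, $buf, [ref]$len)
Record 'SCardListReaders(data)' $sw $rc
$readers = [Text.Encoding]::Unicode.GetString($buf).Split("`0") | Where-Object { $_ -ne '' }
$reader = $readers | Select-Object -First 1
"Using reader: $reader"

$card = [IntPtr]::Zero; $proto = [uint32]0
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$rc = [Sc.Native]::SCardConnect($ctx, $reader, 2, 3, [ref]$card, [ref]$proto)   # SCARD_SHARE_SHARED, T0|T1
Record 'SCardConnect' $sw $rc

# Begin/EndTransaction move no data, so their cost is almost pure round trip.
foreach ($i in 1..3) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $rc = [Sc.Native]::SCardBeginTransaction($card); Record "SCardBeginTransaction#$i" $sw $rc
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $rc = [Sc.Native]::SCardEndTransaction($card, 0); Record "SCardEndTransaction#$i" $sw $rc   # SCARD_LEAVE_CARD
}

[void][Sc.Native]::SCardDisconnect($card, 0)
[void][Sc.Native]::SCardReleaseContext($ctx)

$results | Format-Table -AutoSize
$total = ($results | Measure-Object Ms -Sum).Sum
'{0} calls, {1} ms total, {2:N1} ms per call' -f $results.Count, $total, ($total / $results.Count)
```

If the per-call figure inside the session is close to the network round-trip time, redirection itself is behaving and the remaining question is how many such calls the CSP makes during logon; if it is far larger, the delay is on the client side of the channel, which is where the CSP fix in the story below was found.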


 


 


Now that the background is laid, here is how the problem surfaced. Users logged on at home or from a hotel (let's say Washington), VPNed to the nearest point (let's say Denver), and then tried to TS to a server in Florida.

You can imagine that some delay would be introduced; however, it was taking 4-7 minutes to log on (and sometimes the logon simply never completed) when they used smartcards to TS to the Florida server in this scenario.

There is no logging in this area, so we had to instrument scredir.dll a bit in order to determine where the latency was. We did this on the server side, so we knew when the client hit the server and when the server needed to ask the client for data.

It turned out that there were large delays between the server's requests and the client's replies, so we turned to the client. From the client's perspective, we finally narrowed it down to a delay in the CSP. We contacted the CSP vendor, and once they provided a fix, logon times dropped to about 10 seconds.

With this story, and my last post, you can see that it is imperative that you do your homework and TEST TEST TEST before choosing a vendor. Test with the actual client, network path and CSP version your users will have, not just on the LAN.


Spatdsg

Comments (46)

  1. kert says:

    Hey, I see you are pretty knowledgeable in MS smart card topics, and Win security internals in general.

    I'm dealing with the same issues pretty often myself; I have written a CSP for a national smart card, a Vista card module alpha rev for the same card, done a "fake" winlogon-capable CSP, a custom full GINA implementation and various related bits and pieces.

    There is one thing that is very poorly documented, the automatic SC certificate propagation (it used to be the SCCertProp winlogon notification package and is now a separate service in Vista). Are there any docs on how to configure that? My main concern is to remove the certs when the smart card is removed.

    I have also tried to get my Winlogon notification DLL, an ISensLogon-inherited class and WMI events to get notifications on smart card removal, but none of them have worked for SC events; I can catch other events like logon and stuff fine.

    So it would be nice if anyone could shed some light on this; asking in newsgroups has resulted in nothing so far.

    Just as a reference, one really funny thing that I have tried is to get Win2K Smartcard PKI to interoperate with a Heimdal Kerberos domain (using custom-made certificates and all that) so that a Win2K desktop machine could log onto the Heimdal domain, but we were ultimately stalled on an issue where some bit or piece of protocol simply had a byte or two wrong, and it didn't work out.

  2. SpatDSG says:

    For some related policies/config around the new CertPropSvc in Vista, see Shivaram's blog here: http://blogs.msdn.com/shivaram/archive/2007/02/26/smart-card-related-group-policy-settings-in-vista.aspx

    However, it doesn't take care of the removal events to clean up the SC certs (it does roots: "Clean up certificates on smart card removal").

    You can also use SCardGetStatusChange to do any store cleanup if you wanted to.

    spat

  3. kert says:

    "You can also use SCardGetStatusChange"

    Yes, I know, but SCardGetStatusChange needs to have a separate thread running... under which process?

    I could launch it from a winlogon notification package, but these are deprecated under Vista.

    Also SCardGetStatusChange has one drawback: it does not take a synchronization parameter that would cancel the wait (either a signal, mutex, semaphore or something), so I have two options:

    1) do SCardGetStatusChange with a short timeout and loop while checking for quit condition

    2) kill the thread forcibly when quit is needed

    Neither is a very clean approach. I utilize the 1st in a CSP that I have developed and it results in registry access in each loop, i.e. unneeded system load.

  4. Dan Griffin says:

    Best way to handle this would probably be via an NT service, which could get session change notifications from the service control manager. You'd have to spin up one thread per user session, due to the nature of SCardGetStatusChange.

    Note that the proper way to cancel the GetStatusChange wait is via SCardCancel.
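
As an added example (not code from the original post or from either commenter), here is the pattern Dan describes, in PowerShell with the P/Invoke plumbing in an embedded C# type: one thread blocks in SCardGetStatusChange with an infinite timeout watching a single reader for the card to go away, and the calling thread cancels that wait with SCardCancel on the same SCARDCONTEXT if nothing happens within a chosen window, instead of polling with short timeouts or killing the thread. The reader name is an assumption (take a real one from SCardListReaders); the 15-second window is arbitrary. A service doing this for real would run one such waiter per session, as Dan notes.

```powershell
# Added example, not from the original post or the commenters. Shows cancelling a
# blocking SCardGetStatusChange wait with SCardCancel from another thread.
# Assumptions: $Reader names a reader that currently holds a card; $WindowMs is arbitrary.
param([string] $Reader = 'Assumed Reader Name 0', [int] $WindowMs = 15000)

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Threading.Tasks;

public static class ScWait
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct SCARD_READERSTATE
    {
        public string szReader;
        public IntPtr pvUserData;
        public uint   dwCurrentState;
        public uint   dwEventState;
        public uint   cbAtr;
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 36)] public byte[] rgbAtr;
    }

    public const uint SCARD_STATE_UNAWARE = 0x0000;
    public const uint SCARD_STATE_CHANGED = 0x0002;
    public const uint SCARD_STATE_PRESENT = 0x0020;
    public const int  SCARD_E_CANCELLED   = unchecked((int)0x80100002);
    public const uint INFINITE            = 0xFFFFFFFF;

    [DllImport("winscard.dll")] public static extern int SCardEstablishContext(uint dwScope, IntPtr r1, IntPtr r2, out IntPtr phContext);
    [DllImport("winscard.dll")] public static extern int SCardReleaseContext(IntPtr hContext);
    [DllImport("winscard.dll")] public static extern int SCardCancel(IntPtr hContext);
    [DllImport("winscard.dll", CharSet = CharSet.Unicode)]
    public static extern int SCardGetStatusChange(IntPtr hContext, uint dwTimeout, [In, Out] SCARD_READERSTATE[] rgReaderStates, uint cReaders);

    public class WaitResult { public int Rc; public bool Removed; }

    // Blocks until the card leaves the reader, or until SCardCancel is called on ctx
    // from another thread (then Rc == SCARD_E_CANCELLED).
    public static WaitResult WaitForRemoval(IntPtr ctx, string reader)
    {
        var r  = new WaitResult();
        var rs = new SCARD_READERSTATE[1];
        rs[0].szReader = reader;
        rs[0].dwCurrentState = SCARD_STATE_UNAWARE;        // first call just reports the current state
        r.Rc = SCardGetStatusChange(ctx, 0, rs, 1);
        while (r.Rc == 0)
        {
            if ((rs[0].dwEventState & SCARD_STATE_PRESENT) == 0) { r.Removed = true; break; }
            rs[0].dwCurrentState = rs[0].dwEventState & ~SCARD_STATE_CHANGED;   // acknowledge, then block
            r.Rc = SCardGetStatusChange(ctx, INFINITE, rs, 1);
        }
        return r;
    }

    // Runs the wait on its own thread, since SCardGetStatusChange blocks the thread it is called on.
    public static Task<WaitResult> BeginWait(IntPtr ctx, string reader)
    {
        return Task.Factory.StartNew(() => WaitForRemoval(ctx, reader), TaskCreationOptions.LongRunning);
    }
}
'@

$ctx = [IntPtr]::Zero
$rc = [ScWait]::SCardEstablishContext(2, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$ctx)   # SCARD_SCOPE_SYSTEM
if ($rc -ne 0) { throw ('SCardEstablishContext failed: 0x{0:X8}' -f $rc) }

$task = [ScWait]::BeginWait($ctx, $Reader)
'Waiting {0} ms for the card in "{1}" to be removed...' -f $WindowMs, $Reader
if (-not $task.Wait($WindowMs)) {
    'Nothing happened; cancelling the wait with SCardCancel from this thread.'
    [void][ScWait]::SCardCancel($ctx)
    $task.Wait()                                   # returns promptly once the waiter sees SCARD_E_CANCELLED
}

$r = $task.Result
if ($r.Rc -eq 0 -and $r.Removed) {
    'Card is no longer in the reader; this is where cleanup of the propagated certificates would go.'
} elseif ($r.Rc -eq [ScWait]::SCARD_E_CANCELLED) {
    'Wait cancelled cleanly (SCARD_E_CANCELLED); the waiter thread exited on its own.'
} else {
    'SCardGetStatusChange failed: 0x{0:X8}' -f $r.Rc
}

[void][ScWait]::SCardReleaseContext($ctx)
```

Pull the card during the window to see the removal path; leave it in to see the cancellation path. The cancel works because SCardCancel acts on the resource-manager context, so it needs the same SCARDCONTEXT the waiter is blocked on, not a new one.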

  5. It seems I do spend a fair bit of time with smartcards lately, but I have some other interesting posts

  6. Lalit says:

    How does WinScard determine if a reader is remote or not? Could you please elaborate on it.

    Thanks.

  7. SpatDSG says:

    this is really an internal implementation – what are your goals here?

    Perhaps we can address it more directly?

  8. Lalit says:

    Actually, I would like to understand how Winscard & scredir work.

    I did a small test using Process Explorer: if a smart card reader is available (no matter if remote or local) and you open the RDP client, the RDP client loads both DLLs, i.e. WinScard.dll & Scredir.dll.

    Does this mean that these two DLLs work independently? Because if Winscard actually detects if the smartcard is remote and then calls scredir.dll, then why is Scredir.dll loaded even if the smartcard is local?

  9. SpatDSG says:

    They work together (in XP/2k3); in Vista they were merged into winscard.dll if I recall.

    Anyway, we basically query the current session to see if it is a remote session. If it is, we then set some flags in the SCARDCONTEXT which are queried when the SCard function is called, like SCardReconnect; it will then redirect the call through scredir if the remote flag was set in the context.

  10. Kalle says:

    Hi, is it possible to access a smartcard reader that is physically connected to a 2K3 server within an RDP session? If I disable smartcard redirection within the client I expected that I could access the smartcard readers connected to the server, but instead a call to SCardEstablishContext fails.

  11. SpatDSG says:

    I do not believe this is possible

  12. Sid B says:

    Hi

    I am so happy to have found this blog…enormous help in understanding SC with TS.

    I am a newbie to this so please need some help.

    I have a 2K3 server with Terminal Server and am about to load Gemalto drivers on it. My clients are however Win 2000 (yes!! – may move to Vista later this year). The company has deployed SmartCard successfully and now wants users who access TS to have their SmartCard redirected. Any help or tips? Another engineer who worked on this tested but said it took a long, long time to authenticate and so gave up the effort. But this is being revisited. The version is Reflex 2.0 PCMCIA. Is there any prior art on specific CSP-related issues that could cause these time delays?

    thanks in advance.

    /Sid

  13. Novice says:

    Hi,

    Is it possible to detect whether the user has logged in through a smart card or not, within a DLL which is meant for capturing the logon notifications, through the ISensLogon implementation route?

  14. SpatDSG says:

    First to Sid..

    The best I can give you is to test yourself, and make sure that you are on the latest CSP version from your vendor. Legally, I don't think I can officially recommend a specific vendor, as it can come back as "Microsoft said use X, left us out" or some such nonsense.

    I’m sorry..

    spat

  15. rob Crellin says:

    I have a VDI issue, reproducible, where you can log on to a Remote Desktop session to XP with a smart card and remove it and the session locks etc. as many times as you like; if you log off and log back on you can again log on with a smart card but the smart card removal isn't recognised. If you reboot the VDI XP session the same behaviour repeats. This happens with RDP 5 and 6.

  16. Smitty says:

    What smartcard vendor are you using?

  17. rob crellin says:

    This problem is the same with GemPlus and ActivIdentity and regardless of the type of terminal you use; it's the same on PCs to VDI or Wyse and HP terminals to VDI. After log off and log back on the card removal is not recognised, even though the card management software sees the card and sees it being removed.

  18. Lalit Kaushal says:

    Hi Spat, what changes were done for Smartcard in Terminal Server Windows 2008? And how does it work with W2K8? Thanks.

  19. SpatDSG says:

    Not a lot new that I can think of; maybe if you are looking for something specific I can help?

    We got rid of scredir.dll...

    We moved to RPC calls for smartcard service calls.

    Specific to TS and smartcards?

  20. Marc says:

    Hi Spat

    We want to authenticate on terminal servers (in HQ) using smartcards from a branch office which is connected by a 4Mbps WAN link with a network latency of 250ms. The logon process lasts up to 4 minutes. We're using WinXP SP2, W2K3 terminal server (RDP/ICA) with Axalto v2c cards and ActivIdentity CSP. Do you have any hints to speed up authentication?

    thanks in advance

    cheers

    Marc

  21. Lalit Kaushal says:

    Hi Spat, thanks for the info. I am looking for changes specific to Smartcard on TS.

  22. D. Krebs says:

    This is for Rob Crellin,

      Did you get any resolution to your issue where the smartcard removal is not recognized? We are having the exact same issue using a terminal connection to VDI using smartcards.

    Thanks

  23. Rick says:

    Hi, I have a problem with a Vista client with a smartcard reader that's needed to authenticate to an application that can only be accessed via RDP. The RDP logon is plain Windows user authentication. Then the user starts the application, but after the PIN code is typed in we get the message "card is not in the reader".

    The smartcard option is switched on in the local resources of the client side. Thanks in advance!

  24. SpatDSG says:

    Here is an easy test: when you RDP to the server, and the smartcard is in the reader, does a PIN prompt for logon come up?

    I realize you use standard user/password to logon, but if the PIN prompt never even shows on the logon page, there is a good chance that the driver or something isn't installed right.

    spat

  25. Leon says:

    Spat,

    When we RDP to the server we get the "The card supplied requires drivers that are not present on this system. Please try another card" error.

    We're using a Gemalto card. Do I need to install the third-party software on the server or can I download the Base CSP (KB909520)?

    Thanks, Leon

  26. SpatDSG says:

    Depends on the card: if the ISV wrote a card module, then yes, it needs to be installed. Sounds like a possible driver issue; does it all work OK locally?

  27. Peter L says:

    I found this URL; what I am trying to do, which I don't think will be possible, is to have a PKCS11 library over an RDP session. For various reasons we log in via RDP to a W2K3 terminal server with username and password. Then I would like to consume on the Terminal Server the PKCS11 token that is inserted into my desktop machine. I have a working PKCS DLL and can interface with it on the local machine, but what "generic" DLL would I use on the terminal server that would then proxy those requests onto my local workstation?

    Don't think this can be done somehow. The scredir and winscard come up as a non-PKCS11 library.

  28. skybird says:

    Hello, I’m skybird and I need your help.

    I developed a program; it is a client-service model. The service monitors and accesses the smart card and the client communicates with the service. It runs perfectly on the local machine. But when I install it on the server and RDP to the server from the client, the problems show.

    The smart card is in the client and my program is on the server. The service cannot monitor and access the smart card in the client. Would you please help me?

  29. Håkan Eriksson says:

    Hello,

    I have a USB CCID combined reader that holds both a smart card reader and a biometric fingerprint sensor. The biometric device is accessed via SCardControl. On Vista (i.e. server side running Vista; the client can be Vista or XP) the MS usbccid.sys driver is used and I can use both smartcard and fingerprint in a remote session (either using RDP or ICA/Citrix; both are ok).

    However, on XP (local session) the version of usbccid.sys (5.2.3790.2444) was not good enough (could not access the bio part via SCardControl) and our company developed its own CCID driver.

    Now, when trying to use our reader in a remote session where the server is running XP I get a problem. I can either access the smart card functionality (when the reader is 'smart card redirected') or the biometric functionality (when the reader is USB redirected: a 3rd-party product from FabulaTech in my RDP session, and built-in USB redirection in ICA) but not both at the same time.

    My guess is that the problem originates from redirection and driver usage. Been surfing around a bit to understand how things work together but don't have a 100% clear picture. Is there any hint you can give on this problem?

    Regards

    Håkan Eriksson

  30. SpatDSG says:

    Håkan

    Wow, not sure where to start on this one. The client is XP; what is the third-party product you mention for USB redirection? It sounds like it is not standard scredir redirection, is this correct?

  31. Håkan says:

    Hi Spat,

    The third party product is this one: http://www.fabulatech.com/usb-for-remote-desktop.html

    I don't know how it's implemented, but it seems that once I allow it to redirect my USB reader the local system does not recognize that I have a smart card reader plugged in anymore. So, as you guess, scredir is probably not involved.

    However, when using the standard scredir redirection, do you know if redirection of SCardControl calls should work?

    Thanx

    /Håkan

  32. Paul Tarricone says:

    I'm trying to figure out how Windows logs bad PIN entries and card lockout entries. I need to be able to log the username of those users who attempt to logon with bad PINs or the username of a user who locks out his smartcard due to multiple bad PINs. I have ActivClient with Windows 2008 TS. I get an event 4673 when the user tries to logon but uses a bad PIN. The details of the event don't provide me the user name. Is there a way to configure my system to get this info?

  33. SpatDSG says:

    I don't believe so, unless ActivClient has a method. But think of it like this: the cert is simply using a PIN for private key access; the logon process needs that before we can even get to a logon event.

  34. Nguyen Trung Thanh says:

    I am getting an issue with Smart card redirection via Terminal Session:

    Below is what I tried:

    1. Client: Windows 7 (RC) or Windows Server 2003 SP2

      S/C with SafeSign IdentityClient

    2. Server: Windows Server 2008 Terminal Services.

    Certificate in the Smart card is in the IE certificate store(IE in the terminal session).

    The IdentityClient can browse certificates in the S/C

    But, certificate is not in the MY store of the terminal session.

    I do not use smart card logon. Just want to redirect it to the terminal session. (it works if the server is a windows server 2003 system).

  35. SpatDSG says:

    So you want the smartcard certificate to be propagated to the terminal server store? Is the certificate propagation service running? Some smart cards have their own propagation methods as well – does yours?

    spat

  36. Arwan says:

    dear all.

    I'm deploying Virtual Desktop Infrastructure at my customer; we use App-V to push the application to VDI. The case is: the application needs to authenticate with a fingerprint (Acer Finger Print); when the thin client PC RDPs to the VDI, the application cannot detect the fingerprint authentication... FYI we use RDP version 6.0.

    any suggest?

    thanks, and best Regards,

    Arwan

  37. Wietze Strik says:

    I got the same message when I logged on with TS. Some users worked fine. I fixed the problem by deleting the GTB2WIN.INI file.

    Hope it helps.

    Best regards, Wietze

  38. Wietze Strik says:

    Oops, forgot to mention that my problem was with Fortis MoneyManager, and the fix only works for this program.

  39. BJ says:

    Hi Steve,

    I know there haven’t been many updates to this page lately, but hopefully people are still reading.

    I am seeing a weird issue with smart cards over Citrix/TS on Windows 2008. The servers are 2008 SP2 64-bit with XenApp 5. The clients are custom-built thin clients with XP SP3 and integrated EZUSB smart card readers.

    Due to restrictions beyond my control, I’m forced to use the Program Neighborhood to login (as opposed to PNAgent, Web interface, or something more scalable). We’re logging into a desktop.

    Most of the time, this works fine – the Windows login screen on the XenApp server pops up, the user clicks the "Insert smart card" icon, puts in his PIN, and logs in. However, sometimes the "Insert smart card" icon doesn’t show up – only the "Other User" icon shows up (which allows them to login with username/password if they have one). Our users have to disconnect and reconnect, and usually the "Insert smart card" icon comes back.

    Has anyone ever seen this behavior in TS? It’s as if, on some logins, it doesn’t detect the fact that the client has a smart card reader. I’m at a loss how to best troubleshoot this issue and was hoping someone here might be able to suggest something.

    Also, is there any way to get rid of the "Other User" icon when users login via Citrix/TS so that it defaults to the "Insert smart card" icon?

    Thanks!

    BJ

  40. Jason says:

    I have the same issue as BJ. Smartcard randomly disappears. Also need to remove the "Other User" icon.

  41. SpatDSG says:

    I'm not too familiar with the Citrix side of things; I assume they still use ICA? Does this happen at all with the standard RDP redirection? I know it is random so this may be hard to test. Unfortunately there is no logging in these components that I am aware of.

  42. Vasyl says:

    Hi Steve, thanks for your informative post!

    I have some question regarding smart card support over Terminal Services hope you could help me.

    Now I'm working on an RDP client application (like mstsc) that should communicate with Windows Terminal Server over the RDP protocol and am stuck with support of the smart card removal functionality.

    I am interested in the SCardGetStatusChange client-side implementation. The project is written in Java so it can't use the standard SCardGetStatusChange method from Winscard.dll (JNI not allowed), so some own client-side implementation should be created.

    Looks like there are several rules for processing GetStatusChange requests that were passed over the RDP smart card redirection channel (e.g. for some requests responses are sent right away, others should be sent after smart card insertion/ejection).

    So, what I'm asking: could you please point me to some specification ([MS-RDPESC] doesn't specify this) that could explain how to correctly handle such requests?

    Thanks in advance!

  43. Hugo says:

    Hi Jason and BJ,

    Did you find a solution for the sometimes not-visible icon?

    Thank you!

  44. Rob says:

    So... how did you get your smart card logon down to 10 seconds? Ours takes 2 minutes sometimes.

  45. xin says:

    Will SCardListCards somehow call SCardListReaders in itself?

    In an RDP session, traces indicate that SCardListCards sometimes calls into SCardListReaders, and it specifies the hContext as 0xCD00000100000000 (on a 64-bit machine), even though this context was never established or used by any previous SCard calls. This makes our code fail.

    Can anyone confirm my observation? Does the hContext value 0xCD00000100000000 have a special meaning?