RDC and Custom Credential Providers

Issue:

You have your own custom credential provider (CP) for multifactor authentication (biometric, password, smart card, and so on), and you use Remote Desktop Connection (RDC) to connect to a Windows Vista machine that has this custom CP installed. The issue is that you have to log on twice for the remote session.

In a nutshell, you get a double logon when authenticating over RDP with a custom credential provider. This behavior is by design. You do not get a double logon when using the Microsoft built-in credential providers, i.e. password and smart card.

Reason:

Terminal Services does not support remote authentication with arbitrary credential types. Only username/password or smart card credentials from the built-in Microsoft credential providers can be authenticated remotely.

Before Microsoft introduced Network Level Authentication (NLA), any malicious user could attempt multiple connections to a terminal server, and each connection attempt consumed significant resources on the server. This attack could potentially exhaust the server's resources, at which point legitimate users could no longer connect. With NLA, you must authenticate before the terminal server commits those resources. NLA also cannot handle third-party CPs, so if NLA is enabled, custom CPs cannot be used with it; this too is intended.

If the user connected with a non-Microsoft credential provider, the terminal server prompts for credentials again, so you enter them twice. If NLA is not enabled, the user is still connected even though an unsupported credential provider was used on the client before the connection; you are left at the logon screen, where you can use any credential provider that is supported for local authentication. There is no way to avoid the two authentications when using unsupported credential providers.
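The two behaviors above hinge on whether NLA is required on the target machine. The following PowerShell script is an added example, not code from the original post or from the Windows SDK team, that audits that setting so an administrator can tell in advance whether remote sessions will be protected by NLA (and therefore limited to the built-in password and smart card providers). It reads the `UserAuthentication` value of the RDP-Tcp listener and the corresponding Group Policy override; the function name `Get-RdpNlaStatus` is ours.

```powershell
# Added example (not from the original post): report whether Network Level
# Authentication is required for RDP on the local machine. Run elevated.

function Get-RdpNlaStatus {
    # Per-listener setting (what the System Properties > Remote tab toggles).
    $listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    # Group Policy "Require user authentication for remote connections by using
    # Network Level Authentication" writes the same value name here and wins.
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    $listener = Get-ItemProperty -Path $listenerKey -ErrorAction SilentlyContinue
    $policy   = Get-ItemProperty -Path $policyKey   -ErrorAction SilentlyContinue

    $policySet = ($null -ne $policy) -and ($null -ne $policy.UserAuthentication)
    $effective = if ($policySet) { $policy.UserAuthentication } else { $listener.UserAuthentication }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        NlaRequired      = ($effective -eq 1)
        SetByGroupPolicy = $policySet
        # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS
        SecurityLayer    = $listener.SecurityLayer
    }
}

$status = Get-RdpNlaStatus
$status | Format-List

if (-not $status.NlaRequired) {
    Write-Warning 'NLA is not required: the server commits session resources before the user is authenticated.'
    Write-Warning 'Enabling NLA closes that gap, but custom credential providers then cannot be used for the remote logon.'
}
```

To turn NLA on without the GUI, the built-in WMI class exposes the same switch: `(Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").SetUserAuthenticationRequired(1)`. Whichever way it is set, expect the double-logon behavior described above for any non-Microsoft credential provider.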

Having said that, if you have your own credential provider and you make a remote desktop connection to a Vista box that has this credential provider, you need to log in twice. This is expected behavior, it is by design, and there is no legitimate way to avoid it.

Sandeep Sharma

Windows SDK - Microsoft