This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.

Smart card redirection logic and WinSCard API are combined to support multiple redirected sessions into a single process.

Smart card support is required to enable many Remote Desktop Services scenarios:

- Using Fast User Switching or Remote Desktop Services. A user is not able to establish a redirected smart card-based remote desktop connection. That is, the connect attempt is not successful in Fast User Switching or from a Remote Desktop Services session.
- Enabling Encrypting File System (EFS) to locate the user's smart card reader from the Local Security Authority (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS is not able to locate the smart card reader or certificate, EFS cannot decrypt user files.

In a Remote Desktop scenario, a user is using a remote server for running services, and the smart card is local to the computer that the user is using. In a smart card sign-in scenario, the smart card service on the remote server redirects to the smart card reader that is connected to the local computer where the user is trying to sign in.

1. This scenario is a remote sign-in session on a computer with Remote Desktop Services. In the remote session (labeled as "Client session"), the user runs `net use /smartcard`.
2. Arrows represent the flow of the PIN after the user types the PIN at the command prompt until it reaches the user's smart card in a smart card reader that is connected to the Remote Desktop Connection (RDC) client computer.
3. The authentication is performed by the LSA in session 0.
4. The CryptoAPI processing is performed in the LSA (Lsass.exe). This is possible because the RDP redirector (rdpdr.sys) allows per-session, rather than per-process, context.
5. The WinScard and SCRedir components, which were separate modules in operating systems earlier than Windows Vista, are now included in one module. The ScHelper library is a CryptoAPI wrapper that is specific to the Kerberos protocol.
6. The redirection decision is made on a per smart card context basis, based on the session of the thread that performs the SCardEstablishContext call.
7. Changes to the WinSCard.dll implementation were made in Windows Vista to improve smart card redirection.

## RD Session Host server single sign-in experience

As a part of the Common Criteria compliance, the RDC client must be configurable to use Credential Manager to acquire and save the user's password or smart card PIN. Common Criteria compliance requires specifically that the password or PIN never leave the LSA unencrypted. A distributed scenario should allow the password or PIN to travel between one trusted LSA and another, and it cannot be unencrypted during transit.

When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services sessions, users still need to sign in for every new Remote Desktop Services session. However, the user is not prompted for a PIN more than once to establish a Remote Desktop Services session. For example, after the user double-clicks a Microsoft Word document icon that resides on a remote computer, the user is prompted to enter a PIN. This PIN is sent by using a secure channel that the credential SSP has established. The PIN is routed back to the RDC client over the secure channel and sent to Winlogon. The user does not receive any additional prompts for the PIN, unless the PIN is incorrect or there are smart card-related failures.

## Remote Desktop Services and smart card sign-in

Remote Desktop Services enables users to sign in with a smart card by entering a PIN on the RDC client computer and sending it to the RD Session Host server in a manner similar to authentication that is based on user name and password.

Common Criteria compliance requires that applications not have direct access to the user's password or PIN.
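To verify from inside a session which readers its smart card context actually sees (the per-session redirection decision made at SCardEstablishContext time, described in the notes above), here is an added PowerShell example that is not part of the Microsoft documentation. It calls the Win32 WinSCard functions SCardEstablishContext, SCardListReaders and SCardReleaseContext through P/Invoke; the class name ScContext and the function name Get-SessionSmartCardReaders are my own.

```powershell
# Added example (not from the Microsoft documentation): list the smart card readers visible
# to the calling session. Run inside an RDC session to confirm the client's reader is redirected.
$src = @'
using System;
using System.Runtime.InteropServices;
public static class ScContext
{
    public const uint SCARD_SCOPE_USER = 0;                       // winscard.h
    public const uint SCARD_S_SUCCESS = 0;
    public const uint SCARD_E_NO_READERS_AVAILABLE = 0x8010002E;  // winerror.h
    [DllImport("winscard.dll")]
    public static extern uint SCardEstablishContext(uint dwScope, IntPtr pvReserved1, IntPtr pvReserved2, out IntPtr phContext);
    [DllImport("winscard.dll", CharSet = CharSet.Unicode, EntryPoint = "SCardListReadersW")]
    public static extern uint SCardListReaders(IntPtr hContext, IntPtr mszGroups, byte[] mszReaders, ref uint pcchReaders);
    [DllImport("winscard.dll")]
    public static extern uint SCardReleaseContext(IntPtr hContext);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ProcessIdToSessionId(uint dwProcessId, out uint pSessionId);
}
'@
if (-not ('ScContext' -as [type])) { Add-Type -TypeDefinition $src }

function Get-SessionSmartCardReaders {
    # The session of the thread that calls SCardEstablishContext is what rdpdr.sys uses
    # to decide whether this context is redirected to the reader on the RDC client.
    [uint32]$sessionId = 0
    [void][ScContext]::ProcessIdToSessionId([uint32]$PID, [ref]$sessionId)
    [IntPtr]$ctx = [IntPtr]::Zero
    $rc = [ScContext]::SCardEstablishContext([ScContext]::SCARD_SCOPE_USER, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$ctx)
    if ($rc -ne [ScContext]::SCARD_S_SUCCESS) { throw ("SCardEstablishContext failed: 0x{0:X8}" -f $rc) }
    try {
        $readers = @()
        [uint32]$chars = 0
        # First call with a null buffer (mszGroups = NULL lists all readers) returns the required length.
        $rc = [ScContext]::SCardListReaders($ctx, [IntPtr]::Zero, $null, [ref]$chars)
        if ($rc -eq [ScContext]::SCARD_S_SUCCESS) {
            $buf = New-Object byte[] ($chars * 2)
            $rc = [ScContext]::SCardListReaders($ctx, [IntPtr]::Zero, $buf, [ref]$chars)
            if ($rc -ne [ScContext]::SCARD_S_SUCCESS) { throw ("SCardListReaders failed: 0x{0:X8}" -f $rc) }
            # The result is a multi-string: NUL-separated reader names ending in a double NUL.
            $readers = @([Text.Encoding]::Unicode.GetString($buf).TrimEnd([char]0).Split([char]0) | Where-Object { $_ })
        } elseif ($rc -ne [ScContext]::SCARD_E_NO_READERS_AVAILABLE) {
            throw ("SCardListReaders failed: 0x{0:X8}" -f $rc)
        }
    } finally { [void][ScContext]::SCardReleaseContext($ctx) }
    [pscustomobject]@{ SessionId = $sessionId; Readers = $readers }
}

Get-SessionSmartCardReaders
```

Run it once on the console session and once inside the RDC session: the second run should report a different SessionId and the reader attached to the RDC client, while an empty Readers list in the remote session points to the redirection failure that blocks the EFS scenario above.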