Forum / Remote Desktop Manager Mac - Feature Request

Smart Card Authentication Support


Hello!

I realize that Remote Desktop Manager supports smart card pass-thru, but I'm hoping to find an RDP client for Mac OS X that supports native smart card authentication to a Windows host via RDP. Is this a feature that can be considered for implementation by the devs?

Thanks in advance!

- Ethan


Edit: Forgot to mention that I'm using a Yubikey 4: https://support.yubico.com/support/solutions/articles/15000006486-yubikey-4

Thanks again!



Hi Ethan,

I'll see if we can set up an RDP server with a Yubikey smart card. This will need investigation though, I'm not entirely sure of the feasibility of it.

Best regards,

Xavier Fortin



Hi Ethan,

We've just had a small conversation about this in the office. Smart card support in FreeRDP is something quite hard to develop and maintain. That being said, if you could provide a bit more information on the setup of your RDP server, this could help us in the long run.

Such as the server version? Does it enforce Kerberos? Do you connect with a domain user? Do you connect through an RD Gateway? All information pertaining to the smart card setup on the server (such as any middleware)? Or any other information you'd deem relevant.


Best regards,

Xavier Fortin


Hi Xavier,

Sure! Happy to provide some additional details.

I'm remotely connecting to a Server 2016 machine, although I'll probably be moving to Server 2019 in the near future - I'm not currently utilizing the Windows Server semi-annual channel. Kerberos is enforced, and I'm not connecting via an RD Gateway, or using any middleware for the implementation. The goal is to enable the "Smart card required for interactive login" setting for this particular AD user account.

The smart card contains a certificate that's used for PIV authentication (Certificate Slot 9a) and associated with a domain user account - you can find more details on Yubico's certificate implementation for the Yubikey 4 here: https://developers.yubico.com/PIV/Introduction/Certificate_slots.html

I do have a work-around for the time being, but it's a bit cumbersome and it would definitely be helpful to have the direct smart card authentication.

Thanks for the prompt reply!



Hi Ethan,

Can you tell me what kind of configuration is required on the remote desktop server to get smartcard authentication to work? It's been years since I last tried it, but back then additional software from the smartcard vendor (the middleware) had to be installed on the remote desktop server. This piece of software was the one doing the smartcard API calls from the server to the client with the actual smartcard (the yubikey in your case).

The fact that the RD Gateway is not used simplifies things, but we would have to check the current status of Kerberos support.

As for configuring the smartcards, I assume your flow was to configure the Enterprise CA role, generate a client certificate for your user, export the certificate from the certificate store and then use whatever tool yubikey provides to import it on the yubikey in certificate slot 9a? That's how I remember it, feel free to point me to a different procedure.

Best regards,

Marc-André Moreau


Hi!

I'll do my best to provide additional details from my understanding as the "not security engineer" in our organization!

By default, the server (VMWare ESXI 6.1 / Server 2016 Guest OS) uses a native smart card driver that allows authentication, but that sometimes gets touchy and requires the PIN to be keyed in twice when authenticating. Installing the Yubikey 4 mini driver (https://www.yubico.com/products/services-software/download/smart-card-drivers-tools/) will resolve the issue with the PIN prompting twice, but other than that, no middleware is required to allow the smart card auth, to the best of my knowledge.

Does that help? Let me know if you'd like me to inquire on some additional details with the fellow who did the configuration and implementation.

Thanks again!

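For anyone reproducing the server-side setup Marc-André asks about, the following script is an added example (not from this thread, and not Devolutions' or Yubico's code) that checks the two things the thread mentions: the "Smart card is required for interactive logon" flag on the AD account, and whether the certificate loaded into PIV slot 9a carries the EKUs and UPN that Windows needs to map the card to the domain user. It assumes the ActiveDirectory RSAT module is installed and that the Enterprise CA published the user's certificate to the `userCertificate` attribute.

```powershell
# Added example: check the server-side prerequisites for smart card logon
# of one AD user. Assumes the ActiveDirectory module (RSAT) is installed and
# that the enrolling CA published the certificate to the user's AD object.
param(
    [Parameter(Mandatory = $true)]
    [string] $SamAccountName
)

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties SmartcardLogonRequired, UserPrincipalName, userCertificate

# The "Smart card is required for interactive logon" account option
if ($user.SmartcardLogonRequired) {
    Write-Host "OK: smart card is required for interactive logon of $SamAccountName"
} else {
    Write-Warning "SmartcardLogonRequired is NOT set for $SamAccountName; password logon still works"
}

# EKUs Windows expects on a smart card logon certificate
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'

if (-not $user.userCertificate) {
    Write-Warning "no certificate published in AD for $SamAccountName (check the CA template's 'Publish certificate in Active Directory' option)"
}

foreach ($raw in $user.userCertificate) {
    # Unary comma keeps the byte[] as a single constructor argument
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    $ekus = @()
    $san  = ''
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus = $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
        if ($ext.Oid.Value -eq '2.5.29.17') {   # subjectAltName
            $san = $ext.Format($false)
        }
    }
    Write-Host "Certificate: $($cert.Subject) (expires $($cert.NotAfter))"
    if ($ekus -notcontains $SmartCardLogonEku) { Write-Warning '  missing Smart Card Logon EKU' }
    if ($ekus -notcontains $ClientAuthEku)     { Write-Warning '  missing Client Authentication EKU' }
    # The SAN must carry the account UPN so the KDC can map the card to the user
    if ($san -notmatch [regex]::Escape($user.UserPrincipalName)) { Write-Warning "  SAN does not contain UPN $($user.UserPrincipalName)" }
    # The chain must build on the server; the issuing CA must also be in NTAuth (certutil -viewstore -enterprise NTAuth)
    if (-not $cert.Verify()) { Write-Warning '  certificate chain does not validate on this host' }
}
```

Run it on the Server 2016 host (or any domain-joined machine with RSAT) as `.\Check-SmartCardLogon.ps1 -SamAccountName ethan`; a warning-free run means the account and certificate side are in order, so a remaining logon failure points at the client or the card driver rather than AD.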