Hello!
I realize that Remote Desktop Manager supports smart card pass-thru, but I'm hoping to find an RDP client for Mac OS X that supports native smart card authentication to a Windows host via RDP. Is this a feature that can be considered for implementation by the devs?
Thanks in advance!
- Ethan
Edit: Forgot to mention that I'm using a Yubikey 4: https://support.yubico.com/support/solutions/articles/15000006486-yubikey-4
Thanks again!
Hi Ethan,
I'll see if we can set up an RDP server with a Yubikey smart card. This will need investigation though, I'm not entirely sure of the feasibility of it.
Best regards,
Xavier Fortin
Hi Ethan,
We've just had a small conversation about this in the office. Smart card support in FreeRDP is something quite hard to develop and maintain. That being said, if you could provide a bit more information on the setup of your RDP server, this could help us in the long run.
Such as the server version? Does it enforce Kerberos? Do you connect with a domain user? Do you connect through an RD Gateway? All information pertaining to the smart card setup on the server (such as any middleware)? Or any other information you'd deem relevant.
Best regards,
Xavier Fortin
Hi Xavier,
Sure! Happy to provide some additional details.
I'm remotely connecting to a Server 2016 machine, although I'll probably be moving to Server 2019 in the near future - I'm not currently utilizing the Windows Server semi-annual channel. Kerberos is enforced, and I'm not connecting via an RD Gateway, or using any middleware for the implementation. The goal is to enable the "Smart card required for interactive login" setting for this particular AD user account.
The smart card contains a certificate that's used for PIV authentication (Certificate Slot 9a) and associated with a domain user account - you can find more details on Yubico's certificate implementation for the Yubikey 4 here: https://developers.yubico.com/PIV/Introduction/Certificate_slots.html
I do have a work-around for the time being, but it's a bit cumbersome and it would definitely be helpful to have the direct smart card authentication.
Thanks for the prompt reply!
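An added example, not from this thread and not Devolutions or FreeRDP code: a PowerShell check of the server-side pieces Ethan describes (the "Smart card required for interactive logon" flag on the AD account and the PIV certificate from slot 9a that maps to it). It assumes the RSAT ActiveDirectory module on a domain-joined Windows host; the account name and certificate path are placeholders.

```powershell
# Added example (not from the thread): verify that an AD account enforces
# smart card logon and that an exported PIV certificate is usable for it.
# Assumes the ActiveDirectory module; account name and cert path are placeholders.
param(
    [string]$SamAccountName = 'smartcard.user',    # placeholder AD account
    [string]$CertPath       = '.\piv-slot-9a.cer'  # placeholder cert exported from slot 9a
)

Import-Module ActiveDirectory

# The "Smart card is required for interactive logon" checkbox sets the
# ADS_UF_SMARTCARD_REQUIRED bit (0x40000) in userAccountControl.
$ADS_UF_SMARTCARD_REQUIRED = 0x40000

$user = Get-ADUser -Identity $SamAccountName -Properties userAccountControl, userPrincipalName
$flagSet = ($user.userAccountControl -band $ADS_UF_SMARTCARD_REQUIRED) -ne 0

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# Windows smart card logon expects the Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2)
# and/or Client Authentication (1.3.6.1.5.5.7.3.2) on the certificate.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @()
if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
$hasSmartCardLogonEku = $ekus -contains '1.3.6.1.4.1.311.20.2.2'
$hasClientAuthEku     = $ekus -contains '1.3.6.1.5.5.7.3.2'

# The account mapping is carried as a UPN in the Subject Alternative Name
# (otherName OID 1.3.6.1.4.1.311.20.2.3); Format($true) renders it on Windows
# as "Principal Name=user@domain".
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
$certUpn = if ($sanText -match 'Principal Name=([^\r\n]+)') { $Matches[1].Trim() } else { $null }
$upnMatches = [bool]($certUpn -and ($certUpn -ieq $user.userPrincipalName))

# One row summarising what would stop a PIV logon to this account.
[pscustomobject]@{
    Account            = $user.SamAccountName
    SmartCardRequired  = $flagSet
    SmartCardLogonEku  = $hasSmartCardLogonEku
    ClientAuthEku      = $hasClientAuthEku
    CertificateUpn     = $certUpn
    UpnMatchesAccount  = $upnMatches
    CertExpires        = $cert.NotAfter
}
```

Run it on a domain-joined host with RSAT: `.\Check-PivLogon.ps1 -SamAccountName <user> -CertPath <exported 9a cert>`. A `False` in any column explains a logon failure that otherwise looks like a client-side smart card problem, and is worth checking before assuming the macOS client is at fault.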
Hi Ethan,
Can you tell me what kind of configuration is required on the remote desktop server to get smartcard authentication to work? It's been years since I last tried it, but back then additional software from the smartcard vendor (the middleware) had to be installed on the remote desktop server. This piece of software was the one doing the smartcard API calls from the server to the client with the actual smartcard (the yubikey in your case).
The fact that the RD Gateway is not used simplifies things, but we would have to check the current status of Kerberos support.
As for configuring the smartcards, I assume your flow was to configure the Enterprise CA role, generate a client certificate for your user, export the certificate from the certificate store and then use whatever tool yubikey provides to import it on the yubikey in certificate slot 9a? That's how I remember it, feel free to point me to a different procedure.
Best regards,
Marc-André Moreau
Hi!
I'll do my best to provide additional details from my understanding as the "not security engineer" in our organization!
By default, the server (VMWare ESXI 6.1 / Server 2016 Guest OS) uses a native smart card driver that allows authentication, but that sometimes gets touchy and requires the PIN to be keyed in twice when authenticating. Installing the Yubikey 4 mini driver (https://www.yubico.com/products/services-software/download/smart-card-drivers-tools/) will resolve the issue with the PIN prompting twice, but other than that, no middleware is required to allow the smart card auth, to the best of my knowledge.
Does that help? Let me know if you'd like me to inquire on some additional details with the fellow who did the configuration and implementation.
Thanks again!
Did you ever get this working? I am trying to get this exact thing set up. We use Yubikey 5s for PIV smartcard authentication. It works great in RDM on Windows, but on macOS I can't get it to even prompt for the smartcard and I don't see a place where you can tell it the reader number or the device name. Any new development on this?
Hi skyflyt86
I'll start with some background - RDP connectivity in RDM macOS is provided by FreeRDP (an open-source RDP implementation separate from Microsoft's own), so it doesn't support the full feature set of Microsoft's own client (and some stuff might work differently). Historically, smart card support in FreeRDP is somewhat flaky (the API is very platform-specific and hard to implement on non-Windows) - things often break and regress, and it's hard to reproduce and troubleshoot issues due to all the different setups out there.
That said, I do have a report currently of a user successfully logging in with their Yubikey which gives me confidence that this could work for you. Just to confirm - you want to use the Smartcard to login to the remote host? Or you're expecting the smartcard to be forwarded and usable inside the remote session?
It would be helpful to see a session log. After ensuring you have Smartcard redirection enabled in the connection settings:
It's best if you can send the log file by PM or to support@devolutions.net.
The upcoming 2022.1.x release of RDM for macOS also includes a number of fixes for Smartcard support; so it's possible that whatever issue is occurring could already be fixed. But let's start with a session log and see if something is obviously wrong...
Thanks and kind regards,
Richard Markievicz
Hi Richard Markievicz,
I am trying to get smart card auth to work from macOS Big Sur to Win 10 (domain client connection, Win 2019 AD server). You mentioned "I do have a report currently of a user successfully logging in with their Yubikey". Can you share more details on this? Is it with some kind of workaround or using a different client?
Thanks and Regards,
Prashanth
Hello prashups
I do recall this, but I can't seem to find the relevant ticket right now in our internal system. I don't think there was any special setup involved, and this was using an embedded RDP connection in RDM Mac.
If you're having trouble making this work, generally I'd respond with the same caveats and questions as in my prior post:
Do you want to use the Smartcard to login to the remote host? Or you're expecting the smartcard to be forwarded and usable inside the remote session?
It would be helpful to see a session log.
After ensuring you have Smartcard redirection enabled in the connection settings:
It's best if you can send the log file by PM or to service@devolutions.net.
Let me know if something is not clear or you have other questions!
Kind regards,
Richard Markievicz