Hello! I installed your application (Android) only because of the feature of forwarding smart cards to RDP sessions. But when I try to connect to a server with smart card authentication, the server does not see any smart cards. The server is based on Windows Server 2022 Standard. It runs a certification center and clients connect using USB tokens (smart cards).
Hello
I can't say whether there is an Android-specific issue here, but I can give some background information. Is NLA / Kerberos enforced in your environment?
The embedded RDP component in RDM (non-Windows platforms) is FreeRDP, which has only recently added support for smart card authentication over NLA. We're working to integrate that into our products at the moment, but it's a complex task and not likely to be completed until later this year (we're aiming for 2024.3.x on macOS and hopefully can address Android in the same timeframe - you're not the first user to ask about this).
The only workaround in the meantime is to disable the NLA / Kerberos requirement, use RDP Enhanced Security (TLS Authentication) and forward the smart card to the server. You'll connect to WinLogon and be able to supply your smart card PIN there. Since not enforcing NLA is a significant security downgrade, I can't realistically recommend that unless you're totally blocked on this.
Please let me know if you have any questions or if anything isn't clear.
Thanks and kind regards
Richard Markievicz
Thank you for the quick answer! We don't use NLA authentication on the server, and I disable NLA in the client before connecting. When I connect to the server, there is no “connection settings” menu item in Windows Logon, where the smart card should be. But perhaps I didn't provide enough details.
We use smart cards from one of the local vendors, which provides an Android driver for its smart cards. The smart card is visible in Android only when this driver (application) is installed and running. After launching the driver application, we switch to a custom client, based on FreeRDP but modified, and then the smart card is forwarded to Windows Logon. But the fact is, this client is very inconvenient, and yours is much better...
It may be that your client does not want to communicate with the smart card driver. It is clear that you are not required to support working with third-party software. However, if this is not the case, I would like smart card forwarding to work in your client, since these functions are not available in any Android client on the Google Play Market...
Hello again
Thanks for the update!
Ok, so broadly it sounds like this should work, or can be made to work. The embedded RDP engine in RDM Android is FreeRDP. To move forward with an analysis of this, I'd need more details: what is the specific smart card / vendor, and where does the custom client come from (what is it? is it provided by the smart card vendor?)
Can you send me that information? If you don't want to include it on the public forum, you could send me a PM or an email to rmarkiewicz [at] devolutions.net.
Please let me know if you have any further questions.
Thanks and kind regards,
Richard Markievicz
I replied by email, thanks for the feedback!
Hello
Thanks for your email, I'm replying here for transparency but I'll keep the details vague.
I'm not surprised that you would look for alternatives to the vendor supplied RDP client; it is based on an ancient version of FreeRDP and missing many features and bug fixes.
There is glue code in their client that presents one or two interfaces (I believe for selecting the reader or possibly the credential to use). When you use the custom client, are you presented with any UI associated with the smart card? Or it "just works" without extra interactions?
Thanks and kind regards,
Richard Markievicz
Hello! No, the client did not work out of the box; the following settings were required to make it work. It was like a weird dance with tambourines, but in the end it worked. If I remember correctly, for some reason the operation of the smart card is affected by the "3G Settings" checkbox...
P.S.: I hope the screenshots loaded correctly
WhatsApp Image 2024-06-13 at 18.23.40_367652aa.jpg
WhatsApp Image 2024-06-13 at 18.23.39_b6e79be8.jpg
Hello again
Unfortunately I don't see the screenshots, can you send them to me by email?
Thanks and kind regards,
Richard Markievicz
I sent the screenshots, and I would like to add that the sequence of actions after setting up the custom client is as follows: first, connect the smart card and launch the proprietary driver application, which “recognizes” the smart card. After that, it is minimized and the custom client is launched with the settings shown in my screenshots.
Hello again
Ok, so I took a detailed look at all the information you've sent me.
The vendor SDK ships a custom PCSC (personal computer smart card) library. PCSC is a standard for interfacing with smart card hardware and it ships with most operating systems; typically software that wants to talk to the smart card uses the operating system provided library. The vendor customized version of this library is likely needed due to their specific crypto algorithms.
The vendor fork for FreeRDP does three major things:
I don't think that (2) is relevant in your case since you don't describe hitting these screens (it's likely you only have a single reader attached). I can't evaluate the importance of (3); the FreeRDP code has diverged significantly since this fork was made (it's years old); it's also probable that the vendor PCSC library has diverged in this time frame (perhaps making it more or less compatible with the standard PCSC).
For (1), it might be possible that we can allow you to use your own provided PCSC library at runtime instead of the OS one. I don't know the state of dynamic code loading / execution on the Android platform but I assume this is possible. We would have to provide that mechanism for you, and you could evaluate if it works out of the box (the vendor documentation implies that it should) or if further changes are needed (and until we try this, I have no idea of the scope of what those changes might be).
I can look at adding that option as part of the smart card improvements I mentioned in my original post, but as I wrote, it's on a medium term timeframe (2024.3 at the earliest - which puts us into the last quarter of the year). It's possible that the RDM Android team might like to try and get that done faster, but I would expect not since this is somewhat of an esoteric request (you're the first person that brings this to our attention as far as I can tell). I'll link this forum post to the relevant ticket so we can update you once there is any news.
You might want to investigate options for getting an updated version of aFreeRDP with the vendor changes applied and the latest bug fixes and improvements. For a developer that understands the space and has access to test hardware, I don't think it would be a big effort.
Please let me know if you have any questions or comments.
Kind regards,
Richard Markievicz
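As an added illustration of what the PC/SC library described in the reply above does, and of pointing a client at a vendor-supplied copy of it instead of the OS one (this is example code, not code from RDM, FreeRDP or the vendor SDK): it loads a PC/SC library from an explicit path via ctypes, asks it which readers are attached, and parses the double-NUL-terminated list it returns. It assumes the Linux pcsclite ABI (DWORD is unsigned long, SCARDCONTEXT is long) and a hypothetical vendor library path.

```python
import ctypes
import ctypes.util

# PC/SC constants from pcsclite.h / winscard.h
SCARD_SCOPE_SYSTEM = 2
SCARD_S_SUCCESS = 0
SCARD_E_NO_READERS_AVAILABLE = 0x8010002E


def parse_multistring(buf: bytes) -> list:
    """SCardListReaders returns a 'multi-string': reader names separated by
    NUL and terminated by a double NUL, e.g. b"Reader A\\0Reader B\\0\\0"."""
    return [s.decode("utf-8") for s in buf.split(b"\0") if s]


def list_readers(library_path=None):
    """Load a PC/SC library (a vendor one if library_path is given, else the
    OS pcsclite) and return the reader names it reports, [] if none are
    attached, or None when no usable library / daemon is present."""
    # Assumes Linux pcsclite ABI: DWORD = unsigned long, SCARDCONTEXT = long.
    path = library_path or ctypes.util.find_library("pcsclite")
    if not path:
        return None
    try:
        lib = ctypes.CDLL(path)
        lib.SCardEstablishContext.restype = ctypes.c_long
        lib.SCardListReaders.restype = ctypes.c_long
        lib.SCardReleaseContext.restype = ctypes.c_long
    except (OSError, AttributeError):
        return None  # not loadable, or not a PC/SC library at all
    ctx = ctypes.c_long()
    rv = lib.SCardEstablishContext(ctypes.c_ulong(SCARD_SCOPE_SYSTEM),
                                   None, None, ctypes.byref(ctx))
    if rv != SCARD_S_SUCCESS:
        return None  # typically: pcscd (or the vendor daemon) is not running
    try:
        size = ctypes.c_ulong(0)
        # First call with a NULL buffer only asks for the required size.
        rv = lib.SCardListReaders(ctx, None, None, ctypes.byref(size))
        if (rv & 0xFFFFFFFF) == SCARD_E_NO_READERS_AVAILABLE:
            return []
        if rv != SCARD_S_SUCCESS:
            return None
        buf = ctypes.create_string_buffer(size.value)
        rv = lib.SCardListReaders(ctx, None, buf, ctypes.byref(size))
        if rv != SCARD_S_SUCCESS:
            return None
        return parse_multistring(buf.raw[: size.value])
    finally:
        lib.SCardReleaseContext(ctx)
```

Called as `list_readers("/opt/vendor/libpcsc.so")` (a hypothetical path) it talks to the vendor library; called with no argument it uses the OS pcsclite, which is the behaviour a standard FreeRDP build has today.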
Hello! I thank you for your detailed study of our situation! I am pleasantly surprised by the attention you are paying to our problem.
Based on the points you described, I can say the following:
(2) - we really don’t need any additional screens, and the existing procedure is enough for us (launching the driver program, and then entering the smart card PIN code in Windows Logon); the best option would be to support smart cards with NLA enabled, if possible;
Speaking about the timing of the implementation of the feature, as you understand, we are not a large commercial customer and can only hope for the implementation of this functionality in principle.
For our part, we are ready to help and give any feedback and test functionality, including alpha and beta versions, which you can send as needed, since only we have the physical devices themselves...
Unfortunately, I did not fully understand the last paragraph about the latest versions of aFreeRDP. I talked with our vendor on their forum and, as I understand it, they do not plan to develop and update their custom client program...
Thank you for your answers and help, we will expect positive progress on this feature when your team has time to do it!
Hello again
To expand on what I wrote, if your issue with the vendor-provided RDP client is that it's buggy or missing modern features - and as you wrote, they are not planning an update - you could contract a developer to implement a more modern client integrating the necessary code to talk to your smart card. The repo you linked is based on a 6-year-old version of FreeRDP, which is ancient compared to the current version.
However, if the issue is that you prefer the RDM approach of managing sessions and the overall interface, it might be possible to customize the vendor client so that it can be launched from another application. That is to say, you could use RDM as the frontend, but when launching an RDP session, it could launch the custom RDP client instead of an embedded entry. I don't know if this is currently possible with RDM Android; it would be something like the "External" connection mode on our desktop platforms.
All this is quite hypothetical and depends on your needs. As I wrote, we might be able to provide something that helps in the medium term but there is no guarantee of success.
Thanks and kind regards,
Richard Markievicz