Smart Card Redirection

Hello,
 we have RDS Windows Server 2012 and Win 7 client with Gemalto GemPC Twin Smart Card USB reader, which is to be used for communication with bank. On client itself everything works, we can log on to bank website (uses Java), use the card, etc.
 We are trying to redirect Smart Card from the same client via RDP to RDS Server but it's not visible on terminal. The Smart Card service is running on both machines. I also tried to install driver on RDS server (this should be the right one: http://support.gemalto.com/?id=pc_usb_tr_and_pc_twin) but no change.
 Redirection is ticked on client and allowed on session host server (via GPO), we're not using gateway in this case.
 Can anyone tell where could be the issue? Thank you.
Pete
sfs

Do you see any errors in the Application log at logon?
Have you tried this update? http://support.microsoft.com/kb/2913751

Similar Messages

  • Access to smart card reader on Win 8.1 RDP Host

    Hi,
    I have a customer that has a couple of Windows 8.1 Pro computers, that has a smart card reader in the local keyboard.
    Until a few months ago, they could RDP to the desktop computer from a RDP client such as another Windows PC, a Mac or a mobile device.
    The problem is now that when accessing the desktop computer (with the smart card reader keyboard) from a RDP client, the smart card reader is not available in the RDP session anymore. This prevents them from logging on to an application in the network that requires their smart card.
    Can someone perhaps point me in a direction where this can be solved, either with the MS RDP host or with some 3rd party RDP host applications?
    (Teamviewer or similar remote support applications works, but that is not what the customer want...)
    Since it worked like a charm up until 2-3 months ago, there must have been some update to Win 8.1 that prevents this by default?
    Thanks in advance,
    /Mikael Forslund

    Hi Mikael Forslund,
    I am supposing you attempted to use smart card reader connected directly to Remote Desktop terminal. Basically your RDP session should redirected smart card reader to the client side and will not see readers connected to the host side because enable Safety equipment such like smart card reader will cause highly insecure and that is not by design.
    We suggest using smart card reader on local RDP client for your issue.
    “The reverse is also true; if you RDP into a session from the start you will never see any local smartcard readers as Winscard will detect it’s running in an RDP session and no calls to Winscard will ever reach the local PC/SC layer – everything will be redirected to the connecting client.”
    Quote from this TechNet article
    http://blogs.technet.com/b/instan/archive/2011/03/27/why-can-t-i-see-my-local-smartcard-readers-when-i-connect-via-rdp.aspx
    Similar case has been posted and for your reference
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/47972083-b9bd-49fd-8708-b296af81bda3/usb-smart-card-reader-and-smart-card-connected-directly-to-remote-desktop-server?forum=winserverTS
    Regards
    D. Wu

  • Compiling rdesktop with Smart Card support?

    Hello,
    I've tried like the dickens to compile "rdesktop" (an open source solution to connect Windoze PCs using Microsoft RDP protocol). I can compile and run the source code, but I find it impossible to compile in smart card support. I've tried everything to get the "pcsc-lite" components to compile in - but I'm too much of a makefile noob I'm afraid.
    Anyone know how to do this?
    There's a related discussion at http://discussions.apple.com/thread.jspa?messageID=8652963.
    Any help appreciated
    ~Matt

    Hi,
    Thank you for posting in Windows Server Forum.
    In a Remote Desktop scenario, a user is using a remote server for running services, and the smart card is local to the computer that the user is using. In a smart card logon scenario, the smart card service on the remote server redirects to the smart card reader connected to the local computer where the user is trying to log on. You can refer following article for details.
    Smart Card and Remote Desktop Services
    http://technet.microsoft.com/en-us/library/ff404286(v=ws.10).aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • Smart card session

    Hi
    Suppose that a DTU user's init session with his smartcard put in the drive, work with some tools and do not save his changes in documents, for example.
    What happens later with this session if the user loses his smartcard?
    I can "redirect" this original session to other DTU or smart card? I don't want to lose this session.
    Thanks!

    "redirect" is no problem. you can do so, using the utuser -ai and utuser -di commands. -ai adds a card to an existing (or lost) card (session), -di deletes a card. see man page...
    (-a -i did not work for me. i had to use -ai...)
    it is not possible to configure 2 or more cards and "look" at a session more than once... the ray server will NOT send the data to both DTUs. instead it will choose the DTU in which the last card was plugged. afair the other DTUs show a freezed screen for a while.
    hope this helps.

  • Problem with CertificateRequest when using a smart card

    Hello,
    I have used the ssl debug statement to determine that ssl server is sending a CertificateRequest and a list of CAs. The smart card is opened via a password and I think X509KeyManagerImpl compares the Issuer of the smart card certificates with the server sent CAs. However since the issuer is an intermediate CA and only the root CA is in this list, the smartcard certificates are rejected. I CAN'T have the intermediate CA placed in the ssl server list.
    Using SSLConnect (KeyManager, X509TrustManager, null). The KeyManager is using NSS and the TrustManager is using opensc-pkcs11 via SunPKCS11. The OS is Linux, kernel 2.6.35.10-74.fc14.i686.
    The intermediate CA is in the local cert store.
    The application being used is DavMail.
    Am I correct in stating that the smart card certificates are checked against the server sent CAs?
    Does anyone know how to get Java to use the local cert store to find the intermediate CA and then verify it against the Root CA in the server sent list?

    Placed in wrong forum. Moved it to Security Java Secure Socket Extension (JSSE)

  • RDS Gateway + Smart Card Error [ The specified user name does not exist.]

    I have the following Windows Server 2008 R2 servers:
    addsdc.contoso.com, AD DS Domain Controller for contoso.com
    adcsca.contoso.com, AD CS Enterprise CA, CDPs/AIAs published externally.
    fileserver.contoso.com, RDS Session Host for Administration enabled
    rdsgateway.contoso.com, RDS Gateway enabled
    tmgserver.contoso.com, 'Publishing' rdsgateway.contoso.com but with pass-through authentication
    And the following Windows 7 PCs:
    internalclient.contoso.com
    externalclient.fabrikam.com
    There's no trust between the domains, the external client is completely separate on the internet but the CA certificate for contoso.com has been installed in the trusted Root CA store. All servers have certificates for secure RDP.
    I enrolled for a custom 'Smart Card Authentication' certificate with Client Authentication and Smart Card Logon EKUs from the CA, stored on my new Gemalto smart card using the Microsoft Base Smart Card CSP.
    From internalclient.contoso.com, I can RDP to fileserver.contoso.com
    using the smart card just fine with no certificate errors.
    From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com
    via rdsgateway.contoso.com using a username and password just fine with no certificate errors.
    From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com
    via rdsgateway.contoso.com using the smart card to authenticate to the gateway, and a username and password to authenticate to the end server, just fine.
    BUT from when using a smart card to authenticate to the end server via the gateway, it fails with:
         The specified user name does not exist. Verify the username and try logging in again. If the problem continues, contact your system administrator or technical support. 
    When I move the client into the internal network and try the connection again (still via the RDS Gateway), it works fine - the only thing I can think of is being outside the network and not being able to contact the AD DS DC for Kerberos is causing the issue - but I'm pretty sure this is a supported scenario?
    The smart card works fine internally, the subject of the certificate is the user's common name (John Smith) and the only SAN is
    [email protected] which matches the UPN of the user account as it was auto-enrolled.
    Does anyone have any ideas?

    I had a similar issue where I am using a smart card through a Remote Desktop Gateway. I had to disable Network Level Authentication (NLA) on the destination Remote Desktop Server. If anyone has another way around this, I'd appreciate hearing it. I'd prefer to use NLA.

  • How to include the user as a recipient of the email generated when a smart card certificate is issued by an Enrollment Agent on behalf of a user.

    How can I add the requester name in the To: field of the email generated when a Smart Card certificate is issued on his behalf.
    I want to address the possibility of someone (Enrollment Agent) issuing a Smart Card certificate on behalf of a user, assign a PIN and use it without the user's knowledge.
    There doesn't seem to be a way in the registry to define a variable to be used in a manner similar to the TitleArg & TitleFormat way of using %1.
    Jamal Saket OSFI Canada

    Hi,
    Thank you for your question.  
    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. 
    Thank you for your understanding and support.
    TechNet Subscriber Support

  • How to use Smart Card API's (OCF) in Web Application

    Hi frnds,
    For our new smart card based project, i have few queries,
    1. Can we choose web based application for smart card based projects?
    2. How servlet will communicate with opencard CTListener class?
    3. While the card insertion and remove how the event will be reflect the servlet?
    4. For that is it needed to design the client UI by using Swing?
    5. Without Swing will servlet give all solution for smart card connection and events?
    Rgrds,
    dhaya.

    I am also looking for smart card Authentication using web. Any info really appreciated

  • How to load the .cap file in a Smart Card?

    Dear All,
    Hello..!!
    I am using JCDK 2.2 and have used Eclipse JCDK.
    I have written a simple read/write applet and created a .cap file using Eclipse's Converter Java Card tool.
    What is the next step to be done?
    I have a smart card device and have installed its drivers.
    When do the APDU commands come into picture?
    Expecting help.
    Thanks a lot.
    Regards,
    Suril

    Suril Sarvaiya wrote:
    Hi Shane....
    Thnx a lot....
    I have downloaded GP-Shell 1.4.4
    When I open its application and write any command and press enter ; the app window closes immediately.
    Can you please help me on this?
    One more thing Shane......
    I'm writing a java class using javax.smartcardio
    I have installed drivers of Omnikey 3021
    but the TerminalFactory is not detecting it?
    Any idea on that?
    Thanks again...
    Regards,
    Suril

    Hi all,
    Is Mr. thread starter has solved his problem?
    I profit this thread to post my question. I'm working with new environment and I have problem loading cap file into my smartcard.
    specification come first :-)
    - My smartcard is said to be JC2.2.1 and GP2.1.1 compatible
    - My code (for testing) is written in Java under eclipse Helios service 2 with JavaCard plugin (for JC2.2.2)
    I compile my code with JDK 1.3 (for compatible version) and using the JC plugin to generate cap file (along with exp and jca).
    My problem is exactly the same as one that was posted in this forum about 2 years ago but is not answered :-)
    [Problem Loading Application to Card |http://forums.oracle.com/forums/thread.jspa?threadID=1749334&tstart=420]
    + I successfully authenticate with smartcard
    + APDU command Install for Load is executed successfully
    + BUT the APDU command LOAD file fails with returned status word is 6424
    For details, I post here my javacard applet code and APDU command executed with my tool:
    package mksAuthSys;

    import javacard.framework.APDU;
    import javacard.framework.Applet;
    import javacard.framework.ISO7816;
    import javacard.framework.ISOException;
    import javacard.framework.OwnerPIN;

    public class Jcardlet extends Applet {
        private final static byte[] myPIN = { (byte) 0x01, (byte) 0x02, (byte) 0x03, (byte) 0x04 };
        final static byte Jcardlet_CLA = (byte) 0xB0;
        final static byte VERIFY = (byte) 0x20;
        final static byte PIN_TRY_LIMIT = (byte) 0x03;
        final static byte MAX_PIN_SIZE = (byte) 0x08;
        final static short SW_VERIFICATION_FAILED = 0x6300;
        OwnerPIN pin;

        private Jcardlet() {
            pin = new OwnerPIN(PIN_TRY_LIMIT, MAX_PIN_SIZE);
            pin.update(myPIN, (byte) 0, (byte) 4);
            // register() is called once, from install(); calling it here as well
            // would register the same applet instance twice.
        }

        public static void install(byte bArray[], short bOffset, byte bLength)
                throws ISOException {
            new Jcardlet().register();
        }

        public boolean select() {
            // Refuse selection once the PIN is blocked.
            if (pin.getTriesRemaining() == 0) return false;
            return true;
        }

        public void deselect() {
            pin.reset();
        }

        //@Override
        public void process(APDU apdu) throws ISOException {
            // TODO Auto-generated method stub
            byte[] buffer = apdu.getBuffer();
            // Ignore the SELECT command that selected this applet.
            if ((buffer[ISO7816.OFFSET_CLA] == 0) &&
                    (buffer[ISO7816.OFFSET_INS] == (byte) (0xA4))) return;
            if (buffer[ISO7816.OFFSET_CLA] != Jcardlet_CLA)
                ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
            switch (buffer[ISO7816.OFFSET_INS]) {
                case VERIFY: verify(apdu);
                    return;
                default: ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
            }
        }

        private void verify(APDU apdu) {
            // TODO Auto-generated method stub
            byte[] buffer = apdu.getBuffer();
            // retrieve the PIN data for validation.
            byte byteRead = (byte) (apdu.setIncomingAndReceive());
            // check pin
            // the PIN data is read into the APDU buffer
            // at the offset ISO7816.OFFSET_CDATA
            // the PIN data length = byteRead
            if (pin.check(buffer, ISO7816.OFFSET_CDATA, byteRead) == false)
                ISOException.throwIt(SW_VERIFICATION_FAILED);
        }
    }

    And my APDU command:
    Loading "D:\mksAuthSys.cap" ...
    T - 80F28000024F00
    C - 08A000000003000000079E9000
    ISD AID : A000000003000000
    T - 80E602001508F23412345610000008A00000000300000000000000
    C - 009000
    T - 80E80000C8C482018B010012DECAFFED010204000108F23412345610000002001F0012001F000C001500420012009D0011001C0000009F00020001000402010004001502030107A0000000620101000107A000000062000103000C0108F234123456100001002306001200800301000104040000003DFFFF0030004507009D000510188C0003188F00013D0610088C00028700AD007B000403078B0005188B00067A02308F00073D8C00088B00067A0110AD008B00096104037804780110AD008B000A7A0221198B000B2D1A0300
    C - 6424
    Stopped loading due to unexpected status words.

    Urgently look forward to hearing from you.
    Thanks a bunch in advance
    Best Regards,
    JDL
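Added example, not part of the original post: a Python decoder for the two command APDUs in the trace above. It splits the INSTALL [for load] fields, walks the CAP components inside the first LOAD block, and compares the C4 length with the sizes declared in the CAP Directory component. The hex strings are copied from the trace; all function names are this example's own.

```python
import struct

# Command APDUs copied from the "T -" lines of the trace above, split per CAP component.
INSTALL_FOR_LOAD = "80E602001508F23412345610000008A00000000300000000000000"
LOAD_BLOCK_0 = (
    "80E80000C8" "C482018B"  # APDU header (Lc = 0xC8), then tag C4 + BER length
    "010012DECAFFED010204000108F234123456100000"  # Header
    "02001F0012001F000C001500420012009D0011001C0000009F000200010004020100"  # Directory
    "04001502030107A0000000620101000107A0000000620001"  # Import
    "03000C0108F2341234561000010023"  # Applet
    "06001200800301000104040000003DFFFF00300045"  # Class
    "07009D000510188C0003188F00013D0610088C00028700AD007B000403078B0005188B00067A0230"
    "8F00073D8C00088B00067A0110AD008B00096104037804780110AD008B000A7A0221198B000B2D1A03"
    "00"  # the two lines above are the Method component, cut by the block size; 00 is Le
)
# CAP component names; a component's tag is its index here + 1.
CAP_TAGS = ("Header Directory Applet Import ConstantPool Class Method "
            "StaticField RefLocation Export Descriptor").split()

def split_apdu(hex_str):
    """Return (INS, P1, P2, data) of a short-length command APDU, checking Lc."""
    raw = bytes.fromhex(hex_str)
    _cla, ins, p1, p2, lc = raw[:5]
    if len(raw) < 5 + lc:
        raise ValueError("APDU is shorter than its Lc field claims")
    return ins, p1, p2, raw[5:5 + lc]

def parse_install_for_load(hex_str):
    """Split the five length-value fields of GlobalPlatform INSTALL [for load]."""
    ins, p1, _p2, data = split_apdu(hex_str)
    if (ins, p1) != (0xE6, 0x02):
        raise ValueError("not an INSTALL [for load] command")
    fields, pos = {}, 0
    for name in ("load_file_aid", "security_domain_aid", "hash", "params", "token"):
        fields[name] = data[pos + 1:pos + 1 + data[pos]].hex().upper()
        pos += 1 + data[pos]
    return fields

def parse_load_block(hex_str):
    """Decode a first LOAD block: C4 length, then each CAP component (u1 tag, u2 size)."""
    ins, p1, p2, data = split_apdu(hex_str)
    if ins != 0xE8 or data[0] != 0xC4:
        raise ValueError("not a first LOAD block starting with tag C4")
    extra = data[1] & 0x7F if data[1] & 0x80 else 0  # BER long form: 0x82 = 2 length bytes
    total = int.from_bytes(data[2:2 + extra], "big") if extra else data[1]
    pos, comps = 2 + extra, []
    while pos + 3 <= len(data):
        tag, size = data[pos], int.from_bytes(data[pos + 1:pos + 3], "big")
        body = data[pos + 3:pos + 3 + size]
        name = CAP_TAGS[tag - 1] if 1 <= tag <= len(CAP_TAGS) else "tag %d" % tag
        comps.append({"name": name, "size": size, "body": body, "complete": len(body) == size})
        pos += 3 + size
    return {"last_block": bool(p1 & 0x80), "block_number": p2, "load_file_len": total, "components": comps}

def decode_header(body):
    """CAP Header: magic, CAP format version, flags, package version and package AID."""
    magic, minor, major, _flags, pkg_minor, pkg_major, aid_len = struct.unpack(">IBBBBBB", body[:10])
    if magic != 0xDECAFFED:
        raise ValueError("bad CAP magic")
    return {"cap_version": "%d.%d" % (major, minor), "package_version": "%d.%d" % (pkg_major, pkg_minor),
            "package_aid": body[10:10 + aid_len].hex().upper()}

def decode_imports(body):
    """CAP Import: (package AID, version) pairs the card must already provide."""
    out, pos = [], 1
    for _ in range(body[0]):
        minor, major, n = body[pos:pos + 3]
        out.append((body[pos + 3:pos + 3 + n].hex().upper(), "%d.%d" % (major, minor)))
        pos += 3 + n
    return out

def declared_load_len(directory_body):
    """Bytes the Directory says will be loaded: tag+size+body per component, Descriptor omitted."""
    sizes = struct.unpack(">11H", directory_body[:22])  # CAP 2.1 lists 11 component sizes
    return sum(3 + s for i, s in enumerate(sizes) if s and i != 10)

def analyse():
    load = parse_load_block(LOAD_BLOCK_0)
    body = {c["name"]: c["body"] for c in load["components"]}
    return {"install": parse_install_for_load(INSTALL_FOR_LOAD), "load": load,
            "header": decode_header(body["Header"]), "imports": decode_imports(body["Import"]),
            "declared_len": declared_load_len(body["Directory"])}

if __name__ == "__main__":
    print(analyse())
```

The Method component is reported as incomplete because the rest of it belongs to the next LOAD block, which the trace never reaches. The Import list shows the package versions the CAP file was converted against (A0000000620101 is javacard.framework, A0000000620001 is java.lang), which can be compared with what the card documents as supported.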

  • Remote desktop and smart cards

    I frequently work from home using my mac to access my windows based desktop at the office. I use the microsoft remote desktop v. 1.0.3. for MAC. Now that my agency is moving to smart card identification requirements for access I need to be able to use the smart card at home to sign onto the office desktop.
    The RDC for MAC does not have an option for smart card readers (as opposed to the RDC for windows version). Is there alternative software that would be simple to install on my MAC (I am not an IT sophisticate) that will give me smart card access?

    Microsoft Remote Desktop Connection (RDC) for Mac and Apple Remote Desktop (ARD) are two completely different tools with marginally similar capabilities. Unfortunately, as you've already discovered, neither offers Smart Card capabilities to allow you to authenticate to your Windows computer at work.
    If your Mac is an Intel Mac then you could probably run Windows using Parallels or Boot Camp on your home computer and use the Windows RDC client to make your connection. I don't suggest trying to use VirtualPC if you have a PowerPC Mac simply because your Smart Card reader will most likely be USB and VirtualPC has a bad track record with USB devices.
    Hope this helps!
    bill
      Mac OS X (10.4.10)   1 GHz Powerbook G4

  • MS Remote Desktop and smart card reader

    I have installed MS Remote Desktop Conn. on my iMac and connected a smart card reader via the USB. Although my reader energizes when the computer is on, the computer doesn't seem to recognize the reader. When I insert a CAC card into the reader and try to log in remotely, I continue to get a "username/password" box instead of the CAC PIN number. Do I need to install some kind of smart card driver or does Apple already have it? I'm at a loss as to how to fix this.

    I was able to get rdesktop 1.6.0 to install on my Mac and I was able to get CAC log-in to work.
    However, the installation is a little tricky. I downloaded rdesktop 1.6.0 from this link:
    <<http://www.rdesktop.org>>
    My instructions for installation:
    1. Make sure Xcode Tools is installed on your computer. It should be on your OS X install disk.
    2. Find out where your X11 libraries are located:
    -From the Finder menu, select "Go" >> "Go to Folder..."
    -Type (without the quotes) "/usr/X11", and click "Go"
    You should see a bunch of folders. Make sure the "include" and "lib" folders are there. Otherwise you need to find out where the X11 "include" and "lib" folders are located on your computer.
    3. Download rdesktop and place the (unarchived) rdesktop-1.6.0 folder on your Desktop
    4. Open the X11 application (should be in your Utilities folder)
    5. In the X11 window type the following (without the quotes):
    "cd Desktop/rdesktop-1.6.0 && ./configure --enable-smartcard -x-includes=/usr/X11/include -x-libraries=/usr/X11/lib && make && sudo make install"
    6. Hit enter. When prompted, enter your administrator password and hit enter.
    rdesktop should now be installed in the following folder:
    /usr/local/bin
    So, to launch rdesktop with smartcard log in enabled, open the X11 application (or Terminal application) and type the following (without the quotes, and replace your.server.address with the server address):
    "cd /usr/local/bin && ./rdesktop -r scard your.server.address"
    Hit enter and it should launch a new X11 window that will try to access the remote server where you should be prompted for your PIN.
    To explore more options with rdesktop, open X11 and type the following (without quotes):
    "cd /usr/local/bin && ./rdesktop"
    Hit enter and you should get a list of options available to rdesktop.

  • Remote desktop and smart card

    Hi.
    I need to use a smart card while working with remote desktop.
    My office pc runs win XP and have a smart card connected. I can not use that card when working remotely, it's not found. Like it's disconnected.
    I also have a smart card connected to my Mac at home. The smart card works fine when the VPN connection ask for my code.
    The problem is that it does not get forwarded. I have tried to use MS Remote Desktop for mac and CoRD.
    But none of them supports the smart card.
    It works fine with parallels/win7 on my mac, I can then use my smart card.
    However I would like to not use the win/ on my mac.
    Does anybody have a solution to this? Are there any Remote desktop applications that support forwarding of smart card for Mac OS?
    Thanx for any tips

    You can install rdesktop with Smart Card support.
    It is fairly easy if you use something like MacPorts, Fink, or Homebrew.
    I know MacPorts has a port for it that I used in the past.

  • Error encountered while signing. Windows cryptographic service provider reported an error. Object not found. Error code:2148073489. Windows 7, Adobe Reader XI, Symantec PKI, Smart Card and CAC. I have seen other threads for this error but none have a reso

    Error encountered while signing. Windows cryptographic service provider reported an error. Object not found. Error code:2148073489. Windows 7, Adobe Reader XI, Symantec PKI, Smart Card and CAC. I have seen other threads for this error but none have a resolution. Any help would be appreciated.
    Sorry for the long title, first time poster here.

    This thread is pretty old, are you still having this issue?

  • Error while Accessing Smart Card using Open Card Frame Work

    HI
    Using Open Card Frame work I am trying to access GemAlto provided Smart Card (java card). I downloaded the Open Card Frame work from “http://www.openscdp.org/ocf/download.html”.
    I am executing a basic program to access the data stored in smart card.
    public static void main(String[] args) {
        System.out.println("reading smartcard file...");
        try {
            SmartCard.start();
            // Wait for a card that offers a file access card service.
            CardRequest cr = new CardRequest(FileAccessCardService.class);
            System.out.println("calling waitforCard");
            SmartCard sc = SmartCard.waitForCard(cr); //Error comes after this line
            System.out.println("After waitForCard called");
            FileAccessCardService facs = (FileAccessCardService)
                    sc.getCardService(FileAccessCardService.class, true);
            CardFile root = new CardFile(facs);
            CardFile file = new CardFile(root, ":c009");
            byte[] data = facs.read(file.getPath(), 0,
                    file.getLength());
            sc.close();
            String entry = new String(data);
            entry = entry.trim();
            System.out.println(entry);
        } catch (Exception e) {
            e.printStackTrace(System.err);
        }
        System.exit(0);
    }
    The content of the opencard.properties are :
              OpenCard.services = opencard.opt.util.PassThruCardServiceFactory
    OpenCard.terminals = com.ibm.opencard.terminal.pcsc10.Pcsc10CardTerminalFactory
    OpenCard.trace = opencard:5 com.ibm:4 opencard.opt.database:6
    After the line “ SmartCard sc = SmartCard.waitForCard(cr);”
    the program is expecting a card to be inserted but while inserting Smartcard the following error message come :
              calling waitforCard
              [ERROR    ] com.ibm.opencard.terminal.pcsc10.OCFPCSC1.OCFPCSC1.SCardConnect
    --- message
    --- thread Thread[Thread-0,5,main]
    --- source com.ibm.opencard.terminal.pcsc10.OCFPCSC1@2e7263
    [ERROR    ] com.ibm.opencard.terminal.pcsc10.OCFPCSC1.OCFPCSC1.SCardConnect
    --- message Protocol = 0
    --- thread Thread[Thread-0,5,main
    --- source com.ibm.opencard.terminal.pcsc10.OCFPCSC1@2e7263
    Basically the error is coming from the SCardConnect function of OCFPCSC1.cpp file.
    Please reply to my mail id if any body has any idea how to resolve this issue.
    MAIL-ID : [email protected]
    With Regards
    Swarup
    Finacle Archie
    Infosys Technologies Limited,Bhubaneswar,India

    Sounds like an issue that has to do with JavaScript Origin policy. You'll have to use Domain Relaxing for this. Read all about it here:
    http://help.sap.com/saphelp_nw04/helpdata/en/59/87b54064c2742ae10000000a155106/frameset.htm
    here:
    http://help.sap.com/saphelp_nw04/helpdata/en/5e/473d4124b08739e10000000a1550b0/frameset.htm
    and here:
    http://help.sap.com/saphelp_nw04/helpdata/en/cb/f8751d8c6b254dac189f4029c76112/frameset.htm

  • Using smart card/nfc tag for authentication on Windows 8 devices NOT in a domain

    Title says it all. We have Sony RC-S380 readers and Acer Iconia W510 tablets with builtin Broadcom NFC chips. We can read tags and configure them for the usual proximity stuff (URIs, mail, etc.) but we are looking for authentication purposes, however without using ADFS or domain security. Can anyone point us in the right direction?

    Hi,
    By default, smart card is not available for stand alone computer and local account.
    This authentication technology might be helpful to you:
    EIDAuthenticate - Smart card logon on stand alone computers and local accounts
    http://www.mysmartlogon.com/products/eidauthenticate.html
    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Karen Hu
    TechNet Community Support
