Credential Providers and remote desktop connections

    Question

  • Assuming I have a credential provider which logs me in automatically when a smartcard is present: what happens if a remote desktop connection comes in while the smartcard is present? I guess the remote user is automatically logged in as well, because RDP uses the normal credential providers?

    The only way to prevent this is to activate NLA (Network Level Authentication) and maybe this scenario is the real reason why NLA was introduced?

    Sunday, 11 March 2012 11:38


All replies

  • The remote user will not automatically get logged in, because when SCardEstablishContext is called from within a terminal server session, WinSCard detects this and will redirect the smart card requests to the client's machine. You may read more here: http://msdn.microsoft.com/en-us/library/bb905527.aspx

    ----
    Nima Sharifimehr.
    sbucsc at yahoo dot com



    Sunday, 11 March 2012 14:57
  • What if it is a USB dongle and the credential provider is from some company?

    Then it would be necessary to detect the remote login to prevent the local dongle from letting in the remote user?

    Monday, 12 March 2012 13:41
  • In that case you are on your own to avoid remote users from getting logged in. To the best of my knowledge, this redirection mechanism is only implemented in WinSCard. So, if your CSP, which is used by your credential provider's authentication engine, is not using WinSCard API for working with the USB token, then you will need to do some extra work.

    ----
    Nima Sharifimehr.
    sbucsc at yahoo dot com

    • Proposed as answer by Nima Sharifimehr, Monday, 12 March 2012 15:04
    • Marked as answer by schlatter, Wednesday, 14 March 2012 08:16
    Monday, 12 March 2012 15:04
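    The two checks the answer above leaves to the credential provider, shown as an added example (this is not code from the thread or from any product mentioned in it). It is PowerShell calling the documented Win32 APIs through P/Invoke so the behaviour can be tried interactively: GetSystemMetrics(SM_REMOTESESSION) tells a process whether it is running inside a Terminal Services session, and SCardListReaders shows which readers WinSCard exposes from that session. Run it once in the console session and once inside an RDP session to the same machine; the reader list in the RDP session is the client's, not the server's. The names `Test-RemoteSession` and `Get-WinScardReaders` are this example's own, and the policy line at the end is an illustration, not something the platform enforces for a non-WinSCard token.

```powershell
# Added example, not code from the thread. Two checks a credential provider
# (or its CSP) for a non-WinSCard USB token has to perform itself, done here
# from PowerShell via P/Invoke so they can be tried interactively.
# Assumptions: Windows with the Smart Card service available; run in a console
# session and again inside an RDP session to compare the two results.

$signatures = @'
[DllImport("user32.dll")]
public static extern int GetSystemMetrics(int nIndex);

[DllImport("winscard.dll", CharSet = CharSet.Unicode)]
public static extern uint SCardEstablishContext(uint dwScope, IntPtr pvReserved1,
                                                IntPtr pvReserved2, out IntPtr phContext);

[DllImport("winscard.dll", CharSet = CharSet.Unicode, EntryPoint = "SCardListReadersW")]
public static extern uint SCardListReaders(IntPtr hContext, string mszGroups,
                                           char[] mszReaders, ref uint pcchReaders);

[DllImport("winscard.dll")]
public static extern uint SCardReleaseContext(IntPtr hContext);
'@
$Native = Add-Type -MemberDefinition $signatures -Name Win32 -Namespace RdpTokenCheck -PassThru

$SM_REMOTESESSION             = 0x1000       # GetSystemMetrics index
$SCARD_SCOPE_USER             = 0
$SCARD_S_SUCCESS              = 0
$SCARD_E_NO_READERS_AVAILABLE = 2148532270   # 0x8010002E, written in decimal to keep it unsigned

function Test-RemoteSession {
    # Nonzero when the calling process lives in a Terminal Services (RDP) session.
    # A credential provider that auto-logs on from a server-attached dongle
    # should refuse to do so when this returns $true.
    return ($Native::GetSystemMetrics($SM_REMOTESESSION) -ne 0)
}

function Get-WinScardReaders {
    # Enumerates readers through WinSCard. Inside an RDP session this list comes
    # from the client machine, because WinSCard redirects the context there;
    # a reader or token attached to the server is not in it.
    $ctx = [IntPtr]::Zero
    $rc = $Native::SCardEstablishContext($SCARD_SCOPE_USER, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$ctx)
    if ($rc -ne $SCARD_S_SUCCESS) { throw ('SCardEstablishContext failed: 0x{0:X8}' -f $rc) }
    try {
        [uint32]$needed = 0
        # First call with a null buffer only asks for the required length.
        $rc = $Native::SCardListReaders($ctx, $null, $null, [ref]$needed)
        if ($rc -eq $SCARD_E_NO_READERS_AVAILABLE) { return ,@() }
        if ($rc -ne $SCARD_S_SUCCESS) { throw ('SCardListReaders (size query) failed: 0x{0:X8}' -f $rc) }
        $buffer = New-Object char[] $needed
        $rc = $Native::SCardListReaders($ctx, $null, $buffer, [ref]$needed)
        if ($rc -ne $SCARD_S_SUCCESS) { throw ('SCardListReaders failed: 0x{0:X8}' -f $rc) }
        # The result is a double-NUL-terminated multi-string; split it on NUL.
        return ,@(((-join $buffer) -split "`0") | Where-Object { $_ -ne '' })
    } finally {
        [void]$Native::SCardReleaseContext($ctx)
    }
}

$remote  = Test-RemoteSession
$readers = Get-WinScardReaders
"Remote session: $remote"
"Readers visible through WinSCard: " + $(if ($readers.Count) { $readers -join ', ' } else { '(none)' })
if ($remote) {
    # Illustrative policy for a non-WinSCard token: nothing in the platform
    # hides a server-attached USB device from a remote session on its own.
    'Policy: refuse auto-logon from a server-attached token in this session.'
}
```

    Expect the reader list inside an RDP session to contain only readers on the client (or none, if the client has no reader or has not enabled smart card redirection), while the same script on the console lists the server's readers. A credential provider whose CSP talks to the token through its own driver rather than WinSCard does not get that redirection, which is why the remote-session check is the piece it has to add.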
  • http://technet.microsoft.com/en-us/security/bulletin/ms12-020

    Wednesday, 14 March 2012 13:27
  • The remote user will not see the locally inserted smartcard or USB token - all calls to Winscard within his session will be piped to the local Winscard instance on the client as in the diagram above.

    See http://blogs.technet.com/b/instan/archive/2011/03/27/why-can-t-i-see-my-local-smartcard-readers-when-i-connect-via-rdp.aspx


    Tuesday, 10 July 2012 01:01
  • Is there a way to disable this check within winscard.dll? Say, for use in a virtual smartcard driver.
    Saturday, 9 March 2013 03:30
  • The answer to my question above is "no"... and you would not want to as it could cause all sorts of issues by allowing local readers to be accessed with concurrent RDP sessions.
    Wednesday, 11 September 2013 21:25