Credential Providers and remote desktop connections

  • Question

  • Assuming I have a credential provider which logs me in automatically when a smartcard is present: what happens if a remote desktop connection comes in while the smartcard is present? I guess the remote user is automatically logged in as well, because RDP uses the normal credential providers?

    The only way to prevent this is to activate NLA (Network Level Authentication), and maybe this scenario is the real reason why NLA was introduced?

    Sunday, March 11, 2012 11:38 AM

Answers

  • In that case you are on your own to prevent remote users from getting logged in. To the best of my knowledge, this redirection mechanism is only implemented in WinSCard. So, if your CSP, which is used by your credential provider's authentication engine, is not using the WinSCard API for working with the USB token, then you will need to do some extra work.

    ----
    Nima Sharifimehr.
    sbucsc at yahoo dot com

    • Proposed as answer by Nima Sharifimehr Monday, March 12, 2012 3:04 PM
    • Marked as answer by schlatter Wednesday, March 14, 2012 8:16 AM
    Monday, March 12, 2012 3:04 PM
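    The "extra work" in the accepted answer is for the credential provider to recognise on its own that a logon request belongs to a remote session, since only a WinSCard-based CSP gets the redirection for free. The following PowerShell is an added example, not code from this thread or from any vendor's credential provider. It shows the two facts a practitioner would check on a Windows host: whether the calling session is remote (GetSystemMetrics(SM_REMOTESESSION), plus the GlassSessionId comparison from Microsoft's "Detecting the Remote Desktop Services environment" sample for Windows 8 and later), and which readers WinSCard actually exposes to that session, which is the redirection the first reply describes. It also reads the two registry values behind the mitigations raised in the question: whether NLA is required on the RDP-Tcp listener and whether smart card device redirection is blocked by policy. The registry paths, the 4096-character reader buffer and the two WinSCard error codes treated as "no readers" are assumptions about a standard Windows configuration.

```powershell
# Added example (not from the thread or any vendor's credential provider).
# Windows only: P/Invoke into standard Win32 exports of user32, kernel32 and winscard.
Add-Type -Namespace Demo -Name Native -MemberDefinition @'
[DllImport("user32.dll")]
public static extern int GetSystemMetrics(int nIndex);

[DllImport("kernel32.dll")]
public static extern bool ProcessIdToSessionId(uint dwProcessId, out uint pSessionId);

[DllImport("winscard.dll")]
public static extern int SCardEstablishContext(uint dwScope, IntPtr pvReserved1,
                                               IntPtr pvReserved2, out IntPtr phContext);

[DllImport("winscard.dll", CharSet = CharSet.Unicode)]
public static extern int SCardListReaders(IntPtr hContext, string mszGroups,
                                          [Out] char[] mszReaders, ref uint pcchReaders);

[DllImport("winscard.dll")]
public static extern int SCardReleaseContext(IntPtr hContext);
'@

# Assumption: standard location of the Terminal Server configuration key.
$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Test-RemoteSession {
    # SM_REMOTESESSION (0x1000) is nonzero when the calling process runs in an RDP session.
    if ([Demo.Native]::GetSystemMetrics(0x1000) -ne 0) { return $true }
    # Windows 8+: an RDP connection to the physical console session reports 0 above.
    # Microsoft's sample then compares the current session ID with GlassSessionId.
    $glass = (Get-ItemProperty $TsKey -Name GlassSessionId -ErrorAction SilentlyContinue).GlassSessionId
    if ($null -eq $glass) { return $false }
    [uint32]$sid = 0
    if (-not [Demo.Native]::ProcessIdToSessionId([uint32]$PID, [ref]$sid)) { return $false }
    return ($sid -ne $glass)
}

function Get-VisibleSmartCardReaders {
    # Calls WinSCard from this session. Inside an RDP session the request is redirected
    # to the client, so the server's own readers do not appear; on the console they do.
    $ctx = [IntPtr]::Zero
    $rc = [Demo.Native]::SCardEstablishContext(0, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$ctx)  # 0 = SCARD_SCOPE_USER
    if ($rc -ne 0) { throw ('SCardEstablishContext failed: 0x{0:X8}' -f $rc) }
    try {
        $buf = New-Object char[] 4096            # assumption: large enough for the multi-string
        [uint32]$len = $buf.Length
        $rc = [Demo.Native]::SCardListReaders($ctx, $null, $buf, [ref]$len)
        # SCARD_E_NO_READERS_AVAILABLE (0x8010002E) and SCARD_E_SERVICE_STOPPED (0x8010001E)
        # both mean "nothing to see from here"; treat them as an empty list, not an error.
        if ($rc -eq -2146435026 -or $rc -eq -2146435042) { return @() }
        if ($rc -ne 0) { throw ('SCardListReaders failed: 0x{0:X8}' -f $rc) }
        # Result is a multi-string: NUL-separated reader names ending in a double NUL.
        $joined = -join $buf[0..($len - 1)]
        return @($joined.Split([char]0) | Where-Object { $_ -ne '' })
    } finally {
        [void][Demo.Native]::SCardReleaseContext($ctx)
    }
}

function Get-RdpMitigationState {
    # NLA: UserAuthentication = 1 on the RDP-Tcp listener means the remote client must
    # authenticate (CredSSP) before a session, and thus any credential provider UI, exists.
    $nla = (Get-ItemProperty "$TsKey\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # Assumption: the policy "Do not allow smart card device redirection" writes fEnableSmartCard = 0 here.
    $pol = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name fEnableSmartCard -ErrorAction SilentlyContinue).fEnableSmartCard
    [pscustomobject]@{
        NlaRequired                 = ($nla -eq 1)
        SmartCardRedirectionBlocked = ($pol -eq 0)
    }
}

# Usage: run once on the console and once inside an RDP session to the same machine
# and compare the two outputs.
[pscustomobject]@{
    SessionId      = [System.Diagnostics.Process]::GetCurrentProcess().SessionId
    IsRemote       = Test-RemoteSession
    VisibleReaders = (Get-VisibleSmartCardReaders) -join '; '
} | Format-List
Get-RdpMitigationState | Format-List
```

    Note the division of labour this makes visible: NLA does not alter the WinSCard redirection at all; it only ensures that an unauthenticated remote client never gets as far as the logon screen where an auto-logon provider would fire. A provider whose CSP talks to the token without WinSCard therefore still needs the Test-RemoteSession style check in its own code, because the redirection that protects a WinSCard-based provider does not apply to it.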

All replies

  • The remote user will not automatically get logged in, because when SCardEstablishContext is called from within a terminal server session, WinSCard detects this and will redirect the smart card requests to the client's machine. You may read more here: http://msdn.microsoft.com/en-us/library/bb905527.aspx

    ----
    Nima Sharifimehr.
    sbucsc at yahoo dot com

    Sunday, March 11, 2012 2:57 PM
  • What if it is a USB dongle and the credential provider is from some company?

    Then it would be necessary to detect the remote login to prevent the local dongle from letting in the remote user?

    Monday, March 12, 2012 1:41 PM
  • http://technet.microsoft.com/en-us/security/bulletin/ms12-020

    Wednesday, March 14, 2012 1:27 PM
  • The remote user will not see the locally inserted smartcard or USB token - all calls to Winscard within his session will be piped to the local Winscard instance on the client as in the diagram above.

    See http://blogs.technet.com/b/instan/archive/2011/03/27/why-can-t-i-see-my-local-smartcard-readers-when-i-connect-via-rdp.aspx

    Tuesday, July 10, 2012 1:01 AM
  • Is there a way to disable this check within winscard.dll? Say for use in a virtual smartcard driver.
    Saturday, March 9, 2013 3:30 AM
  • The answer to my question above is "no"... and you would not want to as it could cause all sorts of issues by allowing local readers to be accessed with concurrent RDP sessions.
    Wednesday, September 11, 2013 9:25 PM