Applies To: Windows 10, Windows Server 2016
-->
This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
The content in this topic applies to the versions of Windows that are designated in the Applies To list at the beginning of this topic. In these versions, the smart card redirection logic and the WinSCard API are combined so that a single process can serve multiple redirected sessions.
Smart card support is required to enable many Remote Desktop Services scenarios. These include:
Remote Desktop Services redirection
In a Remote Desktop scenario, the user runs applications on a remote server while the smart card stays in a reader attached to the local computer. For smart card sign-in, the smart card service on the remote server is redirected to the smart card reader connected to the local computer from which the user is signing in.
Remote Desktop redirection
Notes about the redirection model:
RD Session Host server single sign-in experience
As part of Common Criteria compliance, the RDC client must be configurable to use Credential Manager to acquire and save the user's password or smart card PIN. Common Criteria compliance requires that applications not have direct access to the user's password or PIN.
Specifically, Common Criteria compliance requires that the password or PIN never leave the LSA unencrypted. In a distributed scenario the password or PIN may travel from one trusted LSA to another, but it must remain encrypted in transit.
When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services sessions, users still need to sign in for every new Remote Desktop Services session. However, the user is not prompted for a PIN more than once to establish a Remote Desktop Services session. For example, after the user double-clicks a Microsoft Word document icon that resides on a remote computer, the user is prompted to enter a PIN. This PIN is sent over a secure channel that the Credential Security Support Provider (CredSSP) has established. The PIN is routed back to the RDC client over the secure channel and sent to Winlogon. The user receives no additional prompts for the PIN unless the PIN is incorrect or there are smart card-related failures.
Remote Desktop Services and smart card sign-in
Remote Desktop Services enable users to sign in with a smart card by entering a PIN on the RDC client computer and sending it to the RD Session Host server in a manner similar to authentication that is based on user name and password.
In addition, Group Policy settings that are specific to Remote Desktop Services need to be enabled for smart card-based sign-in.
To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer is not in the same domain or workgroup, the following command can be used to deploy the certificate:
certutil -dspublish <CertFile> NTAuthCA
Here <CertFile> is the certificate of the CA that issued the KDC certificate. The NTAuthCA keyword makes certutil add it to the NTAuthCertificates object in the forest's Configuration partition; certutil locates that object itself, so its distinguished name is not passed on the command line. (The DSCDPContainer argument belongs to the CRL form of the command, certutil -dspublish <CRLFile> DSCDPContainer, where the container's Common Name (CN) is usually the name of the certification authority.) Writing to the Configuration partition requires Enterprise Admins rights.
Example: for the engineering.contoso.com forest, the command above writes the certificate to the following object:
CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=engineering,DC=contoso,DC=com
For information about this option for the command-line tool, see -dsPublish.
Remote Desktop Services and smart card sign-in across domains
To enable remote access to resources in an enterprise, the root certificate for the domain must be provisioned on the smart card. From a computer that is joined to the domain, with the card in the reader, run the following command at the command line:
certutil -scroots update
For information about this option for the command-line tool, see -SCRoots.
For Remote Desktop Services across domains, the KDC certificate of the RD Session Host server must also be present in the client computer's NTAUTH store. To add the certificate to that store, run the following command at the command line:
certutil -addstore -enterprise NTAUTH <CertFile>
Where <CertFile> is the root certificate of the KDC certificate issuer.
For information about this option for the command-line tool, see -addstore.
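The two steps above are easy to get wrong silently: the cross-domain sign-in simply fails with a generic smart card error when the issuer chain is not in the enterprise NTAuth store. The following PowerShell script is an added example, not part of the original article. Given an exported certificate of the RD Session Host or KDC (assumption: a DER or Base64 .cer file), it builds the certificate's chain, reports which CA certificates in that chain are already in the enterprise NTAuth store, and with -Fix adds the missing ones using the same certutil -addstore -enterprise NTAUTH command shown above. It checks every CA in the chain rather than only the root, because the issuing CA must be trusted for smart card logon as well. It must be run elevated, and the parsing assumes certutil's usual "Cert Hash(sha1):" output lines.

```powershell
<#
Added example, not from the original article.
Checks whether the CA chain of an RD Session Host / KDC certificate is present in
the enterprise NTAuth store and optionally adds the missing CA certificates.
Assumptions: $KdcCertPath is an exported .cer file; certutil prints
"Cert Hash(sha1): <hex>" for each certificate in the store. Run elevated.
#>
param(
    [Parameter(Mandatory)] [string]$KdcCertPath,
    [switch]$Fix
)

$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $KdcCertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'                                   # chain shape only, no CRL fetch
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'       # still build when root is untrusted
$null = $chain.Build($leaf)

# Thumbprints currently in the enterprise NTAuth store (the store that
# "certutil -addstore -enterprise NTAUTH" writes to).
$ntauth = @(certutil -store -enterprise NTAuth 2>$null | ForEach-Object {
    if ($_ -match 'Cert Hash\(sha1\):\s*(.+)$') {
        ($Matches[1] -replace '\s', '').ToUpperInvariant()
    }
})

# Every CA above the leaf, ordered issuing CA ... root.
$cas = $chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate }
if (-not $cas) { throw "Could not build a chain for $KdcCertPath; is the issuing CA certificate available?" }

foreach ($ca in $cas) {
    $present = $ntauth -contains $ca.Thumbprint.ToUpperInvariant()
    '{0,-8} {1}  {2}' -f ($(if ($present) { 'present' } else { 'MISSING' }), $ca.Thumbprint, $ca.Subject)

    if (-not $present -and $Fix) {
        # Export the CA certificate to a temporary file and add it exactly as the article does.
        $tmp = Join-Path $env:TEMP ('{0}.cer' -f $ca.Thumbprint)
        [IO.File]::WriteAllBytes($tmp, $ca.Export('Cert'))
        certutil -addstore -enterprise NTAUTH $tmp
        Remove-Item $tmp
    }
}
```

Run it once without -Fix to see the state of the store, then with -Fix from an elevated prompt; re-running afterwards should report every CA as present.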
Note If you use CredSSP on computers running the supported versions of the operating system that are designated in the Applies To list at the beginning of this topic: To sign in with a smart card from a computer that is not joined to a domain, the smart card must contain the root certificate of the domain controller. A public key infrastructure (PKI) secure channel cannot be established without the root certificate of the domain controller.
Sign-in to Remote Desktop Services across domains works only if the UPN in the certificate uses the following form: <ClientName>@<DomainDNSName>
The UPN in the certificate must include a domain that can be resolved. Otherwise, the Kerberos protocol cannot determine which domain to contact. You can resolve this issue by enabling the X509 domain hints Group Policy setting. For more information about this setting, see Smart Card Group Policy and Registry Settings.
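Before rolling cards out to users in a second domain, it is worth checking the two conditions above on the certificate itself. The following PowerShell script is an added example, not part of the original article. It reads the UPN from the Subject Alternative Name of a smart card logon certificate (assumption: an exported .cer of the user certificate), verifies that it has the <ClientName>@<DomainDNSName> form, and checks that the domain part is a resolvable Kerberos realm by looking up the _kerberos._tcp.<DomainDNSName> SRV records that a Windows client uses to find a KDC. It relies on Windows formatting the UPN other-name entry of the SAN as "Principal Name=".

```powershell
<#
Added example, not from the original article.
Extracts the UPN from a smart card logon certificate's SAN and checks that its
domain part resolves to a Kerberos realm.
Assumptions: $UserCertPath is an exported .cer file of the user certificate;
Windows formats the SAN UPN entry as "Principal Name=<upn>".
#>
param([Parameter(Mandatory)] [string]$UserCertPath)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $UserCertPath
$san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if (-not $san) { throw 'Certificate has no Subject Alternative Name, so there is no UPN to sign in with.' }

$upn = [regex]::Match($san.Format($true), 'Principal Name=(\S+)').Groups[1].Value
if (-not $upn) { throw 'SAN carries no UPN (Principal Name) entry.' }
if ($upn -notmatch '^[^@]+@([^@]+)$') { throw "UPN '$upn' is not in <ClientName>@<DomainDNSName> form." }
$domain = $Matches[1]

try {
    # A Windows Kerberos client locates a KDC through this SRV record.
    $srv  = Resolve-DnsName -Name "_kerberos._tcp.$domain" -Type SRV -ErrorAction Stop
    $kdcs = ($srv | Where-Object Type -eq 'SRV').NameTarget -join ', '
    "UPN $upn : realm $domain resolves; KDCs: $kdcs"
} catch {
    "UPN $upn : no Kerberos SRV records for '$domain'. Kerberos cannot determine which domain " +
    'to contact; fix the UPN or DNS, or enable the X509 domain hints policy.'
}
```

A certificate whose UPN domain does not resolve from the client is exactly the case the X509 domain hints setting exists for; this check tells you before the user sees the failure at the sign-in screen.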
Smart cards, or integrated circuit cards, have integrated circuitry embedded in a plastic card, enabling the user to store information or process small amounts of data. A SIM card is one kind of smart card.
Smart Card Uses
Smart cards integrate well with many types of technology and provide a means to identify and authenticate users and to store their data. They are used in ATM cards and building access cards, and as SIMs they identify the subscriber behind a mobile device.
Types of Smart Card
There are two types of smart card: contact and contactless. Contact cards have a visible contact plate, roughly 1 cm square, and must be inserted into a reader. Contactless cards are powered and read by RF induction when held near the reader's antenna.
SIM Cards
A SIM (subscriber identity module) card is a contact smart card. SIM cards are programmed with a unique serial number and subscriber identity, so a user can swap the card between phones and keep the same subscription.
Some days ago I connected a USB contactless smart card reader and sniffed that USB port with a USB sniffer tool. Afterwards, I put a MIFARE 1K card on the reader and read 1 byte.
I took a look at the sniffer tool output and understood that the keys (read key and write key) were transferred to the card without any encryption!
Now I want to know: is this mechanism really safe?! If I change my reader's API to make it behave like a MIFARE card, move it close to the original reader and sniff the communication between the two readers via my computer, can't I gain the keys?!
Is it possible to make a reader behave like a MIFARE card in the field of another contactless reader?
Update: As far as I know, it is mandatory to load keys onto the MIFARE card before sending the authenticate command! As you see below, I load the keys onto the card [it is FF FF FF FF FF FF by default].
Simultaneously I sniffed the USB port that my ACR122U is connected to! As you see below, the keys were sent in plain!
What is wrong with what I did?!
Note: Miss Hedayat (my colleague) also confirmed it! :))
TheGoodUser
2 Answers
You are not sniffing the communication between the reader and the MIFARE Classic card, but between the PC and the reader (USB CCID).
In order to communicate with a MIFARE Classic card, you have to load the access keys onto the reader. That's what the 'load authentication keys' command (in your screenshot) does. In the case of the ACR122U, keys are stored in volatile memory on the reader. Other readers may support non-volatile key slots too (see the reader's documentation and the PC/SC specification section on contactless memory cards).
Later, when you issue an authentication command, the reader will perform the MIFARE Classic mutual authentication, which is basically a challenge-response authentication and key agreement protocol. So instead of sending the actual key to the card, the reader will receive a random number from the card, encrypt the random number with the key, and return that encrypted random number to the card. The card will then decrypt the random number with the same key and can thus verify whether the reader used the correct key.
Michael Roland
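To make the distinction in this answer concrete, here is an added example (not from the question or the answers) that decodes the PC/SC pseudo-APDUs an ACR122U-class reader accepts for MIFARE Classic, exactly the commands a USB sniffer on the host side sees: "Load Authentication Keys" (FF 82), "Authenticate" (FF 86) and "Read Binary" (FF B0). Run over a constructed capture of the sequence in the question, it shows that the only message carrying the key is the load-keys command from the PC to the reader, while the authenticate command references a key slot and never contains the key. The APDU layouts follow the ACR122U API document; the capture bytes are constructed here, not taken from a real trace.

```python
"""Added example, not from the question or the answers.

Decodes the ACR122U-style pseudo-APDUs used for MIFARE Classic access and reports
which of them carry key material on the PC -> reader leg.
Assumptions: APDU layouts as in the ACR122U API (FF 82 load keys, FF 86 authenticate,
FF B0 read binary); CAPTURE below is constructed, not a real USB trace.
"""
from dataclasses import dataclass

DEFAULT_KEY = bytes.fromhex("FFFFFFFFFFFF")   # factory MIFARE Classic key A / key B


def load_key_apdu(key: bytes, key_slot: int = 0) -> bytes:
    """Load Authentication Keys: FF 82 00 <slot> 06 <6-byte key>.
    This is the only command that contains the key; it goes PC -> reader only."""
    if len(key) != 6:
        raise ValueError("MIFARE Classic keys are 6 bytes")
    if key_slot not in (0, 1):
        raise ValueError("ACR122U has volatile key slots 0 and 1")
    return bytes([0xFF, 0x82, 0x00, key_slot, 0x06]) + key


def authenticate_apdu(block: int, key_type: str = "A", key_slot: int = 0) -> bytes:
    """Authentication: FF 86 00 00 05 01 00 <block> <60|61> <slot>.
    Carries a block number, key type and key-slot reference, never the key itself."""
    kt = {"A": 0x60, "B": 0x61}[key_type]
    return bytes([0xFF, 0x86, 0x00, 0x00, 0x05, 0x01, 0x00, block, kt, key_slot])


def read_binary_apdu(block: int, length: int = 16) -> bytes:
    """Read Binary: FF B0 00 <block> <Le>."""
    return bytes([0xFF, 0xB0, 0x00, block, length])


@dataclass
class Decoded:
    command: str
    leaks_key: bool   # True if the APDU carries the key in clear on the host side
    detail: str


def decode(apdu: bytes) -> Decoded:
    """Classify one pseudo-APDU as sent from the PC to the reader."""
    if len(apdu) < 5 or apdu[0] != 0xFF:
        return Decoded("unknown", False, apdu.hex())
    ins, p2, lc = apdu[1], apdu[3], apdu[4]
    data = apdu[5:5 + lc] if ins != 0xB0 else b""   # for FF B0 the last byte is Le, not Lc
    if ins == 0x82 and lc == 6 and len(data) == 6:
        return Decoded("LoadAuthenticationKeys", True,
                       f"slot={p2} key={data.hex().upper()}")
    if ins == 0x86 and lc == 5 and data[:2] == b"\x01\x00":
        block, kt, slot = data[2], data[3], data[4]
        return Decoded("Authenticate", False,
                       f"block={block} key_type={'A' if kt == 0x60 else 'B'} slot={slot}")
    if ins == 0xB0:
        return Decoded("ReadBinary", False, f"block={p2} len={lc}")
    return Decoded("unknown", False, apdu.hex())


def audit_capture(apdus):
    """Decode every APDU of a host-side capture; return the decodes and any keys exposed."""
    decoded = [decode(a) for a in apdus]
    keys = [a[5:11] for a, d in zip(apdus, decoded) if d.leaks_key]
    return decoded, keys


# Constructed capture of the sequence in the question: load the default key into
# slot 0, authenticate block 4 with key A from slot 0, read one byte of block 4.
CAPTURE = [load_key_apdu(DEFAULT_KEY), authenticate_apdu(4, "A", 0), read_binary_apdu(4, 1)]

if __name__ == "__main__":
    decoded, keys = audit_capture(CAPTURE)
    for apdu, d in zip(CAPTURE, decoded):
        print(f"{apdu.hex().upper():28} {d.command:22} key_in_clear={d.leaks_key} {d.detail}")
    print("keys visible on the USB side:", [k.hex().upper() for k in keys])
```

The exposure the question found is real but sits between the PC and the reader: anyone who can capture USB traffic on that host, or who can talk to the reader after the key was loaded, can use the key. The reader-to-card leg carries the challenge-response exchange described in the answer, so the key does not cross the air interface.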
No, the keys are not transferred in plain, since there is no need to transfer any key in the scenario of reading one byte; depending on the configuration, they may need to be applied. I have no idea what your sniffer output tells you.
No, MIFARE (Classic) is not safe, but this is a separate question sufficiently answered on SO. Summarized: the key is too short and therefore the cryptographic algorithm used is too weak.
No, a reader can't disguise itself as a card; even if it could, you seem to think that the keys are broadcast and you could simply grab them from the air, which is far from the mark.
guidot