RDP into Server using PIV Card

David 81 Reputation points
2021-01-20T01:49:46.7+00:00

My company security requirement is that admins have to use cert on PIV card to RDP into remote servers. I couldn't find much instruction on how to setup such environment. Does any have instruction on how to set up RDP session into servers using cert on PIV card reader?

Windows Server 2012
Windows Server 2012
A Microsoft server operating system that supports enterprise-level management, data storage, applications, and communications.
1,545 questions
Remote Desktop
Remote Desktop
A Microsoft app that connects remotely to computers and to virtual apps and desktops.
4,304 questions
{count} votes

Accepted answer
  1. Eleven Yu (Shanghai Wicresoft Co,.Ltd.) 10,706 Reputation points Microsoft Vendor
    2021-01-20T04:18:36.127+00:00

    Hi,

    PIV card is a kind of smart card. In a Remote Desktop scenario, a user is using a remote server for running services, and the smart card is local to the computer that the user is using. In a smart card logon scenario, the smart card service on the remote server redirects to the smart card reader connected to the local computer where the user is trying to log on. So if you have enabled smart card logon on your company's client PCs, you will be able to use the smart card to RDP to the remote servers.
    You can refer following article for details.
    Smart Card and Remote Desktop Services
    https://learn.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services

    For enabling smart card logon on client PCs in your company, you can read below article for reference:
    Guidelines for enabling smart card logon with third-party certification authorities
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities

    If you have RDS deployment with RDCB role and RD Gateway role installed, please follow below steps. If you only have RD session host role, just do step 2-4.

    1. On RDCB server, go to server manager, navigate to remote desktop services>Overview>Edit Deployment Properities>select RD Gateway>choose smard card authentication or allow user to select during connection for Logon method
      58349-image.png
      58501-image.png
    2. On Remote Desktop Session Host servers, set below group policies
      Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection
      Do not allow supported Plug and Play device redirection - Disabled
      Do not allow smart card device redirection - Disabled
    3. On client, set below group policy
      Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\RemoteFX USB device Redirection
      Allow RDP redirection of other supported RemoteFX USB devices from this computer - Enabled
    4. When using mstsc to remote connect to the servers, go to Local Resources tab > Local devices and resources > More, make sure Smart cards and Other supported Plug and Play (PnP) devices have been checked. Then it will pop up the authentication window for you to choose whether using password or smart card to logon.
      58478-image.png
      58384-smart-card.png

    Thanks,
    Eleven

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it. Thanks.

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. David 81 Reputation points
    2021-01-24T01:07:25.707+00:00

    Thank you so much for a very detailed explanation.


  2. testuser7 271 Reputation points
    2024-02-24T14:42:57.3033333+00:00

    Hi @Eleven Yu (Shanghai Wicresoft Co,.Ltd.)

    Very nice clarification of smart-card login. One practical confirmation.

    So when I say, I am login into the RDP-host via smart-card meaning I am completing my smart-card authentication from the "Windows security" popup. So this way I can use Windows Hello for Business credential also instead of any physical PIV card.

    At the same time, per doc. they say that Windows Hello cred must be with certificate. However, I did not have any certificate with my WHfB-cred still I was able to complete the authentication and open the VM

    How did it happen ??

    And secondly, if I am not using CredSSP RDP protocol, then I will taken directly on the VM's login screen. Basically I am NOT seeing "windows security" popup. So can I do the same smart-card authentication from VM's login screen ??

    Thanks.

    0 comments No comments