rsammas-0999 asked rsammas-0999 answered

Smart Card not authenticating over RDP

Hello,

I administer an all-Mac end-user environment. We are working towards building a Windows terminal server so some of our admins can access some IE-only sites on our intranet rather than have individual VMs.

I have a test VM with root certificates installed that I am RDPing into. When I use the VMware USB forwarding function, I can authenticate without issues. When I try over RDP, I get the following message:

The smart card cannot perform the requested operation or the operation requires a different smart card.




I am never prompted for my PIN either. I have also ensured the "Smart cards" box is checked for this RDP connection.


The system clearly sees the reader and the card, but there must be some sort of communication error, as the commands sent to the card do work.

Any suggestions would be greatly appreciated :)





rsammas-0999 answered

Following up here. I figured out the solution was corruption of my fresh Windows VM. The following solution resolved my issue:

https://answers.microsoft.com/en-us/windows/forum/all/problem-with-bits-service-the-requested-service/e2dee3af-9cb3-4c86-b7ff-719062543350?tm=1589910102970

To make things more complicated, it broke on my next try at authenticating. Through more troubleshooting, I discovered that IE 11 was breaking this functionality. The site I'm authenticating against must not have good IE 11 functionality. After trying the fix again, and using Edge instead of IE, I was able to authenticate several times without it breaking.


Thank you, @CarlFan-MSFT for your initial reply!

CarlFan-MSFT answered rsammas-0999 commented

Hi,
According to your description, if your smart card login works normally when you are physically at a workstation, but you receive the error when using a smart card over RDP, I consider that the Smart Card driver is loaded on the local system but not on the destination you are connecting to.
Please start the Certificate Propagation service and check. Please follow these steps.
a. Press Windows + X keys and click Command Prompt (Admin).
b. In command prompt, type the following command and press Enter.
net start certpropsvc
Then try to reinstall the original driver to check.
Hope this helps and please help to accept as Answer if the response is useful.
Best Regards,
Carl


Thank you for your input Carl.

When I run net start certpropsvc in an elevated command prompt, I get the following result:

The requested service has already been started.

More help is available by typing NET HELPMSG 2182.

I also reinstalled the original drivers from this site:
https://www.acs.com.hk/en/products/425/acr39u-nf-pocketmate-ii-smart-card-reader-usb-type-c/

I'm still experiencing the same issue. My thoughts are that there is some issue or improper configuration of Smart Card redirection over RDP.
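
The service check from the answer above and the redirection question raised in the follow-up comment, combined into one diagnostic pass. This is an added PowerShell example, not part of the original thread. It assumes an elevated prompt inside the RDP session on the destination host; `fEnableSmartCard` is the registry value behind the "Do not allow smart card device redirection" Group Policy setting.

```powershell
# Added example. Run elevated, inside the RDP session on the destination host.

# 1. Smart Card and Certificate Propagation services (built-in Windows service names).
foreach ($name in 'SCardSvr', 'CertPropSvc') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "$name is not installed on this host"
        continue
    }
    if ($svc.Status -ne 'Running') {
        # Equivalent to "net start certpropsvc" from the answer above.
        Start-Service -Name $name
        $svc.Refresh()
    }
    '{0,-12} Status={1,-8} StartType={2}' -f $svc.Name, $svc.Status, $svc.StartType
}

# 2. Group Policy: "Do not allow smart card device redirection".
#    The policy writes fEnableSmartCard = 0 when redirection is blocked.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$pol = Get-ItemProperty -Path $key -Name fEnableSmartCard -ErrorAction SilentlyContinue
if ($null -eq $pol) {
    'Redirection policy: not configured (redirection allowed by default)'
} elseif ($pol.fEnableSmartCard -eq 0) {
    Write-Warning 'Redirection policy: smart card redirection is DISABLED by policy'
} else {
    'Redirection policy: smart card redirection explicitly allowed'
}

# 3. Ask the Smart Card service what it sees in this session.
#    certutil -scinfo lists each reader, the card in it, and the certificates
#    on the card; it may prompt for the PIN while testing the private key.
certutil.exe -scinfo
```

If both services are running and the policy does not block redirection, the `certutil -scinfo` output shows whether the failure is at the reader, the card, or the certificate chain on the host.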