Using smartcards with Configuration Manager Remote Control

greatestcommonfactor 21 Reputation points
2021-12-28T17:14:53.73+00:00

Does anybody know if Configuration Manager Remote Control supports use of smartcards for logon to remote systems?

Microsoft Configuration Manager

Accepted answer
  1. AllenLiu-MSFT 46,451 Reputation points Microsoft Vendor
    2021-12-29T02:17:08.583+00:00

    Hi, @greatestcommonfactor
    Thank you for posting in Microsoft Q&A forum.

    Configuration Manager Remote Control does not support the use of smartcards.
    You may check Wally's and Jason's answers in the thread below for more details; Jason is now working in the product group.
    https://social.technet.microsoft.com/Forums/en-US/09fcedfc-3ab2-4af8-9f35-e72f44dbb250/sccm-2012-sp1-remote-control-smart-card-support?forum=configmanagergeneral





2 additional answers

  1. greatestcommonfactor 21 Reputation points
    2022-01-03T16:10:16.65+00:00

    Thank you. Based on what I was reading I sort of figured that was the case but this saved me some time as I was thinking about having ports opened up and testing first.


  2. Jon Marnock 1 Reputation point
    2022-11-24T08:30:03.19+00:00

    Late to the party here, but just to note that "Configuration Manager Remote Control" isn't quite like Remote Desktop. There are at least three parts to it:

    1. Actually connecting into the machine, which requires its own authentication and authorization, and
    2. If you happen to land on the login screen rather than an existing user session, authenticating to that login screen.
    3. Once you're in either your or the user's session, using smartcards to authenticate onwards to things.

    The first part is actually the credentials prompt you get if there's no trust between your workstation and the client you're connecting to (or if that's password based, or you authenticated to your local workstation with a smartcard, or... yada yada). You can actually use runas /smartcard to supply credentials to run the process the configuration manager remote control client starts as, though with the same caveats as usual where runas will not let you specify a slot if you have more than one credential stashed on the key:

    > runas /smartcard "C:\Program Files\CMRemoteControl\CmRcViewer.exe"  
    Reading smart cards........  
    Using the card in reader 1. Enter the PIN:  
    Attempting to start C:\Program Files\CMRemoteControl\CmRcViewer.exe as user "Jon Marnock (DOMAIN\user) - Internal CA" ...  
    

    If there's no trust though, you probably need to run the thing with /netonly so it gets a network session to use on the remote machine even though that user itself won't be able to own the process locally. The main issue with that is that when you do this you're not really using CmRcViewer to do the actual smartcard auth, and once you're in a different session, you probably won't be able to access the smartcard itself, so it's no longer available for example to log into the remote system with (#2 above). Either way, I wasn't able to get smartcards to show up for (#3) above via CmRcViewer and runas with or without netonly.

    In any event, at this point if you've used runas or whatever to get it running, you'll be connected to whatever session is active using the smartcard. If it's a user session, you're in. If it's the login screen... sorry, you're out of luck, but try using remote desktop instead in that situation - that definitely supports smartcards.

    Can't help you with #3 though if that's what you meant :)

    Final note is that if runas /smartcard doesn't pick the right certificate by default, as far as I know you're out of luck. I wrote a replacement for runas that lets you specify a cert by UPN (and uses the standard Windows auth GUI PIN dialogue to enter the PIN) and does an equivalent of /netonly for this exact reason, and it's a lot nicer, faster, and more flexible than runas. No, I don't have it open sourced yet, though that's planned eventually.

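Added example, not part of any answer above and not code from the posters or from Microsoft: the last answer notes that runas /smartcard gives no way to choose between several credentials on one key, so this PowerShell sketch lists the certificates that carry the Smart Card Logon EKU together with the UPN in each, so you can see what is on offer before launching CmRcViewer.exe. It assumes the card's certificates have been propagated into Cert:\CurrentUser\My and an English-language system (the "Principal Name=" label is localized); the function name is hypothetical.

```powershell
# Added example: list smart card logon candidates in the current user's store.
# Assumptions: certificates from the card are present in Cert:\CurrentUser\My,
# and the OS renders the SAN entry label in English ("Principal Name=").

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # EKU: Smart Card Logon
$SanOid            = '2.5.29.17'                # Subject Alternative Name

function Get-SmartCardLogonCandidate {          # hypothetical helper name
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath | Where-Object {
        # Only certificates with a usable private key and the logon EKU
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku)
    } | ForEach-Object {
        $upn = $null
        $san = $_.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
        if ($san) {
            # Format($true) prints one SAN entry per line; the UPN appears
            # as "Principal Name=user@domain" under "Other Name:".
            $m = [regex]::Match($san.Format($true), 'Principal Name=(\S+)')
            if ($m.Success) { $upn = $m.Groups[1].Value }
        }
        [pscustomobject]@{
            Upn        = $upn
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            Expired    = ($_.NotAfter -lt (Get-Date))
            Thumbprint = $_.Thumbprint
        }
    }
}

# More than one non-expired row means runas /smartcard has several
# credentials to choose from and you cannot tell it which one to use.
Get-SmartCardLogonCandidate | Sort-Object Upn | Format-Table -AutoSize
```

The built-in `certutil -scinfo` command reads the card directly and is a useful cross-check when the store listing and the card contents disagree.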
