Microsoft Remote Desktop Smart Card Mac
Thus we looked into disabling the Smart Card resource inside the Remote Desktop Connection. This can be found by going to Remote Desktop Connection > Local Resources > Local devices and resources > More... > Smart cards. This resource is enabled by default. We want to disable this using group policy or a login script.
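As an added example (not code from the quoted post or from Microsoft), the following PowerShell turns smart card redirection off on the server side through the policy value that the Group Policy setting "Do not allow smart card device redirection" writes, and shows the matching per-connection `.rdp` setting for the client side. The registry path and value name `fEnableSmartCard` are taken from that policy's documented mapping and are an assumption of this example; run it elevated.

```powershell
# Added example: disable smart card device redirection for Remote Desktop
# sessions by policy, and report the current state so a login script can
# verify it. Assumption: the GPO "Do not allow smart card device redirection"
# is stored as fEnableSmartCard (DWORD, 0 = disabled) under this policy key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-SmartCardRedirectionState {
    # Returns 'Disabled' when policy forbids redirection, otherwise 'Allowed'
    # (the device is redirected by default when no policy value exists).
    $value = Get-ItemProperty -Path $PolicyKey -Name 'fEnableSmartCard' -ErrorAction SilentlyContinue
    if ($null -ne $value -and $value.fEnableSmartCard -eq 0) { return 'Disabled' }
    return 'Allowed'
}

function Disable-SmartCardRedirection {
    # Create the policy key if no Terminal Services policy has been applied yet.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'fEnableSmartCard' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Set-RdpFileSmartCardOff {
    # Client side: the same choice expressed in a saved connection file.
    # "redirectsmartcards:i:0" switches the device off for that connection only.
    param([Parameter(Mandatory)][string]$Path)
    $lines = Get-Content -Path $Path | Where-Object { $_ -notmatch '^redirectsmartcards:i:' }
    $lines + 'redirectsmartcards:i:0' | Set-Content -Path $Path
}

Write-Host "Before: $(Get-SmartCardRedirectionState)"
Disable-SmartCardRedirection
Write-Host "After:  $(Get-SmartCardRedirectionState)"
```

The server-side value wins regardless of what the client asks for, which is why a policy is preferable to editing every user's `.rdp` file; the `.rdp` function is included for the case where only a particular connection should stop presenting the local reader to the remote session.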
Applies To: Windows 10, Windows Server 2016
This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
The content in this topic applies to the versions of Windows that are designated in the Applies To list at the beginning of this topic. In these versions, smart card redirection logic and WinSCard API are combined to support multiple redirected sessions into a single process.
Smart card support is required to enable many Remote Desktop Services scenarios. These include:
- Using Fast User Switching or Remote Desktop Services. A user is not able to establish a redirected smart card-based remote desktop connection. That is, the connect attempt is not successful in Fast User Switching or from a Remote Desktop Services session.
- Enabling Encrypting File System (EFS) to locate the user's smart card reader from the Local Security Authority (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS is not able to locate the smart card reader or certificate, EFS cannot decrypt user files.
Remote Desktop Services redirection
In a Remote Desktop scenario, a user is using a remote server for running services, and the smart card is local to the computer that the user is using. In a smart card sign-in scenario, the smart card service on the remote server redirects to the smart card reader that is connected to the local computer where the user is trying to sign in.
Remote Desktop redirection
Notes about the redirection model:
- This scenario is a remote sign-in session on a computer with Remote Desktop Services. In the remote session (labeled as 'Client session'), the user runs net use /smartcard.
- Arrows represent the flow of the PIN after the user types the PIN at the command prompt until it reaches the user's smart card in a smart card reader that is connected to the Remote Desktop Connection (RDC) client computer.
- The authentication is performed by the LSA in session 0.
- The CryptoAPI processing is performed in the LSA (Lsass.exe). This is possible because the RDP redirector (rdpdr.sys) allows a per-session, rather than per-process, context.
- The WinSCard and SCRedir components, which were separate modules in operating systems earlier than Windows Vista, are now included in one module. The ScHelper library is a CryptoAPI wrapper that is specific to the Kerberos protocol.
- The redirection decision is made on a per smart card context basis, based on the session of the thread that performs the SCardEstablishContext call.
- Changes to the WinSCard.dll implementation were made in Windows Vista to improve smart card redirection.
RD Session Host server single sign-in experience
As part of Common Criteria compliance, the RDC client must be configurable to use Credential Manager to acquire and save the user's password or smart card PIN. Common Criteria compliance requires that applications not have direct access to the user's password or PIN.
Common Criteria compliance requires specifically that the password or PIN never leave the LSA unencrypted. A distributed scenario should allow the password or PIN to travel between one trusted LSA and another, and it cannot be unencrypted during transit.
When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services sessions, users still need to sign in for every new Remote Desktop Services session. However, the user is not prompted for a PIN more than once to establish a Remote Desktop Services session. For example, after the user double-clicks a Microsoft Word document icon that resides on a remote computer, the user is prompted to enter a PIN. This PIN is sent by using a secure channel that the credential SSP has established. The PIN is routed back to the RDC client over the secure channel and sent to Winlogon. The user does not receive any additional prompts for the PIN, unless the PIN is incorrect or there are smart card-related failures.
Remote Desktop Services and smart card sign-in
Remote Desktop Services enable users to sign in with a smart card by entering a PIN on the RDC client computer and sending it to the RD Session Host server in a manner similar to authentication that is based on user name and password.
In addition, Group Policy settings that are specific to Remote Desktop Services need to be enabled for smart card-based sign-in.
To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer is not in the same domain or workgroup, the following command can be used to deploy the certificate:
certutil -dspublish NTAuthCA 'DSCDPContainer'
The DSCDPContainer Common Name (CN) is usually the name of the certification authority.
Example:
certutil -dspublish NTAuthCA <CertFile> 'CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=engineering,DC=contoso,DC=com'
For information about this option for the command-line tool, see -dsPublish.
Remote Desktop Services and smart card sign-in across domains
To enable remote access to resources in an enterprise, the root certificate for the domain must be provisioned on the smart card. From a computer that is joined to a domain, run the following command at the command line:
certutil -scroots update
For information about this option for the command-line tool, see -SCRoots.
For Remote Desktop Services across domains, the KDC certificate of the RD Session Host server must also be present in the client computer's NTAUTH store. To add the store, run the following command at the command line:
certutil -addstore -enterprise NTAUTH <CertFile>
Where <CertFile> is the root certificate of the KDC certificate issuer.
For information about this option for the command-line tool, see -addstore.
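The cross-domain procedure above ends with the KDC issuer's root certificate in the client's enterprise NTAuth store but gives no way to confirm it landed. The following PowerShell, an added example that is not part of the Microsoft article, wraps the article's own `certutil -addstore -enterprise NTAuth` command, then checks the store listing for the certificate's thumbprint. `C:\pki\kdc-root.cer` is a placeholder for `<CertFile>`; the helper functions are this example's own. Run it elevated.

```powershell
# Added example: add the KDC issuer's root certificate to the enterprise
# NTAuth store and verify it is present. Placeholder path for <CertFile>.
$CertFile = 'C:\pki\kdc-root.cer'

function Get-CertThumbprint {
    # Load the certificate file and return its SHA-1 thumbprint (uppercase hex).
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    return $cert.Thumbprint
}

function Add-NTAuthCertificate {
    # Same command as in the article; certutil exits non-zero on failure.
    param([Parameter(Mandatory)][string]$Path)
    & certutil.exe -addstore -enterprise NTAuth $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }
}

function Test-NTAuthContains {
    # certutil -store prints one "Cert Hash(sha1): <thumbprint>" line per
    # certificate; older builds insert spaces between the hex bytes, so the
    # spaces are stripped before comparing. -match is case-insensitive.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $listing = & certutil.exe -store -enterprise NTAuth 2>&1 | Out-String
    return (($listing -replace ' ', '') -match [regex]::Escape($Thumbprint))
}

$thumb = Get-CertThumbprint -Path $CertFile
Add-NTAuthCertificate -Path $CertFile
if (Test-NTAuthContains -Thumbprint $thumb) {
    Write-Host "NTAuth now contains $thumb"
} else {
    throw "Certificate $thumb was not found in the enterprise NTAuth store"
}
```

The thumbprint check is deliberately done by re-reading the store rather than trusting the exit code alone, so the same `Test-NTAuthContains` call can run later as a drift check on clients that sign in across domains.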
Note: If you use the credential SSP on computers running the supported versions of the operating system that are designated in the Applies To list at the beginning of this topic: To sign in with a smart card from a computer that is not joined to a domain, the smart card must contain the root certification of the domain controller. A public key infrastructure (PKI) secure channel cannot be established without the root certification of the domain controller.
Sign-in to Remote Desktop Services across a domain works only if the UPN in the certificate uses the following form: <ClientName>@<DomainDNSName>
The UPN in the certificate must include a domain that can be resolved. Otherwise, the Kerberos protocol cannot determine which domain to contact. You can resolve this issue by enabling GPO X509 domain hints. For more information about this setting, see Smart Card Group Policy and Registry Settings.
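As an added example (not from the Microsoft article), the PowerShell below reads the UPN out of a sign-in certificate's Subject Alternative Name extension, checks that it has the `<ClientName>@<DomainDNSName>` form the text requires, and then checks that the domain part is resolvable the way Kerberos needs it to be, through a `_kerberos._tcp` SRV lookup. The certificate it inspects is constructed locally with `New-SelfSignedCertificate` and removed afterwards; `corp.example.com` is a placeholder domain, and the function names are this example's own.

```powershell
# Added example: extract and validate the UPN in a smart card sign-in
# certificate. The test certificate is constructed and then deleted.

function Get-CertificateUpn {
    # The UPN lives in the Subject Alternative Name extension (OID 2.5.29.17)
    # as an "Other Name: Principal Name=" entry in the formatted text.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    if ($san.Format($true) -match 'Principal Name=([^\s,]+)') { return $Matches[1] }
    return $null
}

function Test-SmartCardUpn {
    # Shape check: exactly one '@', a non-empty name and a dotted DNS domain,
    # then a KDC locator lookup for that domain.
    param([Parameter(Mandatory)][string]$Upn)
    if ($Upn -notmatch '^[^@\s]+@([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$') {
        return [pscustomobject]@{ Upn = $Upn; Domain = $null; Resolvable = $false
                                  Reason = 'UPN is not of the form <ClientName>@<DomainDNSName>' }
    }
    $domain = $Upn.Split('@')[1]
    # Kerberos locates a KDC through the _kerberos._tcp SRV record of the domain.
    $srv = Resolve-DnsName -Name "_kerberos._tcp.$domain" -Type SRV -ErrorAction SilentlyContinue
    $ok = ($null -ne $srv)
    [pscustomobject]@{
        Upn = $Upn; Domain = $domain; Resolvable = $ok
        Reason = if ($ok) { 'OK' } else { "no _kerberos._tcp SRV record for $domain; X509 domain hints may be needed" }
    }
}

# Constructed test certificate in CurrentUser\My with a UPN in its SAN.
$cert = New-SelfSignedCertificate -Subject 'CN=alice' -CertStoreLocation 'Cert:\CurrentUser\My' `
    -TextExtension @('2.5.29.17={text}upn=alice@corp.example.com')
try {
    $upn = Get-CertificateUpn -Certificate $cert
    Test-SmartCardUpn -Upn $upn | Format-List
} finally {
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"
}
```

On a client with no route to the domain's DNS, `Resolvable` comes back false even for a well-formed UPN, which is the situation the article's X509 domain hints setting exists to cover; to inspect a real card instead of the constructed certificate, pass any object from `Get-ChildItem Cert:\CurrentUser\My` to `Get-CertificateUpn`.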