Our organization requires smart card authentication or certificates for logging into any systems within our environment. Since smart cards are required, users have no password that they can use for logon to the Remote Desktop website. The smart card required option is critical to our security model and cannot be changed. When users travel they take a standalone laptop that is not part of our domain. We need users to VPN in and access the website to get a pool machine assignment. All of this works fine until users get to the RDWEB site. They get prompted for a user name and password even though they don't have a password. We need them to authenticate with their smart card. What can we do to make this work?
Passwords seem like a huge vulnerability to be required for a component that might be placed in a DMZ. If a smart card cannot be used, can we put a certificate on the box instead for authentication? A user typed password will not work for us.
We do not want the laptop users take with them to require the domain for authentication. We are not looking for single sign on. The laptop is not being granted any access through the VPN to any system other than the Remote access Gateway and Web site.
Server is Windows Server 2012 running Remote Desktop Services. Pool is using Windows 7 systems. Clients are Windows 7 as well.
Does this help?
MCITP EA - MCT
Help keep the forums tidy, if this has helped please mark it as an answer
So I found errors in the event log that suggest that this cannot be the solution. I think the key point that is overlooked is this:
"When users travel they take a standalone laptop that is not part of our domain. We need users to VPN in and access the website to get a pool machine assignment."
When we try this, we fail to connect, and we get an event ID 11 (Source: Security-Kerberos) on the laptop system. The error is:
The Distinguished Name in the subject field of your smartcard logon certificate does not contain enough information to locate the appropriate domain on an unjoined machine. Please contact your system administrator.
We don't want external systems to have any access to our domain controllers in the first place, and I certainly cannot change the way our smartcards are issued, so this method is not going to be effective. What I need is for IIS to validate the certificate, and not the laptop the user is taking with them. From our perspective, the laptop is an exposed system and all it should have access to is the RDWEB website, and the remote desktop session through the remote desktop gateway...
Is there a way to work around this issue?
I am currently hoping I can just accept client certificates on the RDWEB folder in IIS, but I am not sure if that will work with Windows Authentication as the only option. I also found a role under IIS that appears to be for mapping certificates to active directory users. I am hoping some combination of the two will get us where we need to be.
So I think the bottom line is that Microsoft does not support smartcard authentication for remote VDI. There are scenarios where VDI works with smartcards, but those scenarios assume that the client will handle the smartcard authentication making it irrelevant to the server VDI components.
We see this in the way RDWEB handles the authentication. The client must be domain joined and able to translate a certificate into a user Kerberos ticket. RDWEB is not really supporting smartcards at all. The client provides the smartcard translation to a Kerberos ticket, which VDI uses for authentication. At no time do the server side VDI components get involved in the smartcard authentication process directly.
We also see this with Network Level Authentication, so we anticipate that anyone trying to do smartcard logon to a remote desktop with NLA enabled will find the exact same problem. NLA will work with a user name and password, or a Kerberos ticket, but we can find no mechanism whereby Network Level Authentication can actually handle smart card logons directly.
From our perspective, the use of technologies like NLA and CAC logon significantly improve the security of networks, and the limitations of the current Microsoft solution make it ineffective for our intended purpose. We hope at some point Microsoft will issue an update to RDWEB and NLA to address these issues, but until then we are probably forced to let this go.
At this point, the Microsoft VDI project is being canceled due to the above concerns. If anyone has information that we have overlooked something, I would still like to know for future reference. It would be nice if Microsoft could confirm my assumptions both for my knowledge, and for the knowledge of those who read this thread later. The above analysis should not be considered fact until validated by Microsoft.
This is similar to a problem we are encountering when trying to implement RDS with smart card authentication. We are attempting to use this solution to present certain applications to customers whose computers are not on our domain, but have smart cards that are associated with accounts in our domain. When those customers connect, with their smart card, from a computer on our domain, everything works. When they connect, again, with their smart card, from a computer not on our domain, they are not able to even log into the website.
On the RDWeb server's security logs I see the login attempt as (different domain)\(username) instead of (our domain)\(user).
Is there any way to force IIS to map the smart card to our domain instead of their client computer's domain?
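The symptom the last post describes, logon attempts on the RDWeb server arriving as (client machine's domain)\(user) rather than (our domain)\(user), is easy to spot in bulk once the logon events are parsed. The script below is an added diagnostic example, not code from any poster in this thread or from Microsoft. It works over constructed, simplified renderings of Windows Security logon events (4624 = logon succeeded, 4625 = logon failed; the field names follow the event's "Account Domain" / "Account Name" labels, but the one-line layout is ours), and the expected domain name `CORP` is a placeholder for the organization's own AD domain. It flags every attempt whose account domain is not the expected one and groups them by user, which is exactly the pattern an unjoined laptop or a customer PC produces when the smart card is resolved against the wrong domain.

```python
"""Flag RDWeb logon attempts whose account domain is not the expected AD domain.

Added diagnostic example for this thread (not from the thread itself).
SAMPLE_LOG is constructed; EXPECTED_DOMAIN is a placeholder.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

EXPECTED_DOMAIN = "CORP"  # placeholder: the organization's own AD domain

# Constructed sample, one simplified Security logon event per line.
SAMPLE_LOG = """\
2013-11-27 20:55:01 EventID=4624 LogonType=3 AccountDomain=CORP AccountName=jdoe Workstation=WKS-01
2013-11-27 20:57:14 EventID=4625 LogonType=3 AccountDomain=LAPTOP-7 AccountName=jdoe Workstation=LAPTOP-7
2013-11-27 20:58:30 EventID=4625 LogonType=3 AccountDomain=PARTNER AccountName=asmith Workstation=PARTNER-PC
2013-11-27 21:01:02 EventID=4624 LogonType=3 AccountDomain=CORP AccountName=asmith Workstation=WKS-02
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
    r"AccountDomain=(?P<domain>\S+) AccountName=(?P<user>\S+) Workstation=(?P<ws>\S+)$"
)


@dataclass
class LogonEvent:
    timestamp: str
    event_id: int      # 4624 = success, 4625 = failure
    logon_type: int    # 3 = network logon, which is what IIS/RDWeb produces
    domain: str        # the "Account Domain" the server resolved the logon to
    user: str
    workstation: str


def parse_logon_events(text):
    """Parse the simplified log format above; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(LogonEvent(
            timestamp=m["ts"],
            event_id=int(m["event_id"]),
            logon_type=int(m["logon_type"]),
            domain=m["domain"],
            user=m["user"],
            workstation=m["ws"],
        ))
    return events


def find_domain_mismatches(events, expected_domain=EXPECTED_DOMAIN):
    """Return every logon whose account domain differs from the expected AD domain."""
    want = expected_domain.upper()
    return [e for e in events if e.domain.upper() != want]


def mismatches_by_user(events, expected_domain=EXPECTED_DOMAIN):
    """Group mismatched logons as {user: sorted list of unexpected domains}."""
    grouped = defaultdict(set)
    for e in find_domain_mismatches(events, expected_domain):
        grouped[e.user].add(e.domain)
    return {user: sorted(domains) for user, domains in grouped.items()}


if __name__ == "__main__":
    evts = parse_logon_events(SAMPLE_LOG)
    for e in find_domain_mismatches(evts):
        print(f"{e.timestamp} event {e.event_id}: {e.domain}\\{e.user} "
              f"from {e.workstation} (expected {EXPECTED_DOMAIN}\\{e.user})")
    print(mismatches_by_user(evts))
```

Pointing the parser at a real export would mean adapting `LINE_RE` to whatever format the export tool emits; the grouping logic is unchanged. A user who appears under both the expected domain and a foreign one is the tell-tale of the thread's scenario: the same smart card holder succeeding from a joined machine and failing from an unjoined one.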