Remote Desktop + Smartcard on unjoined Windows 7 Home = Kerberos error

  • Question

  • I have a Windows 7 Home system that is connected by IKEv2 VPN to another network served by strongSwan.  The VPN also uses the smartcard to authenticate.  So I do have the server's root CA in my local machine's trusted root CA store, and it is capable of using the card in general.  Once connected, the kinit that comes with Oracle Java can also be used to get a ticket for my username.  So time sync must be good.

    The problem comes with Remote Desktop.  Attempting to connect to an inside system with RD using the smartcard causes the message "The Kerberos protocol encountered an error while attempting to utilize the smartcard subsystem."

    Tracing the packets seen by Windows Server 2016, I see that the client sends an as-req to the KDC, and it is asking for the correct principal name, but the request contains no preauth information (i.e. the certificate).  The server correctly responds with "preauth required" and includes PKINIT as an auth choice.  No further communication with the KDC is attempted.

    Attempts to make this work have included using ksetup on the client system to define the default realm and set a KDC.

    What is needed to make the client send a properly formed ticket request?

    Friday, October 13, 2017 7:34 PM

Answers

  • It turns out that the Home system was indeed attempting further authentication with the PKINIT credentials, but the VPN server dropped the packets due to fragmentation.  Clamping the maximum segment size allowed Kerberos negotiations to continue until a ticket was finally issued.  RDP and even file sharing using the smartcard now work.
    • Marked as answer by AmateurSysadm Thursday, October 26, 2017 7:27 PM
    Thursday, October 26, 2017 7:27 PM
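As an added example (not part of this thread), the following Python script performs the check the question describes on a Kerberos-over-TCP record: it verifies the 4-byte length framing and lists the pre-authentication (padata) types carried in the AS-REQ. It also shows the symptom behind the accepted answer: when the later TCP segments of a large PKINIT request are dropped (here, because the encapsulated packets exceeded the tunnel MTU), the record is incomplete, which is easy to misread as a request that carries no preauth at all. The sample AS-REQ is constructed inside the script, not captured; the padata value sizes are assumptions standing in for a certificate chain, and the req-body is a placeholder.

```python
"""Inspect a Kerberos-over-TCP AS-REQ: is the record complete, and which
padata types does it carry?  Added example; sample data is constructed."""
import struct

# Selected padata-type values from RFC 4120 and RFC 4556 (PKINIT).
PA_TYPES = {
    1: "PA-TGS-REQ",
    2: "PA-ENC-TIMESTAMP",
    11: "PA-ETYPE-INFO",
    16: "PA-PK-AS-REQ",   # PKINIT request: signed AuthPack plus the client certificate chain
    17: "PA-PK-AS-REP",
    19: "PA-ETYPE-INFO2",
    128: "PA-PAC-REQUEST",
}

# --- minimal DER helpers (Kerberos uses single-byte tags and definite lengths) ---

def der_encode(tag, content):
    """Encode one TLV: tag byte, definite length, content."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_int(v):
    """Encode a non-negative INTEGER, adding a leading 0x00 where the top bit would be set."""
    return der_encode(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def der_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag byte, value bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length

# --- Kerberos over TCP framing and AS-REQ walk ---

def split_tcp_record(stream):
    """RFC 4120 section 7.2.2: a 4-byte big-endian length precedes each message on TCP.
    Returns (status, message_bytes); status is 'complete' unless bytes are missing."""
    if len(stream) < 4:
        return "short header", b""
    (length,) = struct.unpack(">I", stream[:4])
    length &= 0x7FFFFFFF                      # the high bit is reserved
    msg = stream[4:4 + length]
    if len(msg) < length:
        return f"truncated ({len(msg)} of {length} bytes)", msg
    return "complete", msg

def as_req_padata_types(msg):
    """Return the padata-type values of an AS-REQ ([APPLICATION 10] KDC-REQ)."""
    tag, kdc_req, _ = der_tlv(msg, 0)
    if tag != 0x6A:
        raise ValueError(f"not an AS-REQ: outer tag 0x{tag:02x}")
    tag, fields, _ = der_tlv(kdc_req, 0)
    if tag != 0x30:
        raise ValueError("KDC-REQ is not a SEQUENCE")
    types, pos = [], 0
    while pos < len(fields):
        tag, value, pos = der_tlv(fields, pos)
        if tag != 0xA3:                       # [3] padata SEQUENCE OF PA-DATA
            continue
        _, items, _ = der_tlv(value, 0)
        ipos = 0
        while ipos < len(items):
            _, pa, ipos = der_tlv(items, ipos)    # PA-DATA ::= SEQUENCE { [1] type, [2] value }
            _, wrapped, _ = der_tlv(pa, 0)        # [1] padata-type
            _, raw_int, _ = der_tlv(wrapped, 0)   # INTEGER
            types.append(int.from_bytes(raw_int, "big", signed=True))
    return types

def inspect(stream):
    """Diagnose one TCP record: framing status and the named padata types."""
    status, msg = split_tcp_record(stream)
    if status != "complete":
        return status, []
    return status, [PA_TYPES.get(t, str(t)) for t in as_req_padata_types(msg)]

# --- constructed sample input (not a real capture) ---

def build_sample_as_req(padata_spec):
    """Build a KRB-AS-REQ from (padata-type, value length) pairs; req-body is a placeholder."""
    padata = b"".join(
        der_encode(0x30, der_encode(0xA1, der_int(t))
                   + der_encode(0xA2, der_encode(0x04, b"\x00" * size)))
        for t, size in padata_spec)
    kdc_req = der_encode(0x30,
        der_encode(0xA1, der_int(5))                  # pvno
        + der_encode(0xA2, der_int(10))               # msg-type: AS-REQ
        + der_encode(0xA3, der_encode(0x30, padata))
        + der_encode(0xA4, der_encode(0x30, b"")))    # req-body left empty here
    return der_encode(0x6A, kdc_req)

# Assumed sizes: a tiny PA-PAC-REQUEST and a 1500-byte PA-PK-AS-REQ standing in for a cert chain.
AS_REQ = build_sample_as_req([(128, 7), (16, 1500)])
FULL_RECORD = struct.pack(">I", len(AS_REQ)) + AS_REQ
# The same record with its tail missing, as when a later TCP segment is dropped on the path.
CUT_RECORD = FULL_RECORD[:1300]

if __name__ == "__main__":
    print("full:", inspect(FULL_RECORD))
    print("cut :", inspect(CUT_RECORD))
```

Run against a real capture, `split_tcp_record` would be fed the reassembled TCP payload of the client's connection to port 88; a "truncated" status with a large declared length points at the path (MTU, fragmentation, MSS) rather than at the client's PKINIT configuration.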