NLA or Smartcards, but not both for non-domain joined clients

  • Question

  • We have an environment where we use smartcards to log in to remote resources. It works just fine when we try to remote desktop from a machine that is domain joined, but does not work at our homes or on personal machines brought to work.

    Things start working from home when we disable NLA though... but we would like to use NLA for an extra layer of security. OR if we leave NLA on, but only use a username and password it works (but again, we want to use smartcards for the extra layer of security with multifactor blah blah blah).

    Stuff I have tried that has not worked:

    Installing the internal Domain CA's certs to the off-domain machine and user cert store.

    Issuing a "real" certificate from a major 3rd party CA and configuring RDS to use this certificate.

    Tweaked some certificate properties, tested CRL paths off-location, anything I could find on BI-NGLE that was related... (shot-in-the-dark methods).

    Any ideas out there that I have missed?

    Thursday, May 28, 2015 5:42 PM

Answers

  • Hi Bryan,

    Just checked the article again:

    “For Remote Desktop Services across domains, the KDC certificate of the RD Session Host server must also be present in the Windows Vista–based client computer's NTAUTH store. To add the store, run the following at the command line:

    certutil -addstore -enterprise NTAUTH <CertFile>

    Where <CertFile> is the root certificate of the KDC certificate issuer.”

    Please try to replace <CertFile> with your smart card vendor’s root certificate, then update it into the smart card with the command line below:

    certutil -scroots update

    If commands above don’t work, please wait for response from the smart card vendor support.

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Edited by Amy Wang_ Tuesday, June 2, 2015 7:05 AM
    • Proposed as answer by Amy Wang_ Tuesday, June 9, 2015 7:21 AM
    • Marked as answer by Amy Wang_ Wednesday, June 10, 2015 1:30 AM
    Tuesday, June 2, 2015 7:04 AM

All replies

  • Hi Bryan,

    Based on my research, if we use the credential SSP (with NLA enabled) to log on with a smart card from a computer that is not joined to a domain, the smart card must contain the root certification of the domain controller. A public key infrastructure (PKI) secure channel cannot be established without the root certification of the domain controller.

    In addition, Remote Desktop Services logon across a domain works only if the UPN in the certificate uses the following form: <ClientName>@<DomainDNSName>.

    For more details, please refer to this article below:

    Smart Card and Remote Desktop Services
    https://technet.microsoft.com/en-us/library/ff404286%28WS.10%29.aspx?f=255&MSPPError=-2147217396

    Best Regards,
    Amy 



    Saturday, May 30, 2015 2:19 PM
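    An added diagnostic (not from the thread, Microsoft, or Yubico) that checks the two prerequisites the replies above describe on a non-domain-joined client: that the smart card certificate's UPN has the <ClientName>@<DomainDNSName> form, and that the card's issuing chain is present in the local NTAuth cache that `certutil -addstore -enterprise NTAUTH` writes to. It assumes the card's certificate is already propagated to Cert:\CurrentUser\My; <DomainDNSName> is a placeholder to be replaced with the real domain DNS name.

```powershell
# Added diagnostic script (not from the thread): checks smart card logon prerequisites
# on a non-domain-joined client. <DomainDNSName> is a placeholder for the target domain.
param([string]$DomainDnsName = "<DomainDNSName>")

$smartCardLogonEku = "1.3.6.1.4.1.311.20.2.2"
# Registry location where the enterprise NTAuth store is cached; subkeys are SHA-1 thumbprints.
$ntAuthKey = "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates"

$ntAuth = @()
if (Test-Path $ntAuthKey) {
    $ntAuth = (Get-ChildItem $ntAuthKey).PSChildName | ForEach-Object { $_.ToUpperInvariant() }
}
if (-not $ntAuth) { Write-Warning "NTAuth cache is empty; certutil -addstore -enterprise NTAUTH <CertFile> has not been run here." }

# Certificates in the user store that carry the Smart Card Logon EKU.
$cardCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $smartCardLogonEku })
}
if (-not $cardCerts) { Write-Warning "No Smart Card Logon certificate in Cert:\CurrentUser\My; insert the card or run certutil -scroots update."; return }

foreach ($cert in $cardCerts) {
    Write-Host "Subject: $($cert.Subject)  Thumbprint: $($cert.Thumbprint)"

    # The UPN is stored in the SAN extension as an otherName ("Principal Name=user@domain").
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $upn = if ($san -and $san.Format($true) -match "Principal Name=([^\s,]+)") { $Matches[1] } else { $null }
    if (-not $upn) { Write-Warning "  No UPN in SAN; RDS logon across a domain needs <ClientName>@<DomainDNSName>." }
    elseif ($upn -notlike "*@$DomainDnsName") { Write-Warning "  UPN '$upn' does not end in @$DomainDnsName." }
    else { Write-Host "  UPN OK: $upn" }

    # Build the chain without revocation checks (CRL paths are often unreachable off-site)
    # and report whether each issuing CA in it is present in the NTAuth cache.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)
    $issuers = $chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate }
    foreach ($ca in $issuers) {
        $status = if ($ntAuth -contains $ca.Thumbprint.ToUpperInvariant()) { "in NTAuth" } else { "NOT in NTAuth" }
        Write-Host "  CA: $($ca.Subject) [$status]"
    }
    if (-not ($issuers | Where-Object { $ntAuth -contains $_.Thumbprint.ToUpperInvariant() })) {
        Write-Warning "  No CA in this card's chain is in NTAuth; add the issuing or root CA with certutil -addstore -enterprise NTAUTH."
    }
}
```

    Run it from an elevated PowerShell prompt on the off-domain client; it only reads the certificate store and registry and changes nothing.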
  • Hi Bryan,

    ... if we use the credential SSP (with NLA enabled) to log on with a smart card from a computer that is not joined to a domain, the smart card must contain the root certification of the domain controller. ....

    In addition, Remote Desktop Services logon across a domain works only if the UPN in the certificate uses the following form: <ClientName>@<DomainDNSName>.

    Best Regards,
    Amy 


    Thanks for the idea. I read somewhere else that your first suggestion might be the cause, but I didn't see how to install a root CA on my YubiKey. (But if you know something I don't know, I would love to hear it).

    As far as the second idea, yep, we have that... it is roughly: username@domainName.forestName.otherdomainstuffhere

    Thanks!

    --Bryan

    (edit:  I have asked the yubico folks on their forum too, http://forum.yubico.com/viewtopic.php?f=23&t=1905 )
    • Edited by Bryan Loveless Monday, June 1, 2015 3:58 PM x-posted to yubico
    Monday, June 1, 2015 3:48 PM
  • <snip>

    certutil -addstore -enterprise NTAUTH <CertFile>

    Where <CertFile> is the root certificate of the KDC certificate issuer.”

    <snip>

    So the problem we would have with this, is that every one of our servers (and the default action is to) use(s) a self-signed cert as the certificate it uses for the RDP server. So to do this, we would need to either add all of the self-signed certs to the off-domain machine (every 6 months as they change), or to reissue all the RDS certificates to use our in-house CA... right? Or is there a simpler method that I am missing?

    Tuesday, June 2, 2015 9:17 PM
  • Hi Bryan,

    we would need to either add all of the self-signed certs to the off-domain machine (every 6 months as they change), or to reissue all the RDS certificates to use our in-house CA... right?  Or is there a simpler method that I am missing?

    You can purchase certificates from public CAs, which are automatically trusted.

    Best Regards,

    Amy



    Tuesday, June 9, 2015 7:24 AM
  • Hi Bryan,

    we would need to either add all of the self-signed certs to the off-domain machine (every 6 months as they change), or to reissue all the RDS certificates to use our in-house CA... right?  Or is there a simpler method that I am missing?

    You can purchase certificates from public CAs, which are automatically trusted.

    Best Regards,

    Amy



    yes, so still distribute a trusted cert (from 3rd party or from in house) to all the RD servers, along with having to change them out when they expire... hmm...  so that is a bummer.
    Tuesday, June 9, 2015 9:33 PM
  • Hi Bryan,

    Have you managed with the problem?

    I'm trying to solve a puzzle on my infrastructure, tried all tricks with certificates, read all articles about this problem - no use.

    Everything works fine until you try to connect from a non-joined machine.

    Then I got error: "The Kerberos protocol encountered an error while validating the KDC certificate during smartcard logon."

    Sunday, August 23, 2015 12:36 AM
  • No new info.... 

    It appears you either have to get all of your non-domain machines to accept your CA's cert that made the client certs (so touching every device you want to use) or you can just turn off NLA.

    We have an external Cert company, but they will not issue us SmartCard certs for some reason, so the "preferred" option is not available to us.

    Maybe Microsoft will have a solution in the future???

    --Bryan

    Tuesday, August 25, 2015 3:42 PM