
Proper cred setup for smartcard RDP logon from MacOS

I have a MacOS 10.12 machine with Apple Enterprise Connect.


I'm testing RoyalTS to determine if it will allow me to smartcard authenticate via RDP.


I have smartcard redirection enabled, and it works, but I cannot figure out the proper credentials setup for what I need.  I "need" to get to the server logon screen and be allowed to enter the PIN of my smartcard, but everything that I've tried with the credentials setup makes me input a username and password.  If I go ahead and enter my username and password information, the server responds with "Smartcard must be used for logon", which it should, and then I may select "Other User" at the logon screen, select my smartcard, and enter my PIN, and the logon continues.  I'd gladly continue to work that way, but in a very short time my account in AD will be set to "Smart card only" and I will not have a password.


Is there a way to set up a RoyalTS RDP connection to take me to the desktop, or any other method to perform what I need?


Thank you!

Joe


Best Answer

Okay, a few points here:

With NLA enabled, username and password are required. That's enforced by the protocol and there's no way around it as far as I know.

Whether or not NLA is used depends on a few things:

* The server might be configured to require it. In that case, we can't connect without NLA.

* You might have it enabled in Royal TSX. In that case we always try to connect with NLA which means you need to specify a username and password.


When you disable NLA in Royal TSX we first try to connect to the server without NLA. If that connection attempt fails, we attempt to connect with NLA enabled. So that would explain why you're seeing the credential prompt in Royal TSX even when NLA is disabled.


So my suspicion is that the server requires NLA which makes it impossible to connect to it without specifying a username and password.
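The negotiation described above (try without NLA first, fall back to NLA if the server insists) is visible on the wire, so an administrator can confirm from the client side which case applies before touching any settings. The following is an added example, not Royal TSX code and not from anyone in this thread: it builds the X.224 Connection Request that offers only TLS (no CredSSP/NLA) and parses the server's Connection Confirm as laid out in MS-RDPBCGR sections 2.2.1.1 and 2.2.1.2. A server that permits reaching the logon screen before authentication answers with RDP_NEG_RSP; one configured to require NLA answers with RDP_NEG_FAILURE carrying HYBRID_REQUIRED_BY_SERVER. The sample response bytes are constructed for offline checking, and the hostname and port passed to `probe()` are assumed to be a server you administer.

```python
import socket
import struct
import sys

TPKT_VERSION = 3
X224_CR = 0xE0  # Connection Request TPDU code
X224_CC = 0xD0  # Connection Confirm TPDU code
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

PROTOCOL_RDP = 0x00000000     # legacy "standard RDP security", no NLA
PROTOCOL_SSL = 0x00000001     # TLS only: logon screen reachable before authentication
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. NLA: credentials required up front

FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols):
    """TPKT + X.224 CR TPDU + RDP_NEG_REQ offering `requested_protocols`."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # LI counts everything after itself: 6 fixed header bytes plus the 8-byte RDP_NEG_REQ
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), X224_CR, 0, 0, 0) + neg_req
    tpkt = struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(x224))
    return tpkt + x224


def parse_connection_confirm(data):
    """Return ('response', selectedProtocol), ('failure', failureCode) or ('legacy', 0)."""
    if len(data) < 11 or data[0] != TPKT_VERSION:
        raise ValueError("not a TPKT-framed X.224 Connection Confirm")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        raise ValueError("TPKT length %d does not match %d bytes received" % (tpkt_len, len(data)))
    li, code = data[4], data[5]
    if (code & 0xF0) != X224_CC:
        raise ValueError("X.224 TPDU code 0x%02x is not a Connection Confirm" % code)
    body = data[11:5 + li]  # bytes after the 7-byte fixed CC header, bounded by LI
    if not body:
        # No negotiation structure at all: server speaks only standard RDP security
        return ("legacy", PROTOCOL_RDP)
    ptype, _flags, length, value = struct.unpack("<BBHI", body[:8])
    if length != 8:
        raise ValueError("negotiation structure length must be 8, got %d" % length)
    if ptype == TYPE_RDP_NEG_RSP:
        return ("response", value)
    if ptype == TYPE_RDP_NEG_FAILURE:
        return ("failure", value)
    raise ValueError("unexpected negotiation type 0x%02x" % ptype)


def classify_server(confirm_bytes):
    """Verdict for a confirm received after offering PROTOCOL_SSL only."""
    kind, value = parse_connection_confirm(confirm_bytes)
    if kind == "legacy":
        return "LEGACY_RDP"
    if kind == "response":
        return "NLA_OPTIONAL" if value == PROTOCOL_SSL else "UNEXPECTED_PROTOCOL_0x%x" % value
    if value == 0x05:
        return "NLA_REQUIRED"  # the case in which no client can avoid the credential prompt
    return "OTHER_FAILURE:" + FAILURE_CODES.get(value, "0x%x" % value)


def probe(host, port=3389, timeout=5.0):
    """Send the TLS-only request to a server you administer and classify its answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_SSL))
        header = sock.recv(4)
        if len(header) < 4:
            raise ValueError("connection closed before a TPKT header arrived")
        (total,) = struct.unpack(">H", header[2:4])
        data = header
        while len(data) < total:
            chunk = sock.recv(total - len(data))
            if not chunk:
                break
            data += chunk
    return classify_server(data)


# Constructed sample confirms (not captured from any real server) for offline checks.
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")
SAMPLE_NLA_OPTIONAL = bytes.fromhex("030000130ed000001234000200080001000000")
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    # Usage: python rdp_nla_check.py <host-you-administer>   (no argument: classify the sample)
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else classify_server(SAMPLE_NLA_REQUIRED))
```

If the verdict is NLA_REQUIRED, no client-side credential setting will reach the logon screen; the decision lives on the server (the "Allow connections only from computers running Remote Desktop with Network Level Authentication" setting on the RDP-Tcp listener). Relaxing it is a security trade-off: it exposes the logon screen to unauthenticated clients, so smart-card logon without NLA is normally paired with network restrictions on who can reach port 3389 at all.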



Hey Joe,


I'm not aware of any way to pass a pin for a smartcard to an RDP session. I guess your best option would be to leave the username in place but remove the password from your connection.

That way the correct user should be pre-selected on the logon screen and you just have to insert your smart card and enter your pin to continue.


Does that work for you?


cheers,

felix

That would work great to just input the user account, but I just can't get that to work.  If I only place the user account into the credentials dialog box, it prompts me to enter a password.  If I ignore that and select "connect", it spins for a bit, then the RoyalTS dialog prompts me again for a password.


I've tried clearing the NLA check box, and about every combination that I could think of in the credential dialog, but I just cannot figure out how to make RoyalTS just get me to the logon screen.  If I could get there, I'd be fine, I'd manually logon with the smartcard from that point.


Any suggestions are greatly appreciated!


Joe

Hi Joe,


Have you been able to resolve the problem?


thx,

felix
