Bug 3393 - smart card single sign-on with AD for Windows 2008
Summary: smart card single sign-on with AD for Windows 2008
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: | rdesktop (deprecated) (show other bugs)
Version: 3.0.0
Hardware: PC Unknown
: P2 Normal
Target Milestone: 4.1.0
Assignee: Henrik Andersson
URL:
Keywords: ossman_tester
: 4500 (view as bug list)
Depends on:
Blocks:
 
Reported: 2010-01-07 13:03 CET by Peter Åstrand
Modified: 2013-06-25 16:46 CEST (History)
1 user (show)

See Also:
Acceptance Criteria:


Attachments

Description Peter Åstrand cendio 2010-01-07 13:03:34 CET
Just for completeness. This is the continuation of bug 2743 but for Windows 2008. As bug 2743, the new Windows versions actually has support for accepting the PIN over RDP. There's a flag in the TS_INFO_PACKET called INFO_PASSWORD_IS_SC_PIN.
Comment 1 Henrik Andersson cendio 2012-12-05 11:05:16 CET
*** Bug 4500 has been marked as a duplicate of this bug. ***
Comment 2 Henrik Andersson cendio 2012-12-20 16:27:47 CET
A simple hack just adding the INFO_PASSWORD_IS_SC_PIN flag show this
works as expected...

Anything you pass in userfield is ignored and if more then 2 smartcards
is available user needs to select which to use. I only one card is available
it is used for SSO using pin from password argument.
Comment 3 Henrik Andersson cendio 2012-12-20 17:35:13 CET
Upstream commit r1687 includes this flag for use.
Comment 4 Henrik Andersson cendio 2013-01-07 09:21:07 CET
I have tried to send CN and subject as username to control what card to be used for logon but it seem there is no way to control that. So if more then one card is available for authentication SSO will not work and user need to select which card to use.
Comment 5 Henrik Andersson cendio 2013-01-07 11:19:03 CET
Vendordrop commit r26355
Comment 6 Henrik Andersson cendio 2013-01-07 11:45:48 CET
Commit 26356 adds support for the new rdesktop argument to
pass pin as password to tl-run-rdesktop.

Briefly tested with and without card logon and it seems to work
as expected.
Comment 7 Henrik Andersson cendio 2013-02-05 09:21:50 CET
Tester should verify the functionality, see comment #3 on bug #4498
for information about how to setup smartcard authentication for users
in Active Directory with thrid party CA / certificates.
Comment 8 Henrik Andersson cendio 2013-03-18 12:58:51 CET
Upstream commit r1697 makes sure that CredSSP is not used when smartcard
SSO (pin as password) is used.
Comment 9 Pierre Ossman cendio 2013-06-25 16:46:34 CEST
Lightly tested and seems to work. Can't reliably do proper testing when our backend Windows systems exhibit so unpredictable behaviour for smart card auth.

Note You need to log in before you can comment on or make changes to this bug.