With the latest Kerberos + CredSSP implementation only TSPasswordCreds is supported; however, there is also support for delegation of smartcard creds using TSSmartCardCreds for SSO. For more information: http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-CSSP%5D.pdf
A test environment needs to be set up and configured with user certificates, and then functionality verified using the MS client; then dump the RDP traffic to identify the actual data passed in the pretty anonymous cryptographic service provider structure (TSCspDataDetail).
How to set up smart card authentication using Windows 2008 R2 AD with a third party CA and certificates:

Enable CA:
--------------
1. Export CA and user certificates as DER:

   pkcs15-tool -r <ID> > cert.pem
   openssl x509 -outform der -in cert.pem -out cert.cer

2. Add the CA to trusted roots in the Active Directory group policy object: edit the Default Domain Policy group policy and go to Computer Configuration->Policies->Windows Settings->Security Settings->Public Key Policy. Right click "Trusted Root Certification Authorities"->"All Tasks"->"Import" and select the CA cert to import.

3. The CA cert needs to be added to the NTAuth store to be used for logon; this is done using the following command:

   certutil -dspublish -f cert_ca.cer NTAuthCA

Map user certificate to user object:
-------------------------------------
1. Start "Active Directory Users and Computers" and enable advanced options using menu View->Advanced Features, then browse to the user you want to enable smartcard logons for. Right click and select "Name Mapping", and on the Certificate tab click Add and import the user certificate; actually only Subject and Issuer are imported and mapped to the user.

I have tested this setup using rdesktop to authenticate and logon using a local smartcard reader and it works as expected.
To disable the CRL checks which fail on the Telia eID card one should add this key; verified and working as expected:

HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\Kdc\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors

More nifty information can be found here: http://technet.microsoft.com/en-us/library/ff404287(v=ws.10).aspx#BKMK_3
Created attachment 465 [details]
Implementation of TSSmartCardCreds for CredSSP

The missing part is what exactly the following fields of TSCspDataDetail should contain; see the following data structure:

TSCspDataDetail ::= SEQUENCE {
    keySpec       [0] INTEGER,
    cardName      [1] OCTET STRING OPTIONAL,
    readerName    [2] OCTET STRING OPTIONAL,
    containerName [3] OCTET STRING OPTIONAL,
    cspName       [4] OCTET STRING OPTIONAL
}
The documentation for CredSSP is found in Microsoft spec MS-CSSP.pdf found at following address: http://msdn.microsoft.com/en-us/library/cc226764.aspx
A few steps forward and I stumble upon the following issue: http://blogs.technet.com/b/instan/archive/2012/03/06/event-id-16944-certificate-oid-error-on-domain-controllers-during-a-successful-smartcard-logon.aspx
Here is some useful information on Smart Card authentication for windows: http://technet.microsoft.com/en-us/library/dd277362.aspx
Here is a good source of information for CryptoAPI (CSP): http://technet.microsoft.com/en-us/library/ff404300(v=ws.10).aspx
containerName seems to be the user logon name, as stated by the following documentation: http://msdn.microsoft.com/en-us/library/ms867086.aspx
Looks like I have managed to work this out; for now 2 parameters need to be passed as arguments for smartcard SSO using CredSSP: the CSP name and the reader name. The CSP name is specific to Windows and reader names can be fetched from PC/SC. Here follow some examples from my test setup with 2 smartcard readers:

CSP: 'Net iD - CSP'
Reader: 'Gemalto PC Twin Reader 00 00'
Reader: 'Gemalto PC Twin Reader 01 00'

The CSP name is the "Smartcard Driver name" in Windows and we need to provide a tool for extracting this.
Initial implementation of CredSSP smartcard support is now committed upstream in commit r1705
Commit r26892 brings vendordrop of rdesktop into ThinLinc
Microsoft KB on enabling third party CA: http://support.microsoft.com/kb/281245 http://support.microsoft.com/kb/295663
The path referenced in the TAG to find out the CSP name isn't very good. It references the ATR mapping tables in the registry, which aren't always used (tried with Telia's version of Net iD).

A better path to look in is where the CSPs register themselves:

HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider
Problems in tl-run-rdesktop. Specifying the following:

rdesktop_args=-o sc-csp-name="Net iD - CSP"

doesn't work as tl-run-rdesktop doesn't support quotes and will blindly separate it on spaces. This can be seen in strace:

"/opt/thinlinc/bin/rdesktop", "-o", "sc-csp-name=\"Net", "iD", "-", "CSP\"",
I'm also not getting the reader name in the SSO information:

[tluser@dhcp-254-223 ~]$ xprop -root | grep TL_
TL_SENSITIVE_PARAMS(ATOM) = TL_SSO_TOKEN_PASSPHRASE
TL_SSO_TOKEN_PASSPHRASE(STRING) = <redacted>
(In reply to comment #17)
> I'm also not getting the reader name in the SSO information:
>
> [tluser@dhcp-254-223 ~]$ xprop -root | grep TL_
> TL_SENSITIVE_PARAMS(ATOM) = TL_SSO_TOKEN_PASSPHRASE
> TL_SSO_TOKEN_PASSPHRASE(STRING) = <redacted>

Moved to correct bug, #4565
(In reply to comment #16)
> Problems in tl-run-rdesktop. Specifying the following:
>
> rdesktop_args=-o sc-csp-name="Net iD - CSP"
>
> doesn't work as tl-run-rdesktop doesn't support quotes and will blindly
> separate it on spaces. This can be seen in strace:
>
> "/opt/thinlinc/bin/rdesktop", "-o", "sc-csp-name=\"Net", "iD", "-", "CSP\"",

Fixed in 27539.
(In reply to comment #15)
> The path referenced in the TAG to find out the CSP name isn't very good. It
> references the ATR mapping tables in the registry, which isn't always used
> (tried with Telia's version of Net iD).
>
> A better path to look in is where the CSPs register themselves:
>
> HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider

Verified that this is the case for 2008R2, will update the documentation.
(In reply to comment #19)
> (In reply to comment #16)
> > Problems in tl-run-rdesktop. Specifying the following:
> >
> > rdesktop_args=-o sc-csp-name="Net iD - CSP"
> >
> > doesn't work as tl-run-rdesktop doesn't support quotes and will blindly
> > separate it on spaces. This can be seen in strace:
> >
> > "/opt/thinlinc/bin/rdesktop", "-o", "sc-csp-name=\"Net", "iD", "-", "CSP\"",
>
> Fixed in 27539.

Broken when rdesktop_args is missing:

Traceback (most recent call last):
  File "/opt/thinlinc/bin/tl-run-rdesktop", line 580, in oOoO0
    iiiI . extend ( shlex . split ( hive . get_string ( "/appservergroups/rdp/%s/rdesktop_args" % appservergroup , [ ] ) ) )
  File "/usr/lib64/python2.7/shlex.py", line 279, in split
    return list(lex)
  File "/usr/lib64/python2.7/shlex.py", line 269, in next
    token = self.get_token()
  File "/usr/lib64/python2.7/shlex.py", line 96, in get_token
    raw = self.read_token()
  File "/usr/lib64/python2.7/shlex.py", line 124, in read_token
    nextchar = self.instream.read(1)
AttributeError: 'list' object has no attribute 'read'
(In reply to comment #21)
> (In reply to comment #19)
> > (In reply to comment #16)
> > > Problems in tl-run-rdesktop. Specifying the following:
> > >
> > > rdesktop_args=-o sc-csp-name="Net iD - CSP"
> > >
> > > doesn't work as tl-run-rdesktop doesn't support quotes and will blindly
> > > separate it on spaces. This can be seen in strace:
> > >
> > > "/opt/thinlinc/bin/rdesktop", "-o", "sc-csp-name=\"Net", "iD", "-", "CSP\"",
> >
> > Fixed in 27539.
>
> Broken when rdesktop_args is missing:
>
> Traceback (most recent call last):
>   File "/opt/thinlinc/bin/tl-run-rdesktop", line 580, in oOoO0
>     iiiI . extend ( shlex . split ( hive . get_string (
> "/appservergroups/rdp/%s/rdesktop_args" % appservergroup , [ ] ) ) )
>   File "/usr/lib64/python2.7/shlex.py", line 279, in split
>     return list(lex)
>   File "/usr/lib64/python2.7/shlex.py", line 269, in next
>     token = self.get_token()
>   File "/usr/lib64/python2.7/shlex.py", line 96, in get_token
>     raw = self.read_token()
>   File "/usr/lib64/python2.7/shlex.py", line 124, in read_token
>     nextchar = self.instream.read(1)
> AttributeError: 'list' object has no attribute 'read'

Fixed in 27557.
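The two defects reported in comments 16 and 21 (quotes split on spaces, and shlex.split handed the list default when the hive key is absent) are illustrated here with an added example; this is not ThinLinc's tl-run-rdesktop code, and the hive lookup is replaced by a plain dict standing in for hive.get_string, with the key path and sample values taken from the thread.

```python
"""Argument parsing for an rdesktop_args hive value (added example).

Contrasts the naive whitespace split from comment 16 with shlex-based
parsing, and handles the missing-key case from comment 21 without passing
a non-string into shlex.split.
"""
import shlex

RDESKTOP = "/opt/thinlinc/bin/rdesktop"
ARGS_KEY = "/appservergroups/rdp/%s/rdesktop_args"

# Constructed stand-in for the ThinLinc hive: one group has the option set,
# the other has no rdesktop_args key at all.
FAKE_HIVE = {
    ARGS_KEY % "smartcard": '-o sc-csp-name="Net iD - CSP"',
}


def naive_split(value):
    """The behaviour from comment 16: quotes are not honoured."""
    return value.split()


def rdesktop_args(hive, appservergroup):
    """Return the extra rdesktop arguments for a group, honouring shell quoting.

    A missing key yields no extra arguments instead of a TypeError/AttributeError;
    any non-string stored under the key is rejected rather than silently split.
    """
    value = hive.get(ARGS_KEY % appservergroup)
    if value is None:
        return []
    if not isinstance(value, str):
        raise TypeError("rdesktop_args must be a string, got %s"
                        % type(value).__name__)
    return shlex.split(value)


def build_cmdline(hive, appservergroup):
    """Assemble the argv that would be passed to rdesktop."""
    return [RDESKTOP] + rdesktop_args(hive, appservergroup)
```

The `sc-csp-name` value survives as a single argv element only because shlex strips the quotes and keeps the quoted span together; the naive split produces exactly the six fragments seen in the strace output of comment 16.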
(In reply to comment #20)
> (In reply to comment #15)
> > The path referenced in the TAG to find out the CSP name isn't very good. It
> > references the ATR mapping tables in the registry, which isn't always used
> > (tried with Telia's version of Net iD).
> >
> > A better path to look in is where the CSPs register themselves:
> >
> > HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider
>
> Verified that this is the case for 2008R2, will update the documentation.

Fixed in commit r27558.
God damn Windows. After following all the guides, we are still unable to reconstruct a working system. We tested UseSubjectAltName (both in the KDC and LSA). We could see in the logs that it stopped using the UPN from the certificate, but still things failed to work. We tested adding the SITHS UPN to the DC as a new user. This got us further, and now fails with "Access denied" instead. The logs only log a successful login as the relevant user. What does work at this point is logging on to the local WTS on the DC machine. We have no idea why that one works and the independent WTS fails though. So we have no idea how to set up this test environment in the future. It will have to do for now though to finish this round of testing.
Does not work. Unknown as to why. I just get the generic "Could not verify your credentials". Works fine after I manually enter the PIN in the prompt that appears.
Ooops. Wrong domain specified. After that was fixed, it is still broken though. Now I get "The requested keyset does not exist on the smart card." instead.
(In reply to comment #24)
> God damn Windows. After following all the guides, we are still unable to
> reconstruct a working system.
>
> We tested UseSubjectAltName (both in the KDC and LSA). We could see in the logs
> that it stopped using the UPN from the certificate, but still things failed to
> work.
>
> We tested adding the SITHS UPN to the DC as a new user. This got us further,
> and now fails with "Access denied" instead. The logs only log a successful
> login as the relevant user.
>
> What does work at this point is logging on to the local WTS on the DC machine.
> We have no idea why that one works and the independent WTS fails though. So we
> have no idea how to set up this test environment in the future. It will have to
> do for now though to finish this round of testing.

I just installed a new WTS 2008R2 and joined my current test domain, and had no problems with CredSSP+SSO using smartcard, tested with both my own Telia E-Leg and Fredrika SITHS test card. To use subjectAltName for authentication, the UPN suffix should be added to the DC by right click -> Properties on 'Active Directory Domains and Trusts'. Also, one needs to change userPrincipalName on the user object using ADSI to set the UPN stored in the cert as the subject alt name.
Works as expected.