
I already set up Active Directory to enable smart card logon, and I could log on to Windows through the login screen by PIN.

I'm looking for a way to log on with a new session or unlock the active session remotely. I found http://www.pkcs11interop.net/, which looks like a really cool tool, so I spent a couple of times reading the documents to find the solution. I implemented a service which could communicate remotely; I could also initialize the library and create a session with login/logout, but I couldn't find a way to log on to Windows or unlock the active session. Does anyone know how I could achieve this?

I need to do this through the C# code.

Peyman
  • Based on your description I assume you are talking about an RDP session, right? Or are you talking about an authentication session (e.g. for CIFS access)? – Robert Sep 27 '19 at 11:26
  • No RDP, I want to log on to Windows remotely by smart card. So if already logged on and Windows is locked, I must be able to unlock Windows with the existing session @Robert – Peyman Sep 27 '19 at 11:33
  • Is your Active Directory environment prepared for smart card authentication? For a lot of smart cards, special client software also has to be rolled out (smart card credentials provider). – Robert Sep 27 '19 at 11:37
  • Yes, AD is already configured and I could use a SmartCard to log in to Windows. But I need to do it remotely through the code. – Peyman Sep 27 '19 at 11:40
  • If you have a working environment you should already have a smart card credentials provider integrated into Windows. PKCS#11 is AFAIK the wrong approach; the login system does not make use of it. It has its own API (as I wrote, the smart card credentials provider). – Robert Sep 27 '19 at 11:45
  • Thanks @Robert, but as I understand it, by PKCS#11 one could trigger the SmartCard API, so I assume there should be some way to simulate the logon procedure (not sure). – Peyman Sep 27 '19 at 11:58
  • @Robert, do you know any good sample of a custom credential provider which works fine with Smart Card & AD? If so, I'd appreciate it if you could share it here. Thanks – Peyman Oct 05 '19 at 13:45
  • @Peyman sorry, but credentials providers I only know from a user's perspective. – Robert Oct 05 '19 at 14:01

1 Answer

I've never attempted to do it, but I point you to the documentation on MSDN:

Smart Card and Remote Desktop Services

Specifically,

Remote Desktop redirection. Notes about the redirection model:

This scenario is a remote sign-in session on a computer with Remote Desktop Services. In the remote session (labeled as "Client session"), the user runs net use /smartcard.

Arrows represent the flow of the PIN after the user types the PIN at the command prompt until it reaches the user's smart card in a smart card reader that is connected to the Remote Desktop Connection (RDC) client computer.

The authentication is performed by the LSA in session 0.

The CryptoAPI processing is performed in the LSA (Lsass.exe). This is possible because RDP redirector (rdpdr.sys) allows per-session, rather than per-process, context.

The WinScard and SCRedir components, which were separate modules in operating systems earlier than Windows Vista, are now included in one module. The ScHelper library is a CryptoAPI wrapper that is specific to the Kerberos protocol.

The redirection decision is made on a per smart card context basis, based on the session of the thread that performs the SCardEstablishContext call. Changes to WinSCard.dll implementation were made in Windows Vista to improve smart card redirection.

madduci
  • Thanks @madduci, I already saw this one but it's not the one I'm looking for. I need to handle it through the code. I guess it's doable by Pkcs11Interop but I'm not sure. Actually I don't want to RDP to the machine. – Peyman Sep 27 '19 at 11:42
  • It should be configured in AD? And that is already remote by definition? You should only need to follow the [guidelines](https://support.microsoft.com/fr-dz/help/281245/guidelines-for-enabling-smart-card-logon-with-third-party-certificatio) – Gillsoft AB Sep 29 '19 at 17:04
  • Thanks @GillsoftAB, I already set up AD and could log in by SmartCard; I want to simulate the same procedure in code. – Peyman Sep 29 '19 at 23:40
  • Did you use the logger to see what’s communicated over the wire? Usually that gives a better understanding of what’s missing. [logger part](https://github.com/Pkcs11Interop/Pkcs11Interop/blob/5.0.0/doc/TROUBLESHOOTING.md) – Gillsoft AB Sep 30 '19 at 05:59
  • There is no error or problem in the log. I just don't have any idea how to unlock Windows through my code using the installed smart card. @GillsoftAB – Peyman Sep 30 '19 at 15:43
  • Then what’s wrong with: [Login Test](https://github.com/Pkcs11Interop/Pkcs11Interop/blob/5.0.0/src/Pkcs11Interop.Tests/HighLevelAPI/_08_LoginTest.cs) – Gillsoft AB Sep 30 '19 at 15:48
  • If you don't have an HSM it will not work; by "simulate" I suppose you are looking for https://github.com/opendnssec/SoftHSMv2. Normally you should not be able to do anything unless the code is compiled to a .dll. The remote machine needs to have a driver that gets data from the SmartCard device and meets all AD requirements. It sounds like you are trying to bypass the SmartCard device login? The purpose of this system / standard is exactly to prevent actions like that. As said before, it is not a programming issue, but an AD issue. – Gillsoft AB Sep 30 '19 at 16:31
  • Maybe you are looking for this? https://learn.microsoft.com/sv-se/windows/win32/secauthn/authentication-functions?redirectedfrom=MSDN#logon-user-functions – Gillsoft AB Sep 30 '19 at 16:41