Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 11:35 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 5 posts ] 
Author Message
PostPosted: Mon Jun 01, 2015 4:58 pm 
Offline

Joined: Thu Jan 08, 2015 6:58 pm
Posts: 4
We have an environment where we use smartcards to log in to remote resources. It works just fine when we try to remote desktop from a machine that is domain joined, but does not work at our homes or on personal machines brought to work.

Things start working from home when we disable NLA though... but we would like to use NLA for an extra layer of security. OR if we leave NLA on, but only use a username and password it works (but again, we want to use smartcards for the extra layer of security with multifactor blah blah blah).

Stuff I have tried that has not worked:

Installing the internal Domain CA's certs to the off-domain machine and user cert store.

Issuing a "real" certificate from a major 3rd party CA and configuring RDS to use this certificate.

Tweaked some certificate properties, tested CRL paths off-location, anything I could find on BI-NGLE that was related... (shot-in-the-dark methods).

I wrote on the Technet forum (https://social.technet.microsoft.com/Fo ... inserverTS), and "Amy" from Microsoft wrote:
"Based on my research, if we use the credential SSP(with NLA enabled) to log on with a smart card from a computer that is not joined to a domain, the smart card must contain the root certification of the domain controller. A public key infrastructure (PKI) secure channel cannot be established without the root certification of the domain controller."

So two questions:
1) anyone solved this, and if so, how?
2) Assuming no one has, does anyone know how to import a Root Cert from a domain controller onto the key along with my personal cert?


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Fri Dec 04, 2015 10:11 am 
Offline
Site Admin
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
Hello,

Did you solved this issue?


Top
 Profile  
Reply with quote  
PostPosted: Tue Aug 29, 2017 9:30 pm 
Offline

Joined: Tue Aug 29, 2017 9:22 pm
Posts: 2
I just came across this topic while searching to accomplish the same thing.

I read through the technet article and the certutil won't work since the card is read is read only to it.

Is there a way to use the PIV manager to add the root certificate as suggested or a way to unlock the card so that certutil can be used?
Any other ideas?


Top
 Profile  
Reply with quote  
PostPosted: Wed Aug 30, 2017 5:11 pm 
Offline
Yubico Team
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
This can't be done with the Microsoft inbox class minidriver, a vendor specific minidriver is required. We are working on one, but can't provide an ETA at this time.


Top
 Profile  
Reply with quote  
PostPosted: Thu Aug 31, 2017 2:53 pm 
Offline

Joined: Tue Aug 29, 2017 9:22 pm
Posts: 2
Thanks for the response.
I tried changing HKEY_LOCAL_MACHINE\SYSTEM\CCS\Control\LSA\Kerberos\Parameters\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors to 1 and that allows it to work.
I am still looking for a way that will allow it to work without changing anything on the client side.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 5 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group