Windows 10 RDP smartcard redirection does not work after W2004, kind of

Alar 1 Reputation point
2020-09-22T09:40:13.723+00:00

Hi!
Windows 10 2004 and earlier. As people work more and more from home, we (IT staff from the trenches) are starting to have RDP-related problems. One of these is smartcard redirection. The user inserts a smartcard (Estonian ID card) into the home computer and needs to use it at work, for identification, signing, etc.; very convenient. Until we applied Windows 2004 (Windows 10 April 2020 feature update) everything seemed to work OK, but after we upgraded the computers at work to 2004 … this approach didn’t work anymore on some of the computers. And “some” was enough to start investigating what is going on. The usual error for when the card is not inserted (“Service not running”, etc.) pops up. Not much to see in the events either. On some computers, on the other hand, there is no change; smartcard redirection works as usual. The host (home) computers vary – Windows 2004, Windows 1909, even older Windows 10 computers; at work all are now W2004. Sure, testing is complicated for us (IT), as we have no oversight of the home computers. Anyway, there was no obvious connection between the exact Windows versions on both ends and getting redirection to work. Yes, the services are running; yes, smartcard redirection is selected on the host, etc.

Then we tried RDP to a computer that didn’t work (as described before) from another local computer: fine, redirection worked as expected. Then we tried RDP from home to another computer (for the same user) and … surprisingly the smartcard was identified. Wow. Something related to the particular (Windows domain) user!? What could it be? It started to happen after applying Windows 2004. Odd. Yes, there are some more options to test out – using a local user on the remote side, trying to remove and create a new domain user (on the work computer) for the same person, etc., but … it seems to narrow down to user-something. Even though all the services (that I’m aware of) related to the use (redirection) of the smartcard are running under the system account. Sure, there are thousands of details involved, absolutely.
So, here we are. Any ideas what to try?
More thanks, Alar.


2 answers

  1. Jenny Yan-MSFT 9,326 Reputation points
    2020-09-23T06:53:45.427+00:00

    Hi,
    From an RDS perspective, to make smart card redirection work, you should ensure the following points:

    1. On the target server, please ensure the smart card redirection is not disabled.
      Do not allow smart card redirection
      Do not allow supported Plug and Play device redirection
      https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791794(v=ws.10)?redirectedfrom=MSDN

    2. On home/client computers, when starting a remote session via mstsc, kindly check the redirection option under Local Resources.

    3. Kindly let us know if the issue only occurred for clients with Win10 2004 and whether or not they have been patched with the latest update.

    Hope this helps and please help to accept as Answer if the response is useful.

    Thanks,
    Jenny
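
The checks listed in the answer above, gathered into one PowerShell sketch; this is an added example, not part of either post. The policy registry value names and their blocking values, the service names and the sample host name are assumptions to verify in your own environment.

```powershell
# Added diagnostic sketch (not from the thread). Run the first two functions on the
# target (work) PC, the third against the .rdp file used on the home PC.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RedirectionPolicy {
    # Assumed mapping: fEnableSmartCard = 0 or fDisablePNPRedir = 1 blocks redirection.
    $blocking = @{ fEnableSmartCard = 0; fDisablePNPRedir = 1 }
    foreach ($name in $blocking.Keys) {
        $item = Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
        $data = if ($item) { $item.$name } else { $null }   # $null = policy not configured
        [pscustomobject]@{
            Value   = $name
            Data    = $data
            Blocked = ($null -ne $data) -and ($data -eq $blocking[$name])
        }
    }
}

function Get-SmartCardServiceState {
    # Smart Card, Smart Card Device Enumeration, Certificate Propagation.
    Get-Service -Name SCardSvr, ScDeviceEnum, CertPropSvc -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType
}

function Get-RdpSmartCardSetting {
    param([Parameter(Mandatory)][string]$Path)
    # Returns 1 (redirect), 0 (do not redirect) or $null when the line is absent.
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*redirectsmartcards:i:(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

# Constructed sample .rdp content so the parser can be tried without a real connection file.
$sample = Join-Path $env:TEMP 'sample-constructed.rdp'
Set-Content -LiteralPath $sample -Value @(
    'full address:s:work-pc.example.test'
    'redirectsmartcards:i:0'
    'redirectprinters:i:1'
)

Get-RedirectionPolicy | Format-Table -AutoSize
Get-SmartCardServiceState | Format-Table -AutoSize
"redirectsmartcards in sample file: $(Get-RdpSmartCardSetting -Path $sample)"
Remove-Item -LiteralPath $sample
```

Comparing this output between a work PC where redirection works and one where it fails shows whether the difference lies in policy, service state or the client's connection file.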


  2. Alar 1 Reputation point
    2020-10-20T07:16:19.747+00:00

    Hi!
    (Not an answer, just a reply, too long to fit as a reply.)
    Interesting. The home (source, Lenovo Tiny) computer, let’s say – Home; the target (destination) computer, let’s say – Work (also Work2, an ordinary desktop, and Work3, also a Lenovo Tiny). Trying RDP from the Home computer to the Work computers.
    Not working – Home > Work, ID-card not identified using ID card soft (DigiDoc4), used domain account.
    Not – Home > Work, ID-card not identified using ID card soft (DigiDoc4), used local account.
    Not – Home > Work, ID-card not identified using ID card soft (DigiDoc4), used another user domain account.
    OK – Home > Work2 and Work3, ID-card identified using ID card soft (DigiDoc4).
    OK – WorkX > Work, ID-card identified using ID card soft (DigiDoc4). Meaning, trying RDP from another local work computer to the same Work computer in question. Not the same domain user, though.
    What is interesting, for me: when the ID card is not recognized by the ID soft, some sites that use the ID card PIN for authentication are still accessible (PIN1 is asked twice), but sites that need proper (certificate) access (banks etc.) are not (this is expected, as the ID card is not recognized and the certs are not retrieved). So, yes, it seems the ID card is in some respects visible from Home on Work.
    Some home computers, as I wrote, using RDP to access work computers from home, do not suffer from this problem. The work computers are mostly the same conf, all WX 2004. The home computers vary, of course, also by WX version. There seems to be no pattern. Some home WX 2004 work, some don’t; some 1909 and 1903 work, some don’t, etc.
    Yes, tried switching off the firewall on the home computer. Not on this particular Work computer, but on another one (suffering from this problem) uninstalled the antivirus soft used on our work computers; it didn’t make any difference.
    Any further ideas to try?
    More thanks, Alar.
