The use of Smart Cards for user authentication is considered by Microsoft to be the strongest form of authentication in the Windows Server 2003 family. It combines something physical that the user has (the Smart Card) with confidential information that the user knows (the PIN) to provide what is known as "two-factor authentication." A smart card is a small plastic card, about the size of a credit card, that typically contains a small embedded computer chip (microchip) instead of the magnetic stripe found in traditional credit cards.
In accordance with U.S. President George Bush's Homeland Security
Presidential Directive 12 (HSPD-12), all federal agencies are required to
implement Smart Card logon to access government information systems (http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html).
Because of the lack of remote administration tools that provide remote Smart Card access, complying with this directive greatly restricts the ability of Administrators to perform remote administration tasks in this new Smart Card environment. That was the case until version 5.5 of DameWare Development's software suite was released.
In 2006, DameWare Development was contacted by members of the U.S. Military and asked to provide a Smart Card solution for the new CAC (Common Access Card) environment. They wanted a solution that would satisfy not only current security requirements but also the future security requirements of existing DOD customers. DameWare Development accepted the challenge and became the first third-party remote administration software to provide Interactive Smart Card Login as well as remote Smart Card Authentication. Users of DameWare Mini Remote Control (DMRC) software now have the ability to access remote machines via their Smart Card and interactively enter the PIN to log in, just as if they had physically walked up to the console of the remote machine. This was a major undertaking and accomplishment for DameWare's development team, and numerous reports describe the tremendous impact this version of the software has had on users in the Military and the DOD.
DameWare Development's software was tested by the U.S. Army within their
strict environment, and proved to meet all requirements while exceeding all
expectations.
At the time of this writing, this release of DameWare
Development's software is the only known remote administration tool that is
completely CAC (Common Access Card) compliant as well as AGM (Army Gold Master)
6.0 compliant and compatible.
One Army representative stated,
"Bottom line is, this version of the software has worked flawlessly for us
even with our strict requirements. We are not aware of
any similar product that meets all these requirements."
Also, unlike other remote administration tools that advertise the ability to remotely authenticate users via a Smart Card, the DMRC program can perform not only remote Smart Card Authentication but also Interactive Smart Card logins. This means that users of the DMRC software can access remote machines while those machines are at the Logon Desktop and interactively log in using their PIN, just as if they were physically at the console of the remote machine. Remote Smart Card Authentication and Interactive Login within DameWare Development software also do not require any type of Smart Card Middleware, and do not even require a Smart Card reader attached to the remote machine.
Requirements & Important Notes:
1. According to Microsoft, Smart Card Login & Authentication is only supported on Windows 2000
and above, including:
- Windows 2000 Workstation
- Windows 2000 Server
- Windows XP Professional
- Windows 2003 Server
- Windows Vista
2. Other than Microsoft's own Smart Card Services (SCardSvr), no additional middleware is directly required by DameWare software for Smart Card Authentication & Login.
3. A Smart Card reader is not required on the remote machine.
4. The Operating System and network implementation must be configured properly for Smart Card authentication, and the Smart Card & PIN must have sufficient rights to log in to the remote machine. Unfortunately, DameWare's support department does not provide training seminars on how to implement and configure a Smart Card environment. However, the following Smart Card documentation on Microsoft's website may be helpful.
Various Microsoft Smart Card articles
http://search.technet.microsoft.com/search/default.aspx?siteId=1&tab=0&query=smart+card
The Secure Access Using Smart Cards Planning Guide
http://www.microsoft.com/technet/security/topics/networksecurity/securesmartcards/default.mspx
The Smart Card Deployment Cookbook
http://www.microsoft.com/technet/security/topics/identitymanagement/smrtcdcb/default.mspx
Smart Card Concepts
http://www.microsoft.com/technet/security/topics/identitymanagement/smrtcdcb/sec1/smartc02.mspx
5. A Smart Card reader must be installed on the local machine.
6. According to Microsoft's requirements, if the "Net Use" command can be successfully executed to access a remote machine using a Smart Card, the user should also have the ability to install, remove, start, or stop the DMRC Client Agent Service, or to successfully use DNTU's LogonAs feature, via Smart Card authentication.
7. According to Microsoft, Smart Card Authentication to Active Directory requires that Smart Card workstations, Active Directory, and Active Directory Domain Controllers be configured properly. Active Directory must trust a certification authority in order to authenticate users based on certificates from that CA, and both Smart Card workstations and Domain Controllers must have correctly configured certificates.
8. When using the Smart Card authentication method to interactively log in via the DMRC program, a "New Hardware Found" notification may be displayed on the remote machine after the DameWare Virtual Smart Card reader is inserted on the user's behalf. Unfortunately, this behavior is beyond DameWare's control.
Known Issues:
1. When attempting to connect via Smart Card Login (this also applies to "Reconnect on Ping" via Smart Card Login), authentication may fail. This is because TCP is one of the first Protocols/Services to start on a machine, while other Services, such as Microsoft's Smart Card Services (SCardSvr), the Server Service, or the NetLogon Service, may not have fully initialized yet. Therefore, it may be necessary to try the logon again after a short time. The DMRC program's "Reconnect on Ping" functionality also allows a "Connect Delay" interval to be specified before a reconnect is attempted.
2. Although Smart Card support was designed into Windows 2000 and above, some quirks under Windows 2000 have been discovered that may prevent the PIN dialog from being displayed after a connection is made. To resolve this behavior, take one of the following actions:
- Attach a Smart Card reader to the remote machine.
- In some cases disconnecting and reconnecting a few times resolves the issue.
- This behavior may also depend on the specific reader and the version of the reader's driver. Verify that the latest driver from the manufacturer is installed.
- The following hotfix from Microsoft may be needed.
A Windows 2000-based computer no longer recognizes a USB smart card reader
http://support.microsoft.com/kb/901107
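As an added example, not DameWare's or Microsoft's own code, the following Windows PowerShell script performs from the administrator's local machine the two checks these notes describe: it waits until the services named in Known Issue 1 (SCardSvr, the Server service, NetLogon) report Running on the remote host, retrying after a delay much like the "Connect Delay", and then runs the "Net Use" Smart Card check from requirement 6. The host name, the service list, the delay values and the use of Get-Service -ComputerName (Windows PowerShell only, needs RPC access to the remote Service Control Manager) are assumptions.

```powershell
# Added example (not DameWare's code): preflight check before a Smart Card
# logon to a remote host. Assumes Windows PowerShell (Get-Service -ComputerName
# is not available in PowerShell 7) and RPC access to the remote SCM.
function Wait-SmartCardLogonServices {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # Services from Known Issue 1: Smart Card, Server (LanmanServer), NetLogon
        [string[]] $Services = @('SCardSvr', 'LanmanServer', 'Netlogon'),
        [int] $DelaySeconds = 15,   # wait between attempts (assumed value)
        [int] $MaxAttempts  = 8     # give up after about two minutes
    )
    for ($i = 1; $i -le $MaxAttempts; $i++) {
        try {
            $svc = Get-Service -ComputerName $ComputerName -Name $Services -ErrorAction Stop
            $notRunning = $svc | Where-Object { $_.Status -ne 'Running' }
            if (-not $notRunning) { return $true }
            Write-Verbose ("Attempt {0}: not running yet: {1}" -f $i, ($notRunning.Name -join ', '))
        } catch {
            # Early in boot the RPC query itself may fail; treat that as "not ready".
            Write-Verbose ("Attempt {0}: SCM query failed: {1}" -f $i, $_.Exception.Message)
        }
        Start-Sleep -Seconds $DelaySeconds
    }
    return $false
}

function Test-SmartCardNetUse {
    param([Parameter(Mandatory)] [string] $ComputerName)
    # "net use ... /SMARTCARD" prompts for the PIN; exit code 0 means the card
    # and PIN were accepted by this host (Microsoft's check from requirement 6).
    & net use "\\$ComputerName\IPC$" /SMARTCARD | Out-Null
    $ok = ($LASTEXITCODE -eq 0)
    # Drop the test connection again so no session is left behind.
    if ($ok) { & net use "\\$ComputerName\IPC$" /DELETE | Out-Null }
    return $ok
}

# Usage; the host name is a placeholder.
$target = 'REMOTE-HOST'
if (Wait-SmartCardLogonServices -ComputerName $target -Verbose) {
    if (Test-SmartCardNetUse -ComputerName $target) {
        'Remote host is ready for a DMRC Smart Card logon.'
    } else {
        'Smart Card authentication to {0} failed; check the AD/CA configuration (note 7).' -f $target
    }
} else {
    'Required services on {0} are not up yet; retry later (Known Issue 1).' -f $target
}
```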