TSG & Smart Cards 1

Status
Not open for further replies.

ckugo

IS-IT--Management
Jan 6, 2004
US
I have set up a Windows 2008 server with TS Gateway and a Windows 2003 Terminal Server. Everything works great when we use username / password for authentication.

I recently purchased a couple smart cards for testing with hopes of deploying them to my remote users. The smart cards work great for local terminal sessions and local logins. However, when I use the smart card in conjunction with TSG I run into an issue.

The smart card will authenticate with the TSG, but it will not pass through to the terminal server. The terminal server still prompts you for a username and password. In the TS client I have selected to use the same credentials for the gateway and remote computer. And device redirection should also be set up properly since it is working locally.


Has anyone run into this before?

Thanks so much,
Chris
 
Chris...
Really interested in the answer as I will be in the same situation in a week.
Which Smart Card system are you using? Trying to get a few answers from ActivIdentity at this time about USB stick devices.
At the moment I have a "new technology sucks" attitude.[dazed] or %-)

Some rambling...
Primarily I am worried about remotes getting key-loggers.
This year I was called in on a small network saturated with them; every machine had at least 3, including the server. Hacker was in for about a month before I got there, merrily grabbing credit card and bank PINs for the Christmas holidays... using the server on off hours to purchase everything you could possibly want for Christmas... for the wife, kids, Tom, Dick and Harry. End result, he had created brush fires, by manipulating programs, so the entire network had to be crushed and rebuilt.


........................................
Chernobyl disaster..a must see pictorial
 
I am using the Omnikey 3121 with the Multos 32KB cards with PKI middleware. I cannot say that I would suggest this product yet as I am not sure if my issues are TSG and W2K8 related or card middleware related. Other than my TSG problems, it has been a good experience so far. The cards were easy to populate with certs and like I mentioned, the local logins for Windows 2003 and prior work great.

I have confirmed with the manufacturer that the current middleware does not support local logins for Vista and Windows 2008.

So that is where the problem gets a little fuzzy. Is the issue in the middleware? Or is it that the TSG is not passing the credentials on? The smart card will authenticate with the TSG, so the 2008 box can read the card.

Thanks,
Chris
 
Wish I had some answers for you.

"... as I am not sure if my issues are TSG and W2K8 related or card middleware related."

This is the type of issue which scares me. I have already spent two days researching; I do not want to spend days on days getting the USB devices to work properly. As a consultant it is hard to bill for such issues on a small network.

With ActivIdentity, so far it looks like >$1300.00 to start for ten users. Odd pricing, they require a minimum purchase of 25 cards or USB Token keys (roughly $725.00) which my client and I can live with IF I do not spend days pulling my hair out getting them to work.
Neat part is the USB devices (or cards) have a number display which you must enter a new number every time a user logs in, so if I have an OS auto logoff after say 20-25 minutes idle, it would make it real hard for a hacker. Without the changing number, either the card or USB device remains in the machine and a keylogger could be effective, if a hacker was able to take over a machine in the background (a little paranoid, but the network is too complex to rebuild quickly).
Still waiting for a few questions to be answered by ActivIdentity.
I was looking into RSA SecurID; according to the sales rep, you actually must use your actual Windows login name and password at some point... exactly what I am trying to avoid.

Will let you know how I progress, and if it becomes retrogression.


 
Update...
Went with Vasco Digikey 860 (ActivIdentity was getting real expensive), but I have the opposite problem. It will do a local login, works well capturing logins to programs I use, but so far it will not capture the logon information for any RDP... part of the issue is we are using the latest RDP client, and I do not think it was tested with it; an older RDP version works with a client who has Win 2003.



 
Update...
What a relief.
Finally the Vasco Digipass860 keys work with Windows logon, programs, and most critical, Windows 2008 Terminal Server via the RDP 6.1 client. Basically very easy to get going BUT I had to figure out critical parts myself.
Did I mention I hate new technology?

 
Retested this morning; the Digipass 860s are not capturing the Windows Terminal credentials so these units are not compatible with the RDP 6 and 6.1 RDP clients. Back to ground zero.

 