16004 Views 13 Replies Latest reply: Feb 3, 2009 4:13 AM by MattyCiii
Unfortunately, MS Remote Desktop Connection for Mac does not support smart card log-in.
However, you may also have a problem with your Mac not recognizing your smart card.
To check if your iMac can read your card, insert the card into the reader and launch "Keychain Access" on your Mac (Applications > Utilities > Keychain Access).
If your card appears as a 'keychain', then your only problem is that MS Remote Desktop Connection for Mac does not support smart card log in.
If your card does not appear as a 'keychain', please go to the link below:
I'm currently looking for an alternative to MS Remote Desktop for Mac that supports smart card log in. I'll post an update if I find one.
Thanks. The link I went to states that prior to 10.5, smart card logins/readers worked. I'm assuming they also used MS Remote Desktop then. Looks like 10.5.5 will have the fixes in it. Is there an organic desktop app that Apple has that I should use instead? I'm not aware of one, hence my using MS RDC.
Maybe rdesktop will work. This is the OpenSource RDC client. It would require using X11 for the display windows.
rdesktop has an -scard option which is why I mention it.
-r scard[:<Scard Name>=<Alias Name>[;<Vendor Name>][,...]]
Enables redirection of one or more smart-cards. You can provide
static name binding between linux and windows. To do this you
can use optional parameters as described: <Scard Name> - device
name in Linux/Unix enviroment, <Alias Name> - device name shown
in Windows enviroment <Vendor Name> - optional device vendor
name. For list of examples run rdesktop without parameters.
You can install rdesktop via MacPorts.org or Fink.com.
However, this is a Unix command-line utility, and as with most Unix-oriented documentation, it leaves a lot to be desired.
If you are interested, maybe you can find a more detailed description of how to use rdesktop with smart cards via some Google searches.
Your Mileage May Vary. Objects are closer than they appear in the side view mirror. Etc...
I think you need the current version of rdesktop (1.6) for smart card support. Neither MacPorts nor Fink has it.
I installed 1.6, and it asks for the PIN, but then doesn't go anywhere after that. It just hangs there. After quitting it and trying again several times, I think I have locked out my card because it gives me an odd failure message that I wasn't getting before.
I've seen some threads that say there are bugs in Leopard's pcsc-lite module that rdesktop calls to use the smartcard, so the problem may be with that.
I couldn't get a newer version of pcsc-lite installed correctly, either.
I was able to get rdesktop 1.6.0 to install on my Mac and I was able to get CAC log-in to work.
However, the installation is a little tricky. I downloaded rdesktop 1.6.0 from this link:
My instructions for installation:
1. Make sure Xcode Tools is installed on your computer. It should be on your OS X install disk.
2. Find out where your X11 libraries are located:
-From the Finder menu, select "Go" >> "Go to Folder..."
-Type (without the quotes) "/usr/X11", and click "Go"
You should see a bunch of folders. Make sure the "include" and "lib" folders are there. Otherwise you need to find out where the X11 "include" and "lib" folders are located on your computer.
3. Download rdesktop and place the (unarchived) rdesktop-1.6.0 folder on your Desktop
4. Open the X11 application (should be in your Utilities folder)
5. In the X11 window type the following (without the quotes):
"cd Desktop/rdesktop-1.6.0 && ./configure --enable-smartcard --x-includes=/usr/X11/include --x-libraries=/usr/X11/lib && make && sudo make install"
6. Hit enter. When prompted, enter your administrator password and hit enter.
rdesktop should now be installed in the following folder:
So, to launch rdesktop with smartcard log in enabled, open the X11 application (or Terminal application) and type the following (without the quotes, and replace your.server.address with the server address):
"cd /usr/local/bin && ./rdesktop -r scard your.server.address"
Hit enter and it should launch a new X11 window that will try to access the remote server where you should be prompted for your PIN.
To explore more options with rdesktop, open X11 and type the following (without quotes):
"cd /usr/local/bin && ./rdesktop"
Hit enter and you should get a list of options available to rdesktop.
I get a message back from my server saying: The system could not log you on. An error occurred trying to use this smart card.
It works fine through Fusion and RDC.
Edit: I'm getting lots of console errors:
org.x.startx AUDIT: Thu Nov 13 19:23:14 2008: 44312 X: client 3 rejected from local host (uid 501)
org.x.startx Auth name: MIT-MAGIC-COOKIE-1 ID: -1
org.x.startx Xlib: connection to ".0" refused by server
org.x.startx Xlib: Invalid MIT-MAGIC-COOKIE-1 key
I think I tried to get rdesktop with scard working through MacPorts or Fink and something is messed up.
Message was edited by: Barney-15E
THANKS for the detailed instructions on getting rdesktop installed. I've followed the instructions perfectly. But when I go to launch rdesktop with smartcard log in enabled, I get:
"WARNING: Not compiled with smartcard support"
rdesktop connects fine to another RDP server that does not require smart card login. Likewise, this Mac can connect to a smartcard-authenticated OWA server, so I'm pretty convinced I'm not having any of the typical Leopard/SmartCard issues some have had.
Any thoughts on what I'm doing wrong?
Trying like heck, cannot get rdesktop to work with smart card. I look at rdesktop ./config output and see:
checking PCSC/pcsclite.h usability... no
checking PCSC/pcsclite.h presence... no
checking for PCSC/pcsclite.h... no
I tried to DL and install pcsc-lite, which chokes unless I --disable-libhal...
I've tried to find my way around the makefile but it's just a bit way over my head.
Can you point me in the right direction?
It's all over my head, too. I'm just a monkey at a typewriter...
Anyway...here are my thoughts:
1.) Plug in your card reader
2.) Open Terminal and run this command:
3.) When prompted, enter your admin password. You should see:
Select the approprate token driver:
Enter the number:
4.) Type "1" (without quotes) and press enter, and you should see something like:
Insert your token in: OmniKey CardMan 3121 00 00
Token support updated successfully !
5.) Keep your card reader plugged in and try the rdesktop install instructions again.
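A pre-flight check for the rebuild described above, as an added example that is not part of any post in this thread: it reads captured `./configure` output and reports whether the `PCSC/pcsclite.h` probe succeeded, so the build can be stopped before `make && sudo make install`. The function names and the sample logs are constructed for illustration, and the script assumes, as the posts above suggest, that a "no" on that probe is what leads to the "Not compiled with smartcard support" warning.

```shell
#!/bin/sh
# Added example (not from the thread). Capture configure output first, e.g.:
#   ./configure --enable-smartcard ... 2>&1 | tee configure.out
# then run: smartcard_preflight configure.out

# Print "yes", "no" or "unchecked" for the final PCSC/pcsclite.h probe line.
pcsc_header_status() {
    awk '
        /^checking for PCSC\/pcsclite\.h\.\.\. / { status = $NF }
        END { print (status == "" ? "unchecked" : status) }
    ' "$1"
}

# Return 0 only when the header was found; otherwise explain and fail.
smartcard_preflight() {
    case "$(pcsc_header_status "$1")" in
        yes) echo "PCSC/pcsclite.h found: smart card redirection can be built"
             return 0 ;;
        no)  echo "PCSC/pcsclite.h not found: expect the 'Not compiled with smartcard support' warning" >&2
             return 1 ;;
        *)   echo "configure output contains no PCSC/pcsclite.h probe" >&2
             return 2 ;;
    esac
}

# Constructed sample logs; the "no" lines mirror those quoted in the thread.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/fail.log" <<'EOF'
checking PCSC/pcsclite.h usability... no
checking PCSC/pcsclite.h presence... no
checking for PCSC/pcsclite.h... no
EOF
cat > "$SAMPLE_DIR/ok.log" <<'EOF'
checking PCSC/pcsclite.h usability... yes
checking PCSC/pcsclite.h presence... yes
checking for PCSC/pcsclite.h... yes
EOF
# A log in which the probe never ran (constructed line).
printf 'checking for gcc... gcc\n' > "$SAMPLE_DIR/none.log"

for name in fail ok none; do
    printf '%s.log: %s\n' "$name" "$(pcsc_header_status "$SAMPLE_DIR/$name.log")"
done
```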
THANK YOU SO MUCH, TRON!!!
I did just what you said, and rdesktop ran like a champ. I can place the smart card in the reader and the remote host queries for its PIN, just like when logging in locally or over MS Windoze RDP.
I'm still not 100% there - but I wanted to post my thanks and update progress in this (seemingly impossible) quest.
Status right now:
I recompiled rdesktop with smart card debug, and use Applications --> Console to watch the log output. On the remote host, I have ActiveCard Gold running & configured to log its output too (using Notepad to read its content...). Presently, though the remote host log on screen knows I'm using a smart card, the ActiveCard Gold does not recognize the smart card/reader. Something is broken along the way...
I'll give it another go later today. I've (re)installed libusb, we'll see if libusb will pass 'the right USB stuff' such that ActiveCard Gold on the host PC sees my smart card/reader...
And if anyone out there has a suggestion, please let me know!
High level architecture:
Mac uses VPN to connect to host network so I can "see" the remote host computer (WinXP SP1). I then use rdesktop to smart-card login to the remote host. Sometimes I wonder why I don't just get off my lazy butt and just drive into work...