Nitrokey HSM not recognized on Windows 2016 over RDP

We bought some Nitrokey HSM devices.
One of them is plugged into a server which is running Windows 2016. We installed OpenSC-win64_0.19.0.msi as well as OpenSC-win32_0.19.0.msi, selected “typical installation” and rebooted the server. At “Control Panel > Devices and Printers” a device named “Nitrokey HSM” is shown, so the USB device seems to be recognized.
However C:\Program Files\OpenSC Project\OpenSC\tools\opensc-tool.exe --list-readers just gives:
No smart card readers found.

C:\Program Files\OpenSC Project\OpenSC\tools\pkcs15-tool.exe -D
No smart card readers found.

C:\Program Files\OpenSC Project\OpenSC\tools\sc-hsm-tool.exe
No smart card readers found.

How can we access the HSM?

Does this behaviour occur at one device only? In this case it looks like a dead device and we would ask you to return it to us for further analysis. Of course you will get a replacement ASAP.

Have you run both x32 and x64 versions of the tools?

As far as I remember:

  1. OpenSC x64 bit installer offers to install x32 version of the drivers;
  2. OpenSC uses service to communicate with the device - if both versions are installed, that might mean two daemons are trying to access the device at once, blocking each other.

Please:

  1. Remove both installed versions;
  2. Install OpenSC x64, with x32 drivers added by the customization;
  3. Run the tools again.

Yes we installed both x32 and x64 versions, as mentioned on the OpenSC wiki page: https://github.com/OpenSC/OpenSC/wiki/Windows-Quick-Start “For an 64 bit operating system download both, the 32 bit AND the 64 bit installer”
If this is not correct then the wiki page should be updated.

Today I tried to access the Nitrokey HSM directly from the server (console) and this works! However since the server is located in a datacenter this is hardly a solution. How can we access the HSM hrough a RDP session?

I see. I must have been confused, sorry!

Summing up, you have access to the device, while logged in locally, but do not when the device is attempted to be accessed via the RDP, is that right?

Was the local user logged out, while the remote one was trying to use it? Perhaps other users are claiming the device?

I do not know unfortunately the answer. I propose to ask on the OpenSC issues page about details of their service implementation, though it seems this might be more connected more with the Windows administration itself, than the actual OpenSC service.

Alternatively, you might be interested in using a PKCS#11 proxy application, and then connecting to the device locally via it.

Hello,
when being directly connected to the console of the server we can access the Nitrokey HSM. When we then take over the session via Remote Desktop the same commands fail:

 > cd "C:\Program Files\OpenSC Project\OpenSC\tools"
 > sc-hsm-tool.exe
Using reader with a card: Nitrokey Nitrokey HSM 0
Version              : 3.1
Config options       :
  User PIN reset with SO-PIN enabled
SO-PIN tries left    : 15
User PIN tries left  : 3

 ### Now we connect via RDP, take over the session and simply repeat the last command
 > sc-hsm-tool.exe
No smart card readers found.

Of course starting a new session from scratch via RDP yields the same result.

opensc-debug.txt contains the following for the failing attempt:
    P:6748; T:7788 opensc version: 0.19.0
    P:6748; T:7788 PC/SC options: connect_exclusive=0 disconnect_action=0 transaction_end_action=0 reconnect_action=0 enable_pinpad=1 enable_pace=1
    P:6748; T:7788 [sc-hsm-tool] reader-pcsc.c:1300:pcsc_detect_readers: called
    P:6748; T:7788 Probing PC/SC readers
    P:6748; T:7788 Establish PC/SC context
    P:6748; T:7788 SCardEstablishContext failed: 0x8010001d
    P:6748; T:7788 [sc-hsm-tool] reader-pcsc.c:1445:pcsc_detect_readers: returning with: -1101 (No readers found)
    P:6748; T:7788 [sc-hsm-tool] ctx.c:906:sc_release_context: called
    P:6748; T:7788 [sc-hsm-tool] reader-pcsc.c:900:pcsc_finish: called

I already tried to run the commands as the “Local Service” account, and nuked the ACL which restricts access to the kernel event object “Microsoft Smart Card Resource Manager Started” to interactive users as described in https://blogs.msdn.microsoft.com/alejacma/2011/05/19/scardestablishcontext-fails-with-scard_e_no_service-error/ but to no avail.
Currently I believe the RDP client is somehow trapping the calls to the Smart Card Resource Manager service before they even get there. Therefor I’m very much interested in your alternative solution:

“you might be interested in using a PKCS#11 proxy application, and then connecting to the device locally via it.”

How would I do that?

There is pkcs11-proxy, which AFAIK works quite well. @jans Do we have any guides ready for it?

About the RDP, have you seen this one: [1] ? It claims, that the local smart card hardware is redirected in the RDP session. Perhaps this could be changed with settings? I have no other ideas about it unfortunately.

In a Remote Desktop scenario, a user is using a remote server for running services, and the smart card is local to the computer that the user is using.

We don’t have instructions for using pkcs11-proxy available.

Too bad. A software that we have to compile ourselves and has no instructions is not exactly what we are looking for.

About the RDP, have you seen this one

Yes I can redirect smart cards connected to the local computer to the remote machine and use them there, but this is not what we are interested in. Hence the option is disabled in the Terminal Server Client.
The smart card is already connected to the machine where it should be used, the only reason why RDP comes into play is that this machine is located in a remote datacenter.

I see. I do not have any other ideas. I am sorry, but Windows Server administration subject is out-of-scope for this support forum. On this stage you might want to ask Microsoft support for further steps.

I have run a last chance search of the web - the smart card lock over RDP seems to be a quite frequent issue, and some site mentioned that this is by design (Windows 2008):

Some other results which seem to be worth checking:

Excerpt from one:

If you want to resume the session when you insert the smart card back,please try to  set this policy in windows server 2016:

'Interactive logon: Smart card removal behavior'

And set it to 'Disconnect if a remote Remote Desktop Services session'

If you select this, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation.

### Location

*GPO_name* \Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

You could follow this link for more details:

https://technet.microsoft.com/en-us/library/jj852235(v=ws.11).aspx

Yes modifying the RDP service could help, but moving to another remote control application is probably easier than disabling Windows file protection and manipulating DLLs with a hex editor.
Thanks for your help!

1 Like