For your information, I have another issue with the smart card interface of the HSM2 device. Windows won’t recognize my HSM (plugged into the server) when I log in with Windows Remote Desktop.
So long story short, HSM2 is for end users, and not that great for server use. Maybe Nitrokey could put some writing on their product description that points out these problems.
You are right, I just mean to say that from the product description, it shows that it can do a lot of things. But it is not the ideal solution for the problem I was trying to solve.
We have a setup where Nitrokeys are accessible to many systems (Linux mainly, but also Windows VMs running on ESX). We made them available via a device that shares USB ports over the network (UTN-800 from SEH); it works pretty well if one gets the USB controller drivers right (no problem on Windows).
I am running a Windows Server 2019 instance in a virtual machine on Xen. I am using XFreeRDP client on my FreeBSD laptop. I have installed OpenSC 0.22.0 in a virtual machine.
I have added this parameter /smartcard:"Nitrokey Nitrokey HSM (DENK02006540000 ) 00 00" to the command line that connects me to my virtual server.
And here it goes:
PS C:\Program Files\OpenSC Project\opensc\tools> .\pkcs11-tool -L
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK02006540000 ) 00 00
token label : SmartCard-HSM (UserPIN)
token manufacturer : www.CardContact.de
token model : PKCS#15 emulated
token flags : login required, rng, token initialized, PIN initialized
hardware version : 24.13
firmware version : 3.5
serial num : DENK0200654
pin min/max : 6/15
So, there is nothing “Nitrokey” that prevents this from working. Either the RDP client has smartcard redirection disabled or a server policy is set not to allow this…
Thank you for the information, but that doesn’t apply to my situation if I understand it. Correct me if I’m wrong. I think your information is for a Linux user with a Nitrokey on the client machine.
My server has the HSM plugged into it. It’s running background tasks that need it on the server, whether someone’s logged in to it or not.
Upon logging in via Windows RDP, the client will override all server-side smart cards and replace them with the client smart cards (even if there are none; the server smart card will just go away). The smartcard checkbox that’s available in the Windows RDP client makes no difference. pkcs11-tool just says “No Slots.”
What’s interesting is that in the Windows Server device manager, the card reader still shows up. So it’s not gone, but pkcs11-tool just will not see it.
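One way for a server-side background task to detect this condition before it fails on a missing token (an added example, not code from this thread, from OpenSC or from Nitrokey): parse the `pkcs11-tool -L` listing shown earlier in the thread and check whether the expected token serial is still visible. The tool path and the `DENK0200654` serial come from the listing above; the two sample listings are constructed, and `check_live` is a hypothetical wrapper that runs the real tool.

```python
import re
import subprocess
from dataclasses import dataclass, field

# Path as shown in the thread's PowerShell prompt (assumed default OpenSC install).
PKCS11_TOOL = r"C:\Program Files\OpenSC Project\opensc\tools\pkcs11-tool.exe"

# Constructed sample: what the tool printed while the HSM was visible on the server.
SAMPLE_PRESENT = """Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK02006540000 ) 00 00
  token label        : SmartCard-HSM (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.5
  serial num         : DENK0200654
  pin min/max        : 6/15
"""
# Constructed sample: what the thread reports once an RDP session has redirected the readers.
SAMPLE_HIJACKED = "No slots.\n"

SLOT_RE = re.compile(r"^Slot (\d+) \(0x[0-9a-fA-F]+\): (.*)$")
FIELD_RE = re.compile(r"^\s*([a-zA-Z][a-zA-Z/ ]*?)\s*:\s*(.*)$")

@dataclass
class Slot:
    index: int
    description: str
    fields: dict = field(default_factory=dict)  # "serial num" -> "DENK0200654", ...

def parse_slot_listing(text: str) -> list:
    """Turn pkcs11-tool -L output into Slot records; 'No slots.' yields an empty list."""
    slots = []
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slots.append(Slot(int(m.group(1)), m.group(2).strip()))
            continue
        m = FIELD_RE.match(line)
        if m and slots:  # indented "key : value" lines belong to the last slot seen
            slots[-1].fields[m.group(1).strip()] = m.group(2).strip()
    return slots

def hsm_available(listing: str, expected_serial: str) -> bool:
    """True only if a token with the expected serial is present in the listing."""
    return any(s.fields.get("serial num") == expected_serial
               for s in parse_slot_listing(listing))

def check_live(expected_serial: str, tool: str = PKCS11_TOOL) -> bool:
    """Hypothetical wrapper: run the real tool and evaluate its output (not run in tests)."""
    proc = subprocess.run([tool, "-L"], capture_output=True, text=True)
    return hsm_available(proc.stdout, expected_serial)
```

A scheduled task can call `check_live("DENK0200654")` before each signing or decryption step and log the failure instead of crashing while the reader is hijacked by a session.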
Perhaps replacing RDP with VNC would be an option?
Finally I would write to Microsoft support asking what is the recommended solution.
In general this is Windows’ designed limitation, and affects all smart cards.
PS: For the discoverability of the post, I suggest moving this question to a new thread (and in general any logically separate one). Otherwise fewer users will see it, since they ignore the previous topic.
Edit: done
I tried this at my home lab and it could be perfectly reproduced: a Nitrokey HSM2 and a CardOS-based smartcard connected to a Windows machine disappeared, and another Nitrokey HSM2 from the Unix laptop kicked it. One can even see messages from the OpenSC notify service popping up about smartcards being disconnected.