Problem with accessing over RDP a Nitrokey HSM2 connected to the Windows' server

For your information, I have another issue with the smart card interface of the HSM2 device. Windows won’t recognize my HSM (plugged into the server) when I log in with Windows Remote Desktop.

This is an issue with the design of Windows and there is no way around it: smartcard - How do I get my server HSM working while connected via RDP? (Win 2019) - Information Security Stack Exchange

So long story short, HSM2 is for end users, and not that great for server use. Maybe Nitrokey could put some writing on their product description that points out these problems.

I was surprised that my Nitrokey HSMs work fine across a Citrix connection, without any configuration except for getting it visible locally.

I don’t think it is a problem related to Nitrokey - probably all other devices have this problem.

You are right, I just mean to say that from the product description, it shows that it can do a lot of things. But it is not the ideal solution for the problem I was trying to solve.

We have a setup where Nitrokeys are accessible to many systems (Linux mainly but also Windows VMs running on ESX) - we made them available via the device that shares USB ports over the network (UTN-800 from SEH). It works pretty well if one gets the USB controller drivers right (no problem on Windows).


Here is something to the remote access:

I am running a Windows Server 2019 instance in a virtual machine on Xen. I am using XFreeRDP client on my FreeBSD laptop. I have installed OpenSC 0.22.0 in a virtual machine.

I have added this parameter /smartcard:"Nitrokey Nitrokey HSM (DENK02006540000 ) 00 00" to the command line that connects me to my virtual server.

And here it goes:

PS C:\Program Files\OpenSC Project\opensc\tools> .\pkcs11-tool -L
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK02006540000         ) 00 00
  token label        : SmartCard-HSM (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.5
  serial num         : DENK0200654
  pin min/max        : 6/15

So, there is nothing “Nitrokey” that prevents this from working. Either the RDP client has smartcard redirection disabled or the server policy is set not to allow this…


Thank you for the information, but that doesn’t apply to my situation if I understand it. Correct me if I’m wrong. I think your information is for a Linux user with a Nitrokey on the client machine.

My server has the HSM plugged into it. It’s running background tasks that need it on the server, whether someone’s logged in to it or not.

Upon logging in via Windows RDP, the client will override all server-side smart cards, and replace them with the client smart cards (even if there’s none - the server smart card will just go away). The smartcard-checkbox that’s available on the Windows RDP client makes no difference. pkcs11-tool just says “No Slots.”


What’s interesting is that in the Windows Server device manager, the card reader still shows up. So it’s not gone, but pkcs11-tool just will not see it.


Hi!

If I understood the problem, you would like to access the server-connected HSM smartcard device while logged in through RDP.

  1. Past thread about that:
  2. As a workaround, would pkcs11-proxy be any help in that case? Example implementations:
  3. Another workaround idea is USB over IP, e.g. Home | VirtualHere
  4. Perhaps replacing RDP with VNC would be an option?
  5. Finally I would write to Microsoft support asking what is the recommended solution.

In general this is Windows’ designed limitation, and affects all smart cards.

PS For the discoverability of the post, I suggest moving this question (and in general any logically separate one) to a new thread. Otherwise fewer users will see it because they ignore the previous topic.
Edit: done


@szszszsz can you split this part of a thread starting probably with HSM2 takes 2.5 seconds to RSA decrypt with 2048 key (w/ pkcs11-tool.exe) - #8 by Jacob_Bruinsma ? I do not have the buttons necessary to do this :)


So it seems it is so by design and cannot be turned off (old guide from Microsoft: The Smart Card Cryptographic Service Provider Cookbook | Microsoft Docs). I also found a blog entry in German which describes the very problem and suggests there is no solution. It seems like anything that uses WINSCARD.DLL (PC/SC services) will be redirected.

I tried this at my home lab and it could be perfectly reproduced - a Nitrokey HSM2 and a CardOS-based smartcard connected to a Windows machine disappeared and another Nitrokey HSM2 from the Unix laptop kicked in. One can even see messages from the OpenSC notify service popping up about smartcards being disconnected.

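An added example, not part of any post in this thread: a Python check that a server-side background task could run over the output of `pkcs11-tool -L` to tell whether it still sees the server's HSM, sees no token at all, or sees only other tokens (as when a client's card is redirected in over RDP). The function names and the two constructed samples are assumptions; the first sample is the output quoted earlier in the thread.

```python
import re

# Output quoted earlier in the thread (HSM visible to the session).
SAMPLE_VISIBLE = """\
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK02006540000         ) 00 00
  token label        : SmartCard-HSM (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.5
  serial num         : DENK0200654
  pin min/max        : 6/15
"""
# Constructed samples: no slots at all, and a different token in place of the HSM.
SAMPLE_EMPTY = "Available slots:\nNo slots.\n"
SAMPLE_OTHER = SAMPLE_VISIBLE.replace("DENK0200654", "CONSTRUCTED1")

SLOT_RE = re.compile(r"^Slot (\d+) \((0x[0-9a-fA-F]+)\): (.*)$")
FIELD_RE = re.compile(r"^\s+([^:]+?)\s*:\s*(.*)$")

def parse_slots(text):
    """Parse `pkcs11-tool -L` output into a list of dicts, one per slot."""
    slots = []
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:  # unindented "Slot N (0xN): <reader name>" starts a new slot
            slots.append({"slot": int(m.group(1)), "reader": m.group(3).strip()})
            continue
        f = FIELD_RE.match(line)
        if f and slots:  # indented "key : value" belongs to the last slot
            slots[-1][f.group(1)] = f.group(2).strip()
    return slots

def hsm_state(text, expected_serial):
    """Return 'visible', 'replaced' (other tokens only) or 'missing'."""
    serials = [s["serial num"] for s in parse_slots(text) if "serial num" in s]
    if expected_serial in serials:
        return "visible"
    if serials:
        return "replaced"  # tokens are present, but not the server's HSM
    return "missing"

if __name__ == "__main__":
    for sample in (SAMPLE_VISIBLE, SAMPLE_EMPTY, SAMPLE_OTHER):
        print(hsm_state(sample, "DENK0200654"))
```

Logging the state each time the task runs, together with the session it ran in, shows whether a "replaced" or "missing" result lines up with an RDP login.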

That’s right, I thought that maybe I had missed something. Thanks again for the thorough support.
