Smart-card authentication for remote RDP hosts

OBJECTIVES/GOAL

The client wanted to enable smart card authentication for web users of their VPN solution, giving them secure access to RDP/Windows hosts behind the firewall.

CHALLENGES

Unlike password authentication, smart card authentication requires the browser to access hardware on the user’s system. The challenge was to develop an interface that is seamless from the user’s point of view while passing the credentials securely to the backend host/server, which meant integrating third-party modules.

ACCOMPLISHMENTS

Over multiple iterations we arrived at a solution that masks the complexity of smart card access.

Used certificate-based secure access to transmit secrets end-to-end.

TECHNOLOGIES

Windows AD/CA, certificate-based authentication.

SOLUTION ARCHITECTURE
  • The user’s system is equipped with a smart card agent that reads the smart card credentials.
  • The browser interacts with the agent over a secure channel.
  • RDP connection requests directed to the firewall are authenticated, and the smart card details are collected over a secure channel.
  • The smart card certificate is then passed to the RDP host, which in turn validates the certificate against Windows AD/CA or a similar certificate service.
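As an added illustration of the last step above (the RDP host validating the presented certificate), the following Go program is an example written for this page, not the client’s or any vendor’s code. It builds a throwaway CA and two logon certificates in memory, then models the host-side checks that a practitioner would insist on: the certificate must chain to the trusted CA, carry both the Client Authentication and the Smart Card Logon extended key usages, and the card must prove possession of the private key by signing a nonce the host chose, so that merely holding a copy of someone’s certificate is not enough to log on. The CA, the account names and the nonces are constructed for the example; the Smart Card Logon OID is the real Windows value; the Subject CN stands in for the UPN that Windows reads from the SubjectAltName.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Real OID of the Windows Smart Card Logon EKU; the rest of this file is an
// illustrative model written for this page, not vendor or Microsoft code.
var oidSmartCardLogon = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2}

// ValidateSmartCardLogon models the RDP host's decision: the certificate must
// chain to the trusted CA with the Client Authentication EKU and carry the Smart
// Card Logon EKU, and the card must sign the host's nonce to prove it holds the
// private key (a copied certificate alone must not log on). Windows maps the
// account from a UPN in SubjectAltName that crypto/x509 does not parse; CN stands in.
func ValidateSmartCardLogon(leafDER []byte, roots *x509.CertPool, nonce, sig []byte) (string, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return "", err
	}
	if _, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err // validity period, signatures, chain to the CA
	}
	hasSCL := false
	for _, u := range leaf.UnknownExtKeyUsage { // Go has no named constant for this EKU
		hasSCL = hasSCL || u.Equal(oidSmartCardLogon)
	}
	if !hasSCL {
		return "", errors.New("missing Smart Card Logon EKU")
	}
	h := sha256.Sum256(nonce)
	if pub, ok := leaf.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", errors.New("proof of possession failed")
	}
	return leaf.Subject.CommonName, nil
}

// issue builds the constructed test PKI: a self-signed CA when parent is nil,
// otherwise a logon certificate (smartCard toggles the Smart Card Logon EKU).
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, smartCard bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		parent, parentKey = tmpl, key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		if smartCard {
			tmpl.UnknownExtKeyUsage = []asn1.ObjectIdentifier{oidSmartCardLogon}
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// Demo runs one genuine logon and two that must fail: a certificate issued
// without the Smart Card Logon EKU, and a signature replayed against a fresh nonce.
func Demo() (account string, noEKU, replay error) {
	sign := func(key *ecdsa.PrivateKey, nonce []byte) []byte { // the card's half of proof of possession
		h := sha256.Sum256(nonce)
		sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
		check(err)
		return sig
	}
	ca, caKey := issue("Constructed Issuing CA", nil, nil, false)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	nonce := []byte("constructed nonce 1") // random per session in real use
	good, goodKey := issue("alice@corp.example", ca, caKey, true)
	account, err := ValidateSmartCardLogon(good.Raw, roots, nonce, sign(goodKey, nonce))
	check(err)
	bad, badKey := issue("mallory@corp.example", ca, caKey, false)
	_, noEKU = ValidateSmartCardLogon(bad.Raw, roots, nonce, sign(badKey, nonce))
	_, replay = ValidateSmartCardLogon(good.Raw, roots, []byte("constructed nonce 2"), sign(goodKey, nonce))
	return account, noEKU, replay
}

func main() { fmt.Println(Demo()) }
```

Run it with go run; Demo returns the accepted account plus the two rejections. The second certificate is a perfectly valid client-authentication certificate from the same CA, which is exactly why the Smart Card Logon EKU check matters: without it any machine or user certificate the CA ever issued would open an RDP session. In a real deployment the nonce is random per session, revocation checking is added to the chain validation, and the account is resolved in AD from the certificate’s UPN rather than its CN.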