Smart-card authentication for remote RDP hosts


The client wanted to enable smart card authentication for web users of their VPN solution, to provide secure access to RDP/Windows hosts behind the firewall.


Unlike passwords, smart card authentication requires the browser to access hardware on the user’s system. This meant developing an interface that is seamless from the user’s point of view, and passing credentials securely to the backend host/server by including third-party modules.


Over multiple iterations we arrived at a solution that masks the complexity of smart card access and uses certificate-based secure access to transmit secrets end-to-end.


Windows AD/CA, certificate-based authentication

  • The user’s system is equipped with a smart card agent to read smart card credentials,
  • The browser interacts with the agent over a secure channel,
  • RDP connection requests directed to the firewall are authenticated and the smart card details are collected over a secure channel,
  • The smart card certificate is then passed to the RDP host, which in turn validates the certificate with Windows AD/CA or a similar certificate service.