
The error I get from pkcs11-tool.exe is "No slots."

My server has a hardware security module (Nitrokey HSM 2) that becomes inaccessible once I connect to my server via Windows Remote Desktop.

Note: this is NOT for logging in with smart cards. I use my HSM to decrypt data with its private key.

I use this HSM with the pkcs11-tool.exe recommended by Nitrokey.

It does not matter whether or not I uncheck the box "Smart Cards or Windows Hello for Business". A workaround is to use a different program (AnyDesk) to connect to the server, but that is not a solution because I don't want to rely on a 3rd party remote access app.

What I'm using is the Nitrokey HSM 2 (https://shop.nitrokey.com/shop/product/nk-hsm-2-nitrokey-hsm-2-7).

FYI: if you want to use this HSM on a server, it's very slow. Up to 2.5 seconds for just a single 2048-bit RSA private key decryption. That's not cool if a user needs to repeatedly perform this kind of task. It's also really cheap, at less than $150 delivered, so you get the best possible protection for a low price.

Jacob Bruinsma
    Seems like Windows treats the HSM like a smartcard. Unfortunately it is a known restriction that smartcards connected to the RDP server are not available in an RDP session. – Robert Oct 21 '21 at 19:09
  • @Robert It does seem to act that way. No way around that? I couldn't find it, but I find it hard to Google this particular problem. HSM devices aren't very common compared to smart cards and SSL - and that's all that comes up when I search. – Jacob Bruinsma Oct 22 '21 at 22:49
  • There are a lot of similar questions on stackoverflow.com, mostly without a real answer. This one has an answer and a link to a very interesting blog article that contains the info that access to local smartcards is blocked in an RDP session by design: https://stackoverflow.com/questions/39978119/using-server-usb-smartcard-reader – Robert Oct 23 '21 at 11:25
  • @Robert It doesn't help that this topic spans the subject matters of security, programming, and servers. There's no obvious focus for where to discuss these things. About your link: that is indeed the same problem. The solution is unacceptable for me, so I'll either have to inform administrators that they're breaking the application while logged in, or buy a more expensive HSM that doesn't act like a smart card. – Jacob Bruinsma Oct 23 '21 at 13:40

1 Answer


For now, I use an alternative solution to logging into the server. TeamViewer, AnyDesk, VNC, an IP KVM, or using your server's BMC will circumvent the problem.

Robert commented on my question and it seems he was right. There's no real solution unless you want to consider hacking your Windows DLLs:

http://lifayk.blogspot.com/2012/07/windows-smart-card-subsystem-and-remote.html

My only options are to implement a different type of HSM that doesn't act like a smart card, or to mitigate the problem by alerting the administrator that they may be breaking the application while logged in via RDP.

Note: I contacted Nitrokey about this and they eventually agreed: it is a hard limitation of Windows. There is no legitimate workaround. If you want the server to use a smart card-based device, it will always be overridden by the RDP client as soon as you log in.

Jacob Bruinsma
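The mitigation the answer settles on is to warn whoever is logged in that an RDP session hides the server-side HSM. The following pre-flight check is an added example, not code from the question, the answer, Nitrokey or OpenSC: it runs `pkcs11-tool --list-slots`, parses the result, and, when the listing is empty, tells the operator whether the likely cause is an RDP session (Windows names interactive Remote Desktop sessions `RDP-Tcp#<n>` in the `SESSIONNAME` environment variable) or a plain missing device. The OpenSC module path is an assumed default to be adjusted per install, and the "Slot 0" sample output is constructed so the parser can be exercised offline.

```python
"""Pre-flight check for a PKCS#11 HSM that Windows treats as a smart card.

Added example, not from the original post. Assumes OpenSC's pkcs11-tool is on
PATH and that the module path below matches your install (override it via the
PKCS11_MODULE environment variable).
"""
import os
import re
import subprocess
from typing import Dict, List, Mapping, Optional

# Assumed default OpenSC module location on Windows; adjust for your install.
DEFAULT_MODULE = r"C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll"

# pkcs11-tool prints one "Slot <n> (0x<id>): <description>" line per slot.
SLOT_RE = re.compile(r"^Slot\s+(\d+)\s+\((0x[0-9a-fA-F]+)\):\s*(.*)$", re.MULTILINE)


def is_rdp_session(env: Mapping[str, str]) -> bool:
    """True when SESSIONNAME marks a Remote Desktop session ('RDP-Tcp#3').

    The local console reports 'Console'; the variable is absent on non-Windows hosts.
    """
    return env.get("SESSIONNAME", "").upper().startswith("RDP-")


def parse_slot_listing(output: str) -> List[Dict[str, object]]:
    """Parse `pkcs11-tool --list-slots` text into slot records.

    The "No slots." output from the question simply yields an empty list.
    """
    slots: List[Dict[str, object]] = []
    for m in SLOT_RE.finditer(output):
        slots.append({"index": int(m.group(1)),
                      "id": m.group(2),
                      "description": m.group(3).strip()})
    return slots


def diagnose(output: str, env: Mapping[str, str]) -> str:
    """Combine the slot listing with the session type into a one-line verdict."""
    slots = parse_slot_listing(output)
    if slots:
        return f"ok: {len(slots)} slot(s) visible"
    if is_rdp_session(env):
        return ("no slots: this is an RDP session; Windows hands smart-card-class "
                "devices to the RDP client, so the server-side HSM is hidden. "
                "Use the console, an IP KVM/BMC, or a non-RDP remote tool instead.")
    return "no slots: check that the HSM is plugged in and the PKCS#11 module path is correct"


def run_check(env: Optional[Mapping[str, str]] = None, module: Optional[str] = None) -> str:
    """Invoke pkcs11-tool for real; only meaningful on a host with OpenSC installed."""
    env = os.environ if env is None else env
    module = module or env.get("PKCS11_MODULE", DEFAULT_MODULE)
    proc = subprocess.run(["pkcs11-tool", "--module", module, "--list-slots"],
                          capture_output=True, text=True)
    return diagnose(proc.stdout + proc.stderr, env)


# Constructed sample outputs so the parser and verdict logic run offline.
SAMPLE_OK = ("Available slots:\n"
             "Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK00000000000) 00 00\n"
             "  token label        : UserPIN (SmartCard-HSM)\n")
SAMPLE_NONE = "No slots.\n"

if __name__ == "__main__":
    print(diagnose(SAMPLE_OK, {"SESSIONNAME": "Console"}))
    print(diagnose(SAMPLE_NONE, {"SESSIONNAME": "RDP-Tcp#3"}))
```

Run `run_check()` from the application's start-up path (or a scheduled task) and surface its verdict to the operator; the parsing and session detection are kept separate from the subprocess call so they can be unit-tested without a device attached.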