When RDP as a Domain User, Smart Card Requested

15

4

My W8 machine is connected to domain zen. If I rdp to the W8 machine, I can log in as a local user without problems. If I try to log in as a domain user, I am prompted for a smart card instead of a password.

Any ideas why?

[Screenshot: Windows 8 RDP Smart Card prompt]

Note that Interactive login: require smart card is disabled in group policy:

[screenshot]

And here is the output from rsop.msc:

[screenshot]

Some additional information on this one. If my connecting machine is on the same domain/network as the W8 machine, then I am prompted for a password as usual. If the machine is remote, on a different domain, then I am prompted for a smart card. In addition, the machine I am connecting from that gets the smartcard prompt is an XP box - so it may be an issue confined to mstsc.exe version 6.0.x - with 6.1 the authentication is managed prior to the rdp gui session being established.

I haven't isolated exactly which of these factors triggers the different response.

Paul

Posted 2012-10-22T22:56:05.043

Reputation: 52 173

I'm having the same issue except that it is occurring even if I'm logging into a Windows 8.1 workstation via RDP directly from the domain server itself (Windows 2012 R2). The "require smart card" GPO setting is disabled and shows as such in RSOP, but the only way I can log in is by selecting "Other user". Very strange... – nextgentech – 2015-02-17T20:24:50.847

Where did you get that screen shot from? Are you sure the policy is being applied? Run rsop.msc on the target machine to get the "Resultant Set of Policy". Check to see if required logon is enabled or disabled when you do that. – Scott Chamberlain – 2012-10-22T23:58:33.970

@ScottChamberlain Updated with the output from rsop. "Required Logon" isn't an option I can see, and require smart card is undefined. I would expect this to default to "require" if undefined. What policies is this a result of - it must be the local and domain group policies right? I don't have a domain level group policy. – Paul – 2012-10-23T00:07:58.147

I meant to type "Require Smart Card" instead of "require login". But this is the effective policy on the computer adding together local computer policies, local user policies, domain computer policies, and domain user policies. When it is not defined it defaults to disabled. Also, was that RSOP screenshot from your computer or the server (when you are logged in as you)?

– Scott Chamberlain – 2012-10-23T00:26:33.230

Just for curiosity's sake, see if you can logon as a local user, then do the RSOP in a run as ... as the domain user. Perhaps the setting is being applied on the domain user level, and if you ran rsop.msc on the local user level it would not pick up the setting. – Scott Chamberlain – 2012-10-23T00:34:56.810

I don't think I can - mmc requires elevation, so if I runas the domain user, it tells me I need to elevate, which would then just run as administrator (the domain user is in the administrators group) – Paul – 2012-10-23T00:47:38.953

I have the exact problem when doing remote desktop from a Linux machine. RD from a Windows machine works as normal. So probably the problem is caused by the client, but I'm also puzzled as to why it happens! – JorgeGT – 2013-01-10T15:00:27.593

Answers

7

I had exactly the same issue. No idea why it prompts for smartcard, but found 2 workarounds:

  1. use Linux RDP client (grdesktop) where you submit password before connection is made
  2. From XP, add /public to mstsc command line:

    mstsc /v a.b.c.d /public
    

Phil

Posted 2012-10-22T22:56:05.043

Reputation: 71

7

I managed to bypass the problem by clicking on "other user". I was then able to enter my username and could enter a password.

Yehuda

Posted 2012-10-22T22:56:05.043

Reputation: 215

4

You have to disable Interactive logon: require smart card in

Control Panel / Administrative Tools / Edit Group Policy / 
   Computer Configuration / Windows Settings / Security Settings / 
      Local Policies / Security Options

Note that these are server-side settings and so apply to the machine being connected to.

0sh

Posted 2012-10-22T22:56:05.043

Reputation: 861
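
The policy named in the answer above can also be read directly on the target machine, which avoids the rsop.msc elevation problem raised in the comments. This is an added example, not part of the original answers: the function name `Get-SmartCardLogonState` is hypothetical, and the per-account `SMARTCARD_REQUIRED` check is an extra beyond what the thread discusses.

```powershell
# Added example: run in an elevated PowerShell session on the machine being connected to.
function Get-SmartCardLogonState {
    param(
        # Pass the domain account that gets the smart card prompt.
        [string]$SamAccountName = $env:USERNAME
    )

    # Reject characters that could alter the LDAP filter built below.
    if ($SamAccountName -notmatch '^[\w.\-$]+$') {
        throw "Unexpected characters in account name: $SamAccountName"
    }

    # "Interactive logon: Require smart card" is stored as the DWORD value
    # scforceoption; 1 = enabled, 0 or absent = disabled / not defined.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $entry = Get-ItemProperty -Path $key -Name 'scforceoption' -ErrorAction SilentlyContinue
    if ($null -eq $entry) {
        $machinePolicy = 'Not defined (treated as disabled)'
    } elseif ($entry.scforceoption -eq 1) {
        $machinePolicy = 'Enabled'
    } else {
        $machinePolicy = 'Disabled'
    }

    # Per-account flag "Smart card is required for interactive logon":
    # bit 0x40000 (SMARTCARD_REQUIRED) of userAccountControl in Active Directory.
    $accountFlag = 'Unknown (account not found in the directory)'
    try {
        $filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
        $hit = ([adsisearcher]$filter).FindOne()
        if ($hit) {
            $uac = [int]$hit.Properties['useraccountcontrol'][0]
            $accountFlag = [bool]($uac -band 0x40000)
        }
    } catch {
        $accountFlag = "Unknown ($($_.Exception.Message))"
    }

    [pscustomobject]@{
        Computer                 = $env:COMPUTERNAME
        RequireSmartCardPolicy   = $machinePolicy
        Account                  = $SamAccountName
        AccountRequiresSmartCard = $accountFlag
    }
}

Get-SmartCardLogonState
```

If both values come back disabled or false, the prompt is not being forced by policy, which is consistent with the client-side workarounds in the other answers.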

1

I realized that if I don't specify a username in the RDP connection and I use the IP address instead of the server's name, no smartcard is requested to login on the server.

ImAlmogaver

Posted 2012-10-22T22:56:05.043

Reputation: 11

0

I've had this issue, and can confirm that if you change your remote desktop client's login username to \, it logs in just fine to the currently logged in session and doesn't prompt for the smart card anymore. This was with Remote Desktop Connection for Mac.

vercellop

Posted 2012-10-22T22:56:05.043

Reputation: 121

0

I found that adding the -p - option to the command line solved the problem, e.g.

    rdesktop machine.domain.com -u user -p -

When I use an invocation like that it'll then ask for a password in the terminal before starting the RDP session, then log in without asking for a smart card.

Andy Royal

Posted 2012-10-22T22:56:05.043

Reputation: 1

0

Another thing you might look for is a program called "Bitguard". I started getting the Smart Card prompt when trying to access shared devices on my network. This was driving me crazy because every time I tried to disable it using Control Panel, I got a Windows Explorer crash or it was grayed out so I couldn't make the choice to use ID and Password. After much research, I read somewhere that a recently added program can cause this. I went to see what was recently installed and saw the culprit "Bitguard". As soon as that was uninstalled, I was able to access the network devices using ID and password with no other changes to my system.

Sam

Posted 2012-10-22T22:56:05.043

Reputation: 1