1

In preparation to deploy our new 2012R2 RD farm, we have updated our HP thin clients to ThinPro 5.0. They connect just fine using username/password, but when I try to use a smart card, I get the message:

Please use external device to unlock the smart card.

This message is quickly replaced with:

The PIN could not be verified. The credentials could not be verified.

I thought it was a certificate issue, but the correct certs are in the server. I can use the smart card to log into the 2012R2 farm from any other laptop or desktop, just not these thin clients.

ThinPro 5.0 uses freeRDP to make RDP connections. I have tried adding some arguments to the connection parameters, but nothing works. Has anyone else encountered a problem with smart cards in freeRDP like this?

Rex
Mighty Ferengi

2 Answers

1

There are a couple of great articles that can help you out here. This issue generally pertains to issues with trusting root CA certs that your thin clients and the RDS servers use.

Check the trusted root certificate store on the thin client and see if it has your root CA cert that issued the domain controller certs.

Possible page that walks you through updating the store for these thin clients:

bobmagoo
0

I found that the issue was that the "Smart Card" service on the server was not being started by the service triggers when connecting from a FreeRDP client. If I manually started the Smart Card service on the server, I could log in using freerdp/smartcard.

The problem is that the Smartcard service turns itself off after about 1 minute. You can see the start triggers using "sc qtriggerinfo scardsvr", but the stops seem to be hard coded in the service. If there is a way to disable the stop, that would work too. Apparently the trigger start, auto stop is a feature that was added.

I had reached out to the FreeRDP GitHub with a general "use with smartcard" question and got a quick response that it was hard for them to test, as they don't have an environment or smartcards/readers. I did not get a chance to reach out about the trigger starts yet, so unfortunately I do not yet have a solution.

Andy Haer
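One way to check whether the behaviour described in the answer above is happening on your server, as an added example that is not part of the original answer: this PowerShell script prints the Smart Card service's trigger configuration and then logs every state change while you attempt a smart card logon from the thin client. The parameter names and the default duration and interval are assumptions chosen for illustration.

```powershell
# Added diagnostic example (not from the original answer).
# Run on the RD Session Host, then attempt a smart card logon from the client.
param(
    [string]$ServiceName     = 'SCardSvr',  # Smart Card service queried in the answer
    [int]   $DurationSeconds = 180,         # assumption: covers the ~1 minute auto-stop
    [int]   $IntervalSeconds = 2            # assumption: polling interval
)

# Show the configured start triggers (the same query the answer mentions).
& sc.exe qtriggerinfo $ServiceName

# Poll the service and print a timestamped line only when its state changes.
$last     = $null
$deadline = (Get-Date).AddSeconds($DurationSeconds)
while ((Get-Date) -lt $deadline) {
    $status = (Get-Service -Name $ServiceName).Status
    if ($status -ne $last) {
        '{0:HH:mm:ss}  {1}: {2} -> {3}' -f (Get-Date), $ServiceName, $last, $status
        $last = $status
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

If the service never leaves Stopped during a FreeRDP logon attempt but does change to Running when a Windows client connects, that matches what the answer reports.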