deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 12:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

metadata updates

Browse Source
This commit is contained in:
Paolo Matarazzo
2023-11-07 08:07:39 -05:00
parent ef321b6860
commit 5beab6114f
13 changed files with 9 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/docfx.json
View File

@ -218,6 +218,8 @@
"identity-protection/hello-for-business/*.md": "erikdau",
"identity-protection/credential-guard/*.md": "zwhittington",
"identity-protection/access-control/*.md": "sulahiri",
"identity-protection/smart-cards/*.md": "ardenw",
"identity-protection/virtual-smart-cards/*.md": "ardenw",
"operating-system-security/network-security/windows-firewall/*.md": "paoloma",
"operating-system-security/network-security/vpn/*.md": "pesmith",
"operating-system-security/data-protection/personal-data-encryption/*.md":"rhonnegowda",
@ -231,7 +233,7 @@
"threat-protection/auditing/*.md": "tier3",
"operating-system-security/data-protection/bitlocker/*.md": "tier1",
"operating-system-security/data-protection/personal-data-encryption/*.md": "tier1",
"operating-system-security/network-security/windows-firewall/*.md": [ "tier3", "must-keep" ]
"operating-system-security/network-security/windows-firewall/*.md": [ "tier2", "must-keep" ]
}
},
"template": [],

13
windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
View File

@ -3,7 +3,6 @@ ms.date: 11/06/2023
title: Smart Card and Remote Desktop Services
description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
ms.topic: conceptual
ms.reviewer: ardenw
---
# Smart Card and Remote Desktop Services
@ -13,8 +12,8 @@ Smart card redirection logic and *WinSCard API* are combined to support multiple
Smart card support is required to enable many Remote Desktop Services scenarios. These include:
- Using Fast User Switching or Remote Desktop Services. A user is not able to establish a redirected smart card-based remote desktop connection. That is, the connect attempt is not successful in Fast User Switching or from a Remote Desktop Services session
- Enabling *Encrypting File System* (EFS) to locate the user's smart card reader from the *Local Security Authority* (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS is not able to locate the smart card reader or certificate, EFS cannot decrypt user files
- Using Fast User Switching or Remote Desktop Services. A user isn't able to establish a redirected smart card-based remote desktop connection. That is, the connect attempt isn't successful in Fast User Switching or from a Remote Desktop Services session
- Enabling *Encrypting File System* (EFS) to locate the user's smart card reader from the *Local Security Authority* (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS isn't able to locate the smart card reader or certificate, EFS can't decrypt user files
## Remote Desktop Services redirection
@ -37,9 +36,9 @@ Notes about the redirection model:
As a part of the Common Criteria compliance, the RDC client must be configurable to use Credential Manager to acquire and save the user's password or smart card PIN. Common Criteria compliance requires that applications not have direct access to the user's password or PIN.
Common Criteria compliance requires specifically that the password or PIN never leave the LSA unencrypted. A distributed scenario should allow the password or PIN to travel between one trusted LSA and another, and it cannot be unencrypted during transit.
Common Criteria compliance requires specifically that the password or PIN never leave the LSA unencrypted. A distributed scenario should allow the password or PIN to travel between one trusted LSA and another, and it can't be unencrypted during transit.
When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services sessions, users still need to sign in for every new Remote Desktop Services session. However, the user is not prompted for a PIN more than once to establish a Remote Desktop Services session. For example, after the user double-clicks a Microsoft Word document icon that resides on a remote computer, the user is prompted to enter a PIN. This PIN is sent by using a secure channel that the credential SSP has established. The PIN is routed back to the RDC client over the secure channel and sent to Winlogon. The user does not receive any additional prompts for the PIN, unless the PIN is incorrect or there are smart card-related failures.
When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services sessions, users still need to sign in for every new Remote Desktop Services session. However, the user isn't prompted for a PIN more than once to establish a Remote Desktop Services session. For example, after the user double-clicks a Microsoft Word document icon that resides on a remote computer, the user is prompted to enter a PIN. This PIN is sent by using a secure channel that the credential SSP has established. The PIN is routed back to the RDC client over the secure channel and sent to Winlogon. The user doesn't receive any additional prompts for the PIN, unless the PIN is incorrect or there are smart card-related failures.
### Remote Desktop Services and smart card sign-in
@ -47,7 +46,7 @@ Remote Desktop Services enables users to sign in with a smart card by entering a
In addition, Group Policy settings that are specific to Remote Desktop Services need to be enabled for smart card-based sign-in.
To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer is not in the same domain or workgroup, the following command can be used to deploy the certificate:
To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer isn't in the same domain or workgroup, the following command can be used to deploy the certificate:
```cmd
certutil.exe -dspublish NTAuthCA "DSCDPContainer"
@ -88,4 +87,4 @@ For information about this option for the command-line tool, see [-addstore](/pr
Sign-in to Remote Desktop Services across a domain works only if the UPN in the certificate uses the following form: `<ClientName>@<DomainDNSName>`.
The UPN in the certificate must include a domain that can be resolved. Otherwise, the Kerberos protocol cannot determine which domain to contact. You can resolve this issue by enabling GPO X509 domain hints. For more information about this setting, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
The UPN in the certificate must include a domain that can be resolved. Otherwise, the Kerberos protocol can't determine which domain to contact. You can resolve this issue by enabling GPO X509 domain hints. For more information about this setting, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).

1
windows/security/identity-protection/smart-cards/smart-card-architecture.md
View File

@ -1,7 +1,6 @@
---
title: Smart Card Architecture
description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
ms.reviewer: ardenw
ms.topic: reference-architecture
ms.date: 11/06/2023
---

1
windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
View File

@ -1,7 +1,6 @@
---
title: Certificate Propagation Service
description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
ms.reviewer: ardenw
ms.topic: concept-article
ms.date: 08/24/2021
---

1
windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
View File

@ -1,7 +1,6 @@
---
title: Certificate Requirements and Enumeration
description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
ms.reviewer: ardenw
ms.topic: concept-article
ms.date: 11/06/2023
---

4
windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
View File

@ -1,10 +1,6 @@
---
title: Smart Card Troubleshooting
description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
ms.reviewer: ardenw
ms.collection:
- highpri
- tier2
ms.topic: troubleshooting
ms.date: 11/06/2023
---

1
windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
View File

@ -1,7 +1,6 @@
---
title: Smart Card Group Policy and Registry Settings
description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
ms.reviewer: ardenw
ms.topic: reference
ms.date: 11/06/2023
---

1
windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
View File

@ -1,7 +1,6 @@
---
title: How Smart Card Sign-in Works in Windows
description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
ms.reviewer: ardenw
ms.topic: overview
ms.date: 1/06/2023
---

1
windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
View File

@ -1,7 +1,6 @@
---
title: Smart Card Removal Policy Service
description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
ms.reviewer: ardenw
ms.topic: concept-article
ms.date: 09/24/2021
---

1
windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
View File

@ -1,7 +1,6 @@
---
title: Smart Cards for Windows Service
description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
ms.reviewer: ardenw
ms.topic: concept-article
ms.date: 11/06/2023
---

1
windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
View File

@ -1,7 +1,6 @@
---
title: Smart Card Tools and Settings
description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
ms.reviewer: ardenw
ms.topic: conceptual
ms.date: 11/06/2023
---

1
windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
View File

@ -1,7 +1,6 @@
---
title: Smart Card Technical Reference
description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
ms.reviewer: ardenw
ms.topic: overview
ms.date: 11/06/2023
---

1
windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
View File

@ -1,7 +1,6 @@
---
title: Understanding and Evaluating Virtual Smart Cards
description: Learn how smart card technology can fit into your authentication design.
ms.prod: windows-client
ms.topic: conceptual
ms.date: 11/06/2023
---