To use the derived credentials feature, you must create a group policy object (GPO) in Active Directory that pairs a virtual smart card with the smart card middleware installed on the remote desktop. You then apply the GPO to the organizational unit (OU) that contains the remote desktop.

Prerequisites

  • Verify that the system requirements for using derived credentials are met. See Smart Card Authentication Requirements.
  • Create a Virtual Smart Card.
  • Verify that you can log in as an Administrator domain user on the machine that hosts your Active Directory server.
  • Verify that the MMC and Group Policy Management Editor snap-in are available on your Active Directory server.

Procedure

  1. On the Active Directory server, open the Group Policy Management Console (gpmc.msc).
  2. Right-click Group Policy Objects and select New.
  3. In the Name text box, type a name for the group policy object, for example, Derived Credentials, and click OK.
  4. Right-click the group policy object that you created and select Edit.
  5. Expand Computer Configuration > Preferences > Windows Settings.
  6. Right-click Registry and select New > Collection Item.
  7. Change the collection item name from Collection to a meaningful name, for example, the middleware name Charismathics.
  8. To create registry items that pair a virtual smart card with the smart card middleware installed in the remote desktop, right-click the collection item that you created and select New > Registry Item.
    To pair a virtual smart card with Charismathics middleware, use the following values.
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\VMware Remote Smart Card]
    • "ATR"=hex:3b,1c,96,56,4d,57,61,72,65,43,61,72,64,23,31
    • "Crypto Provider"="Charismathics Smart Security Interface CSP"
    To pair a virtual smart card with ActivClient middleware, use the following values.
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\VMware Remote Smart Card]
    • "80000001"="C:\\Program Files\\HID Global\\ActivClient\\ac.scapi.scmd.dll"
    • "ATR"=hex:3b,1c,96,56,4d,57,61,72,65,43,61,72,64,23,31
    • "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
    • "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
    • "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
  9. Open the Group Policy Management Editor and link the new GPO to the OU that contains the remote desktop.
    For a virtual desktop, link the GPO to the OU that contains the virtual desktop. For a published desktop, link the GPO to the OU that contains the RDS host.
  10. To apply and verify the registry settings on the remote desktop, restart the remote desktop, or open a command prompt on the remote desktop and run gpupdate /force.
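As an added check that is not part of the VMware documentation, the following PowerShell script, run on the remote desktop after the GPO has applied, reads the registry key from step 8 and compares the ATR and Crypto Provider values with the documented ones; the key path and byte values come from the procedure above, while the script's structure and messages are its own assumptions.

```powershell
# Added verification script (not from the VMware documentation). Run it in an
# elevated PowerShell session on the remote desktop after the GPO has applied
# (after a restart or "gpupdate /force"). Key path and expected values are
# taken from step 8 above; the checks themselves are this script's assumptions.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\VMware Remote Smart Card'

# Documented ATR: 3b,1c,96,56,4d,57,61,72,65,43,61,72,64,23,31 (stored as REG_BINARY)
$expectedAtr = [byte[]](0x3b,0x1c,0x96,0x56,0x4d,0x57,0x61,0x72,0x65,0x43,0x61,0x72,0x64,0x23,0x31)

if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Host "FAIL: key not found: $keyPath (GPO not applied, or linked to the wrong OU?)"
    exit 1
}
$item = Get-ItemProperty -LiteralPath $keyPath
$ok = $true

# Compare the ATR byte-by-byte; Compare-Object returns nothing when the arrays match.
$atr = [byte[]]$item.ATR
if ($null -eq $atr -or $atr.Length -ne $expectedAtr.Length -or
    (Compare-Object $atr $expectedAtr -SyncWindow 0)) {
    $got = ($atr | ForEach-Object { $_.ToString('x2') }) -join ','
    Write-Host "FAIL: ATR mismatch, got: $got"
    $ok = $false
} else {
    Write-Host "OK:   ATR matches the documented value"
}

# Crypto Provider must be one of the two documented values (Charismathics or ActivClient).
$validProviders = @('Charismathics Smart Security Interface CSP',
                    'Microsoft Base Smart Card Crypto Provider')
$provider = $item.'Crypto Provider'
if ($validProviders -contains $provider) {
    Write-Host "OK:   Crypto Provider = '$provider'"
} else {
    Write-Host "FAIL: unexpected or missing Crypto Provider '$provider'"
    $ok = $false
}

# For the ActivClient pairing, value '80000001' must point at an existing minidriver DLL.
if ($provider -eq 'Microsoft Base Smart Card Crypto Provider') {
    $dll = $item.'80000001'
    if ($dll -and (Test-Path -LiteralPath $dll)) {
        Write-Host "OK:   minidriver present: $dll"
    } else {
        Write-Host "FAIL: minidriver value missing or file not found: '$dll'"
        $ok = $false
    }
}
if ($ok) { exit 0 } else { exit 1 }
```

A non-zero exit code means the GPO has not yet reached this machine or the registry items differ from the documented pairing; fix the GPO link or values and re-run gpupdate /force.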

What to do next

Log in to the server and connect to the remote desktop. The process is the same as when you use a physical smart card.

Note: If you enter the wrong PIN more than five times when using a virtual smart card to authenticate, the virtual smart card is removed and you must create a new virtual smart card.