To use the derived credentials feature, you must create a group policy object (GPO) in Active Directory that pairs a virtual smart card with the smart card middleware installed on the remote desktop. You then apply the GPO to the organizational unit (OU) that contains the remote desktop.
- Verify that the system requirements for using derived credentials are met. See Smart Card Authentication Requirements.
- Create a Virtual Smart Card.
- Verify that you can log in as an Administrator domain user on the machine that hosts your Active Directory server.
- Verify that the MMC and Group Policy Management Editor snap-in are available on your Active Directory server.
- On the Active Directory server, open the Group Policy Management Console (gpmc.msc).
- Right-click Group Policy Objects and select New.
- In the Name text box, type a name for the group policy object, for example, Derived Credentials, and click OK.
- Right-click the group policy object that you created and select Edit.
- Expand .
- Right-click Registry and select .
- Change the collection item name from Collection to a meaningful name, for example, the middleware name Charismathics.
- To create registry items that pair a virtual smart card with the smart card middleware installed in the remote desktop, right-click the collection item that you created and select . To pair a virtual smart card with Charismathics middleware, use the following values.
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\VMware Remote Smart Card]
- "Crypto Provider"="Charismathics Smart Security Interface CSP"
- Open the Group Policy Management Editor and link the new GPO to the OU that contains the remote desktop.
For a virtual desktop, link the GPO to the OU that contains the virtual desktop. For a published desktop, link the GPO to the OU that contains the RDS host.
- To verify the registry settings in the remote desktop, restart the remote desktop, or open a command prompt in the remote desktop and run gpupdate /force, then confirm that the registry key and the Crypto Provider value above are present.
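The following PowerShell script is an added example, not part of the VMware documentation above. It scripts the same outcome as the procedure: one function builds and links the GPO on the Active Directory server, and a second function, run on the remote desktop after gpupdate /force, checks that the registry pairing arrived and that the named CSP is actually installed. The GPO name and OU distinguished name are placeholders you must change; the registry key and CSP name are the ones the procedure uses. Note that Set-GPRegistryValue writes a registry policy (registry.pol) rather than the Group Policy Preferences registry item created in the editor, but both deliver the same value to HKLM on the target machine.

```powershell
# Added example (not VMware's code): script the derived-credentials GPO and verify it.
# Assumptions: $GpoName and $TargetOu are placeholders for your environment.
# The Calais key and CSP name are the values given in the procedure above.

$GpoName   = 'Derived Credentials'                        # assumption: your GPO name
$TargetOu  = 'OU=RemoteDesktops,DC=example,DC=com'        # assumption: OU holding the remote desktop
$CalaisKey = 'HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\VMware Remote Smart Card'
$CspName   = 'Charismathics Smart Security Interface CSP' # from the procedure above

# Run on the Active Directory server as a domain administrator.
function New-DerivedCredentialsGpo {
    param([string]$Name = $GpoName, [string]$Target = $TargetOu)
    Import-Module GroupPolicy

    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }

    # Pair the virtual smart card with the middleware CSP (registry policy, not a GPP item).
    Set-GPRegistryValue -Name $Name -Key $CalaisKey -ValueName 'Crypto Provider' `
        -Type String -Value $CspName | Out-Null

    # Link the GPO to the OU that contains the remote desktop
    # (for a published desktop, use the OU that contains the RDS host).
    $linked = (Get-GPInheritance -Target $Target).GpoLinks |
        Where-Object { $_.DisplayName -eq $Name }
    if (-not $linked) {
        New-GPLink -Name $Name -Target $Target -LinkEnabled Yes | Out-Null
    }
    return $gpo
}

# Run on the remote desktop after 'gpupdate /force' (or a restart).
function Test-DerivedCredentialsRegistry {
    $keyPath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\VMware Remote Smart Card'
    $result  = [ordered]@{ KeyPresent = $false; ProviderMatches = $false; CspRegistered = $false }

    if (Test-Path $keyPath) {
        $result.KeyPresent = $true
        $provider = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).'Crypto Provider'
        $result.ProviderMatches = ($provider -eq $CspName)
    }

    # The pairing is useless if the named CSP is not installed, so also confirm that
    # the middleware registered it (32-bit middleware registers under WOW6432Node).
    $cspPaths = @(
        "HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\$CspName",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider\$CspName"
    )
    $result.CspRegistered = [bool]($cspPaths | Where-Object { Test-Path $_ })

    return [pscustomobject]$result
}

# Usage:
#   On the AD server:      New-DerivedCredentialsGpo
#   On the remote desktop: gpupdate /force; Test-DerivedCredentialsRegistry
```

All three fields of the verification result should be True before you attempt a smart card login; a False in CspRegistered points at the middleware installation on the desktop rather than at the GPO.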
What to do next
Log in to the server and connect to the remote desktop. The process is the same as when you use a physical smart card.