Microsoft Remote Desktop Mac Smart Card Redirection




Applies To: Windows 10, Windows 8.1, Windows Server 2012 R2, Windows Server 2016

You can use the Remote Desktop client for Mac to work with Windows apps, resources, and desktops from your Mac computer. Use the following information to get started - and check out the FAQ if you have questions.

Note

  • Curious about the new releases for the macOS client? Check out What's new for Remote Desktop on Mac?
  • The Mac client runs on computers running macOS 10.10 and newer.
  • The information in this article applies primarily to the full version of the Mac client - the version available in the Mac AppStore. Test-drive new features by downloading our preview app here: beta client release notes.

Get the Remote Desktop client

Follow these steps to get started with Remote Desktop on your Mac:

  1. Download the Microsoft Remote Desktop client from the Mac App Store.
  2. Set up your PC to accept remote connections. (If you skip this step, you can't connect to your PC.)
  3. Add a Remote Desktop connection or a remote resource. You use a connection to connect directly to a Windows PC and a remote resource to use a RemoteApp program, session-based desktop, or a virtual desktop published on-premises using RemoteApp and Desktop Connections. This feature is typically available in corporate environments.

What about the Mac beta client?

We're testing new features on our preview channel on AppCenter. Want to check it out? Go to Microsoft Remote Desktop for Mac and click Download. You don't need to create an account or sign into AppCenter to download the beta client.

If you already have the client, you can check for updates to ensure you have the latest version. In the beta client, click Microsoft Remote Desktop Beta at the top, and then click Check for updates.

Add a Remote Desktop connection

To create a remote desktop connection:

  1. In the Connection Center, click +, and then click Desktop.

  2. Enter the following information:

    • PC name - the name of the computer.
      • This can be a Windows computer name (found in the System settings), a domain name, or an IP address.
      • You can also add port information to the end of this name, like MyDesktop:3389.
    • User Account - Add the user account you use to access the remote PC.
      • For Active Directory (AD) joined computers or local accounts, use one of these formats: user_name, domain\user_name, or user_name@domain.com.
      • For Azure Active Directory (AAD) joined computers, use one of these formats: AzureAD\user_name or AzureAD\user_name@domain.com.
      • You can also choose whether to require a password.
      • When managing multiple user accounts with the same user name, set a friendly name to differentiate the accounts.
      • Manage your saved user accounts in the preferences of the app.
  3. You can also set these optional settings for the connection:

    • Set a friendly name
    • Add a Gateway
    • Set the sound output
    • Swap mouse buttons
    • Enable Admin Mode
    • Redirect local folders into a remote session
    • Forward local printers
    • Forward Smart Cards
  4. Click Save.

To start the connection, just double-click it. The same is true for remote resources.

Export and import connections

You can export a remote desktop connection definition and use it on a different device. Remote desktops are saved in separate .RDP files.


  1. In the Connection Center, right-click the remote desktop.
  2. Click Export.
  3. Browse to the location where you want to save the remote desktop .RDP file.
  4. Click OK.

Use the following steps to import a remote desktop .RDP file.

  1. In the menu bar, click File > Import.
  2. Browse to the .RDP file.
  3. Click Open.
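An exported .RDP file is plain text, one setting per line, so it can be audited before it is shared with another device. The following script is an added example (not code from the Remote Desktop client or its documentation); it parses the file and flags the settings that widen what a remote session can reach: smart card redirection, drive redirection, and the server authentication level. The sample content is constructed; the key names are standard .RDP file settings. PowerShell Core (pwsh) runs this on macOS as well as Windows.

```powershell
# Added example: audit redirection and authentication settings in an .RDP file.
# $SampleRdp is constructed sample content; replace it with Get-Content -Raw <file>.rdp
$SampleRdp = @'
full address:s:MyDesktop:3389
username:s:CONTOSO\alice
gatewayhostname:s:RDGateway:443
redirectsmartcards:i:1
drivestoredirect:s:*
redirectprinters:i:1
redirectclipboard:i:1
authentication level:i:0
enablecredsspsupport:i:1
prompt for credentials:i:1
'@

function Read-RdpSettings {
    param([Parameter(Mandatory)][string]$Content)
    $settings = @{}
    foreach ($line in ($Content -split "`r?`n")) {
        # Each line is "<name>:<type>:<value>"; type i is an integer, type s a string
        if ($line -match '^(?<name>[^:]+):(?<type>[is]):(?<value>.*)$') {
            $value = if ($Matches['type'] -eq 'i') { [int]$Matches['value'] } else { $Matches['value'] }
            $settings[$Matches['name']] = $value
        }
    }
    return $settings
}

function Test-RdpRedirection {
    param([Parameter(Mandatory)][hashtable]$Settings)
    $findings = @()
    if ($Settings['redirectsmartcards'] -eq 1) {
        $findings += 'redirectsmartcards=1: the local smart card reader (and the PIN path) is exposed to the remote session.'
    }
    if ($Settings['drivestoredirect'] -eq '*') {
        $findings += 'drivestoredirect=*: every local drive is redirected; list only the folders the session needs.'
    }
    if ($Settings['authentication level'] -eq 0) {
        $findings += 'authentication level=0: the client connects even when the server certificate fails validation.'
    }
    if ($Settings['enablecredsspsupport'] -ne 1) {
        $findings += 'enablecredsspsupport<>1: Network Level Authentication (CredSSP) is disabled.'
    }
    return $findings
}

# Usage: parse the sample and print the findings
$settings = Read-RdpSettings -Content $SampleRdp
Test-RdpRedirection -Settings $settings
```

For a real file, replace the sample with `Get-Content -Raw ~/Desktop/MyDesktop.rdp`. The sample produces three findings (smart card redirection on, all drives redirected, authentication level 0); CredSSP is enabled so the last check is silent.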

Add a remote resource

Remote resources are RemoteApp programs, session-based desktops, and virtual desktops published using RemoteApp and Desktop Connections.

  • The URL displays the link to the RD Web Access server that gives you access to RemoteApp and Desktop Connections.
  • The configured RemoteApp and Desktop Connections are listed.

To add a remote resource:

  1. In the Connection Center click +, and then click Add Remote Resources.
  2. Enter information for the remote resource:
    • Feed URL - The URL of the RD Web Access server. You can also enter your corporate email account in this field – this tells the client to search for the RD Web Access Server associated with your email address.
    • User name - The user name to use for the RD Web Access server you are connecting to.
    • Password - The password to use for the RD Web Access server you are connecting to.
  3. Click Save.

The remote resources will be displayed in the Connection Center.

Connect to an RD Gateway to access internal assets

A Remote Desktop Gateway (RD Gateway) lets you connect to a remote computer on a corporate network from anywhere on the Internet. You can create and manage your gateways in the preferences of the app or while setting up a new desktop connection.


To set up a new gateway in preferences:

  1. In the Connection Center, click Preferences > Gateways.
  2. Click the + button at the bottom of the table, and then enter the following information:
    • Server name – The name of the computer you want to use as a gateway. This can be a Windows computer name, an Internet domain name, or an IP address. You can also add port information to the server name (for example: RDGateway:443 or 10.0.0.1:443).
    • User name - The user name and password to be used for the Remote Desktop gateway you are connecting to. You can also select Use connection credentials to use the same user name and password as those used for the remote desktop connection.

Manage your user accounts

When you connect to a desktop or remote resources, you can save the user accounts to select from again. You can manage your user accounts by using the Remote Desktop client.

To create a new user account:

  1. In the Connection Center, click Settings > Accounts.
  2. Click Add User Account.
  3. Enter the following information:
    • User Name - The name of the user to save for use with a remote connection. You can enter the user name in any of the following formats: user_name, domain\user_name, or user_name@domain.com.
    • Password - The password for the user you specified. Every user account that you want to save to use for remote connections needs to have a password associated with it.
    • Friendly Name - If you are using the same user account with different passwords, set a friendly name to distinguish those user accounts.
  4. Tap Save, and then tap Settings.

Customize your display resolution

You can specify the display resolution for the remote desktop session.

  1. In the Connection Center, click Preferences.
  2. Click Resolution.
  3. Click +.
  4. Enter a resolution height and width, and then click OK.

To delete the resolution, select it, and then click -.

Displays have separate spaces

If you are running Mac OS X 10.9 and disabled Displays have separate spaces in Mavericks (System Preferences > Mission Control), you need to configure this setting in the remote desktop client using the same option.

Drive redirection for remote resources

Drive redirection is supported for remote resources, so that you can save files created with a remote application locally to your Mac. The redirected folder is always your home directory displayed as a network drive in the remote session.

Note

In order to use this feature, the administrator needs to set the appropriate settings on the server.

Use a keyboard in a remote session

Mac keyboard layouts differ from the Windows keyboard layouts.

  • The Command key on the Mac keyboard equals the Windows key.
  • To perform actions that use the Command button on the Mac, you will need to use the control button in Windows (e.g.: Copy = Ctrl + C).
  • The function keys can be activated in the session by additionally pressing the FN key (e.g.: FN + F1).
  • The Alt key to the right of the space bar on the Mac keyboard equals the Alt Gr/right Alt key in Windows.

By default, the remote session will use the same keyboard locale as the OS you're running the client on. (If your Mac is running an en-us OS, that will be used for the remote sessions as well.) If the OS keyboard locale is not used, check the keyboard setting on the remote PC and change it manually. See the Remote Desktop Client FAQ for more information about keyboards and locales.

Support for Remote Desktop gateway pluggable authentication and authorization


Windows Server 2012 R2 introduced support for a new authentication method, Remote Desktop Gateway pluggable authentication and authorization, which provides more flexibility for custom authentication routines. You can now try this authentication model with the Mac client.

Important


Custom authentication and authorization models before Windows 8.1 are not supported, although the article above discusses them.


To learn more about this feature, check out https://aka.ms/paa-sample.

Tip


Questions and comments are always welcome. However, please do NOT post a request for troubleshooting help by using the comment feature at the end of this article. Instead, go to the Remote Desktop client forum and start a new thread. Have a feature suggestion? Tell us in the client user voice forum.


Microsoft Remote Desktop Connection (RDC) for Mac and Apple Remote Desktop (ARD) are two completely different tools with marginally similar capabilities. Unfortunately, as you've already discovered, neither offers Smart Card capabilities to allow you to authenticate to your Windows computer at work.
If your Mac is an Intel Mac then you could probably run Windows using Parallels or Boot Camp on your home computer and use the Windows RDC client to make your connection. I don't suggest trying to use VirtualPC if you have a PowerPC Mac simply because your Smart Card reader will most likely be USB and VirtualPC has a bad track record with USB devices.
Hope this helps!
bill
Mac OS X (10.4.10) 1 GHz Powerbook G4
Microsoft Remote Desktop Mac Smart Card Redirection

Applies To: Windows 10, Windows Server 2016

This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.

The content in this topic applies to the versions of Windows that are designated in the Applies To list at the beginning of this topic. In these versions, smart card redirection logic and WinSCard API are combined to support multiple redirected sessions into a single process.

Smart card support is required to enable many Remote Desktop Services scenarios. These include:

  • Using Fast User Switching or Remote Desktop Services. A user is not able to establish a redirected smart card-based remote desktop connection. That is, the connect attempt is not successful in Fast User Switching or from a Remote Desktop Services session.

  • Enabling Encrypting File System (EFS) to locate the user's smart card reader from the Local Security Authority (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS is not able to locate the smart card reader or certificate, EFS cannot decrypt user files.

Remote Desktop Services redirection

In a Remote Desktop scenario, a user is using a remote server for running services, and the smart card is local to the computer that the user is using. In a smart card sign-in scenario, the smart card service on the remote server redirects to the smart card reader that is connected to the local computer where the user is trying to sign in.

Remote Desktop redirection

Notes about the redirection model:

  1. This scenario is a remote sign-in session on a computer with Remote Desktop Services. In the remote session (labeled as 'Client session'), the user runs net use /smartcard.

  2. Arrows represent the flow of the PIN after the user types the PIN at the command prompt until it reaches the user's smart card in a smart card reader that is connected to the Remote Desktop Connection (RDC) client computer.

  3. The authentication is performed by the LSA in session 0.

  4. The CryptoAPI processing is performed in the LSA (Lsass.exe). This is possible because RDP redirector (rdpdr.sys) allows per-session, rather than per-process, context.

  5. The WinScard and SCRedir components, which were separate modules in operating systems earlier than Windows Vista, are now included in one module. The ScHelper library is a CryptoAPI wrapper that is specific to the Kerberos protocol.

  6. The redirection decision is made on a per smart card context basis, based on the session of the thread that performs the SCardEstablishContext call.

  7. Changes to WinSCard.dll implementation were made in Windows Vista to improve smart card redirection.

RD Session Host server single sign-in experience

As a part of the Common Criteria compliance, the RDC client must be configurable to use Credential Manager to acquire and save the user's password or smart card PIN. Common Criteria compliance requires that applications not have direct access to the user's password or PIN.

Common Criteria compliance requires specifically that the password or PIN never leave the LSA unencrypted. A distributed scenario should allow the password or PIN to travel between one trusted LSA and another, and it cannot be unencrypted during transit.

When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services sessions, users still need to sign in for every new Remote Desktop Services session. However, the user is not prompted for a PIN more than once to establish a Remote Desktop Services session. For example, after the user double-clicks a Microsoft Word document icon that resides on a remote computer, the user is prompted to enter a PIN. This PIN is sent by using a secure channel that the credential SSP has established. The PIN is routed back to the RDC client over the secure channel and sent to Winlogon. The user does not receive any additional prompts for the PIN, unless the PIN is incorrect or there are smart card-related failures.

Remote Desktop Services and smart card sign-in

Remote Desktop Services enable users to sign in with a smart card by entering a PIN on the RDC client computer and sending it to the RD Session Host server in a manner similar to authentication that is based on user name and password.

In addition, Group Policy settings that are specific to Remote Desktop Services need to be enabled for smart card-based sign-in.

To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer is not in the same domain or workgroup, the following command can be used to deploy the certificate:

certutil -dspublish NTAuthCA 'DSCDPContainer'

The DSCDPContainer Common Name (CN) is usually the name of the certification authority.

Example:


certutil -dspublish NTAuthCA <CertFile> 'CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=engineering,DC=contoso,DC=com'


For information about this option for the command-line tool, see -dsPublish.

Remote Desktop Services and smart card sign-in across domains

To enable remote access to resources in an enterprise, the root certificate for the domain must be provisioned on the smart card. From a computer that is joined to a domain, run the following command at the command line:


certutil -scroots update

For information about this option for the command-line tool, see -SCRoots.

For Remote Desktop Services across domains, the KDC certificate of the RD Session Host server must also be present in the client computer's NTAUTH store. To add the store, run the following command at the command line:

certutil -addstore -enterprise NTAUTH <CertFile>

Where <CertFile> is the root certificate of the KDC certificate issuer.

For information about this option for the command-line tool, see -addstore.

Note

If you use the credential SSP on computers running the supported versions of the operating system that are designated in the Applies To list at the beginning of this topic: To sign in with a smart card from a computer that is not joined to a domain, the smart card must contain the root certification of the domain controller. A public key infrastructure (PKI) secure channel cannot be established without the root certification of the domain controller.
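The certutil commands above put the KDC issuer's root certificate into the client's stores; the script below is an added example (not part of this topic or of certutil) that checks, on the RDC client computer, whether that root is actually present in the machine Trusted Root store and in the local cache of the enterprise NTAuth store. It assumes the NTAuth cache is mirrored under the EnterpriseCertificates registry key, keyed by SHA-1 thumbprint, and that the file passed in is the issuer root named `<CertFile>` in the steps above.

```powershell
# Added example: verify that the KDC certificate issuer's root is provisioned
# on this client. Assumption: certutil -addstore -enterprise NTAUTH caches the
# certificate under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth.
function Test-KdcRootProvisioning {
    param([Parameter(Mandatory)][string]$CertFile)   # path to the issuer's root .cer

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
    $thumb = $cert.Thumbprint

    # Trusted Root store of the local machine (exposed by the Cert: drive)
    $inRoot = $null -ne (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $thumb)

    # Local NTAuth cache (assumed registry location; not exposed by the Cert: drive)
    $ntAuthKey = "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates\$thumb"
    $inNtAuth  = Test-Path $ntAuthKey

    $result = [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $thumb
        NotAfter   = $cert.NotAfter
        InTrustedRoot = $inRoot
        InNtAuth      = $inNtAuth
    }

    # Remediation hints use the commands from this topic
    if (-not $inRoot)   { Write-Warning "Root missing: certutil -addstore -enterprise Root `"$CertFile`"" }
    if (-not $inNtAuth) { Write-Warning "NTAuth missing: certutil -addstore -enterprise NTAUTH `"$CertFile`"" }
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning 'The issuer root certificate has expired.' }

    return $result
}

# Usage (run elevated on the RDC client; path is a placeholder):
# Test-KdcRootProvisioning -CertFile 'C:\temp\kdc-issuer-root.cer'
```

Both flags must be true before a cross-domain smart card sign-in can build the PKI secure channel described in the note above; if only InTrustedRoot is true, the KDC certificate chains but is not accepted as a domain-controller certificate.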

Sign-in to Remote Desktop Services across a domain works only if the UPN in the certificate uses the following form: <ClientName>@<DomainDNSName>


The UPN in the certificate must include a domain that can be resolved. Otherwise, the Kerberos protocol cannot determine which domain to contact. You can resolve this issue by enabling GPO X509 domain hints. For more information about this setting, see Smart Card Group Policy and Registry Settings.
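To check a smart card certificate against the UPN requirement before a sign-in fails with an unhelpful Kerberos error, the following added example (not from this topic) reads the UPN out of the certificate's Subject Alternative Name and confirms that it has the `<ClientName>@<DomainDNSName>` form and that the domain part resolves in DNS. It assumes the Windows CryptoAPI display text "Principal Name=" for the UPN otherName and uses `Resolve-DnsName` from the DnsClient module, so it is meant to run on the Windows RDC client.

```powershell
# Added example: extract and validate the UPN from a smart card sign-in certificate.
function Get-CertificateUpn {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # The UPN is an otherName inside the Subject Alternative Name extension (OID 2.5.29.17);
    # CryptoAPI's formatted view renders it as "Principal Name=<upn>" (assumed display text)
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    if ($san.Format($true) -match 'Principal Name=(?<upn>\S+)') { return $Matches['upn'] }
    return $null
}

function Test-SmartCardUpn {
    param([Parameter(Mandatory)][string]$Upn)
    # Required form: <ClientName>@<DomainDNSName>; the domain must be resolvable
    if ($Upn -notmatch '^(?<user>[^@\s]+)@(?<domain>[A-Za-z0-9.-]+)$') {
        return [pscustomobject]@{ Upn = $Upn; Valid = $false; Reason = 'not in user@domain form' }
    }
    $domain = $Matches['domain']
    try {
        $null = Resolve-DnsName -Name $domain -ErrorAction Stop
        return [pscustomobject]@{ Upn = $Upn; Valid = $true; Reason = 'domain resolves' }
    }
    catch {
        return [pscustomobject]@{
            Upn    = $Upn
            Valid  = $false
            Reason = "domain '$domain' does not resolve; Kerberos cannot pick a realm (consider the X509 domain hints policy)"
        }
    }
}

# Usage: check every certificate in the user's personal store that carries a UPN
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Get-CertificateUpn -Certificate $_ } |
    Where-Object { $_ } |
    ForEach-Object { Test-SmartCardUpn -Upn $_ }
```

A certificate whose UPN has no domain part, or whose domain does not resolve from the client, is reported with the reason, which maps directly to the two failure causes described in the paragraph above.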
