Safenet 5110 eToken FIPS

Hello,
I'm having problems using a SafeNet 5110 eToken FIPS with VirtualHere. I can see the token and use it in VirtualHere, but the SafeNet Authentication Client does not detect it as connected, even though I see it in the Device Manager.
Installing the same SafeNet client and using the same token on a local machine works.

I tried putting "ClaimPorts=1" in the server config, but no luck.

I tried with a Windows Server 2019 (Hyper-V Core 2019) and Linux with Kernel 5.15, using VirtualHere USB Server v4.5.8.

The VirtualHere was 5.5.3 Win64.

Please let me know if this is a known issue or if I should provide any logs.

#2

I have the same token, which I use every day via VirtualHere to sign code. Are you using RDP (i.e. Remote Desktop) to access the client? I think that will block smartcard pass-through, actually. You might need to use VNC or something like that instead. (By the way, I am using the SafeNet drivers v10.8.) I use KVM to run development VMs, so that doesn't have any issues on the client side.

#3

I was using RDP to access the client, and that was the problem.

The Windows Smart Card Service checks if the user is in a remote session; if so, it disallows access to any "local" (from the Windows viewpoint) smartcard. That is by design, and there is no way to disable it through options or group policy/registry entries.

I only saw a guy that found a way to patch the WinSCard.dll to disable this check. I'm not willing to go that far.

Source: l1f@yk's notes: Windows Smart Card Subsystem and Remote Sessions (lifayk.blogspot.com)

 

SOLUTION:
I started using the VNC protocol to connect to the virtual machines (where the VirtualHere client resides) on the Linux machines, and on the Windows machines, I just put the VirtualHere client in the hands of users to use/unuse the token and pass it through the RDP connection. In this scenario, the VirtualHere client is on the RDP client machine; that way, the Windows Smart Card Service check passes, as from the Windows viewpoint, the token is not local (on the server).

I would have been running in circles for days without your words Michael, thank you very much!
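
To check for the behaviour described in post #3 on an affected machine, the following PowerShell script (an added example, not posted by any participant in this thread) reports whether the current session is remote and which readers the Smart Card subsystem exposes to it. The class name `ScDiag` is an assumption made for this example; the Windows calls it uses are `GetSystemMetrics`, `SCardEstablishContext`, `SCardListReaders` and `SCardReleaseContext`.

```powershell
# Added diagnostic, not from the thread. Run it inside the session where the
# SafeNet client fails to see the token.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class ScDiag {   // ScDiag is a name chosen for this example
    [DllImport("user32.dll")]
    static extern int GetSystemMetrics(int nIndex);
    [DllImport("winscard.dll")]
    static extern int SCardEstablishContext(uint scope, IntPtr r1, IntPtr r2, out IntPtr ctx);
    [DllImport("winscard.dll", EntryPoint = "SCardListReadersW", CharSet = CharSet.Unicode)]
    static extern int SCardListReaders(IntPtr ctx, string groups, [Out] char[] readers, ref uint len);
    [DllImport("winscard.dll")]
    static extern int SCardReleaseContext(IntPtr ctx);

    const int  SM_REMOTESESSION = 0x1000;   // non-zero inside a Remote Desktop session
    const uint SCARD_SCOPE_SYSTEM = 2;
    const int  SCARD_E_NO_READERS_AVAILABLE = unchecked((int)0x8010002E);

    public static bool IsRemoteSession() { return GetSystemMetrics(SM_REMOTESESSION) != 0; }

    // Returns the reader names the Smart Card subsystem exposes to this session.
    public static string[] ListReaders() {
        IntPtr ctx;
        Check(SCardEstablishContext(SCARD_SCOPE_SYSTEM, IntPtr.Zero, IntPtr.Zero, out ctx), "SCardEstablishContext");
        try {
            uint len = 0;
            int rc = SCardListReaders(ctx, null, null, ref len);   // first call returns the size only
            if (rc == SCARD_E_NO_READERS_AVAILABLE) return new string[0];
            Check(rc, "SCardListReaders");
            char[] buf = new char[len];
            Check(SCardListReaders(ctx, null, buf, ref len), "SCardListReaders");
            // The result is a multi-string: names separated by NUL characters.
            return new string(buf).Split(new[] { '\0' }, StringSplitOptions.RemoveEmptyEntries);
        } finally { SCardReleaseContext(ctx); }
    }
    static void Check(int rc, string api) {
        if (rc != 0) throw new InvalidOperationException(String.Format("{0} failed: 0x{1:X8}", api, rc));
    }
}
'@
$remote  = [ScDiag]::IsRemoteSession()
$readers = [ScDiag]::ListReaders()
"Session name       : $env:SESSIONNAME"
"Remote session     : $remote"
"Smart Card service : $((Get-Service SCardSvr).Status)"
"Readers visible    : $(if ($readers) { $readers -join '; ' } else { '(none)' })"
if ($remote -and -not $readers) {
    "No reader is visible in this remote session; a token attached to this machine is hidden from it."
}
```

Running the same script from the machine's console or over VNC and comparing the reader list shows whether the remote session is what hides the token.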

#4

OK, great, I'm glad it's sorted. Yes, I don't know why Microsoft blocks smartcards via RDP, it's pretty annoying...