Remote desktop across domains w/ smartcard (no trust relationship)

(setting the stage)
Workstation:  Windows 7 Enterprise SP1, member of Domain A, up to date on security patches
Server:  Windows Server 2008 R2 Standard, Domain Controller of Domain B, up to date on security patches
Middleware:  ActivIdentity ActivClient (v7.0.2.408) - installed on workstation and server

Hi Everyone,

I've got an interesting question/problem that I'm hoping someone else out there has run up against.  We've been tasked with trying to enable PIV authentication via RDP so our domain admins can use their PIV card to log into remote boxes, and not a username/password.  There is currently no trust relationship between domain A and domain B in my setup.  The server is not running Remote Desktop Gateway.  It is configured to use the TLS 1.0 security layer and the FIPS compliant encryption level.  It is also configured to require NLA and is using a domain controller certificate issued by a 3rd party CA.

I have taken my PIV authentication certificate and have mapped it to my account in domain B (so the altSecurityIdentities attribute is now populated).  After a lot of Googling, I found that I had to set the registry key "UseSubjectAltName" (located under HKLM\SYSTEM\CurrentControlSet\services\kdc) to 0.  I also needed to set two Group Policy settings, "Allow certificates with no extended key usage certificate attribute" and "Allow user name hint".  After I set these settings, and imported the necessary certificates to the NTAuth Store and Trusted Root Certification Authorities, I still couldn't RDP from my workstation to the server using my PIV card with the name hint of userid@domain.name.gov.  I would get an error message saying "The specified user name does not exist.  Verify the user name and try logging in again.  If the problem continues, contact your system administrator or technical support."  After a lot of troubleshooting, I discovered that if I turn off NLA on the server, I can type my PIN and userid@domain.name.gov into the RDP window on my workstation; it then launches an RDP session where it makes me type in my PIN and name hint once again.  After I type everything in a second time, the server loads my desktop and I can proceed as normal.

My question is: is there a way to accomplish the end result of using a smart card to RDP to a server in a different domain (no trust relationship) and have NLA enabled?  Disabling NLA "works", but I don't think my I.T. Security folks are going to go for that as an option.

Thanks in advance for any suggestions!

-Matt

September 1st, 2015 6:25pm
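
As an added illustration (not from Matt's post or any of the replies): a read-only PowerShell audit, run on the Domain B server, that reports the settings Matt lists so each can be verified before NLA is touched. The $UserId value is a placeholder, and the registry value names behind the two Group Policy items are assumptions from the policy's backing keys.

```powershell
# Added example, not from the thread: read-only audit of the settings the post describes.
# Assumes it runs on the Domain B domain controller / RDP target with the ActiveDirectory module.
param([string]$UserId = 'matt')   # placeholder: the account whose altSecurityIdentities was populated

$results = [ordered]@{}

# 1. KDC: UseSubjectAltName = 0 lets the KDC map a certificate whose SAN carries no UPN
$kdc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' -ErrorAction SilentlyContinue
$results['Kdc.UseSubjectAltName'] = if ($null -ne $kdc.UseSubjectAltName) { $kdc.UseSubjectAltName } else { 'not set (default 1)' }

# 2. Smart card credential provider policy (the two Group Policy settings from the post).
#    Assumption: these registry values are what the two policy items write.
$scp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider' -ErrorAction SilentlyContinue
$results['Policy.AllowCertificatesWithNoEKU'] = $scp.AllowCertificatesWithNoEKU   # "Allow certificates with no EKU"
$results['Policy.X509HintsNeeded']            = $scp.X509HintsNeeded              # "Allow user name hint"

# 3. Explicit certificate mapping on the account in domain B
Import-Module ActiveDirectory
$user = Get-ADUser -Identity $UserId -Properties altSecurityIdentities
$results['AD.altSecurityIdentities'] = ($user.altSecurityIdentities -join '; ')

# 4. RDP listener: NLA requirement, security layer and encryption level
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$results['RDP.UserAuthenticationRequired'] = $ts.UserAuthenticationRequired   # 1 = NLA required
$results['RDP.SecurityLayer']              = $ts.SecurityLayer                # 0 RDP, 1 Negotiate, 2 TLS
$results['RDP.MinEncryptionLevel']         = $ts.MinEncryptionLevel           # 4 = FIPS compliant

# 5. NTAuth store: count the CA certificates present (certutil reads the enterprise store)
$ntauth = certutil -enterprise -store NTAuth 2>$null
$results['NTAuth.CertificateCount'] = ($ntauth | Select-String -SimpleMatch 'Subject:').Count

# Print one line per setting so the output can be compared against the intended configuration
$results.GetEnumerator() | ForEach-Object { '{0,-36} {1}' -f $_.Key, $_.Value }
```

Run it in an elevated PowerShell session on the server; any row that does not match the intended value (UseSubjectAltName 0, both policy values 1, UserAuthenticationRequired 1, SecurityLayer 2, MinEncryptionLevel 4, a non-empty mapping) points at the setting to revisit first.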

Hi Matt,

Would you please test whether password authentication (without smart card) works with NLA enabled across domains?

Best Regards,

Amy

September 3rd, 2015 11:10pm
