McFess

Thinpro 6.1 usb smartcard redirection via xfreerdp

T620
Linux

Hi,

 

We have T620 thin clients running ThinPro 6.1.

Customers need to use Datev midentity usb smartcard readers on a Windows terminal server (Windows Server 2012 R2) via rdp.

The device shows up in the usb-manager, which is configured to redirect all devices to rdp connections.

Smart Cards are redirected via the class setting.

 

The device is sold by Kobil Systems GmbH (https://www.kobil.com/)

 

Link to the device in GERMAN 

https://www.datev.de/web/de/datev-shop/it-loesungen-und-security/datev-midentity-compact/

 

# lsusb |grep Kobil
Bus 005 Device 003: ID 0d46:3014 Kobil Systems GmbH

 

# pcsc_scan -n
PC/SC device scanner
V 1.4.22 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.10
Using reader plug'n play mechanism
Scanning present readers...
0: KOBIL Systems Smart Token (NE134209584) 00 00

Wed May 17 11:04:06 2017
Reader 0: KOBIL Systems Smart Token (NE134209584) 00 00
Card state: Card inserted,
ATR: 3B BF 96 00 81 31 FE 5D 00 64 84 11 24 00 31 C0 73 F7 01 D0 00 90 00 DB

 

Starting a rdp connection via the Connection manager doesn't redirect the device, though.

Manually running xfreerdp with the /smartcard: option works.

How do I turn that option on via the connection manager?

 

Thanks in advance,

 

Michael

McFess

@McFess wrote:

 

We have T620 thin clients running ThinPro 6.1.

Customers need to use Datev midentity usb smartcard readers on a Windows terminal server (Windows Server 2012 R2) via rdp.

The device shows up in the usb-manager, which is configured to redirect all devices to rdp connections.

Smart Cards are redirected via the class setting.

 

Starting a rdp connection via the Connection manager doesn't redirect the device, though.

Manually running xfreerdp with the /smartcard: option works.

 

 


As a crude hack, I changed /usr/lib/freerdp/cmdline_functions:

 

--- cmdline_functions 2017-05-17 14:00:58.643176797 +0200
+++ cmdline_functions.new 2017-05-17 14:00:38.059177470 +0200
@@ -635,6 +635,8 @@
Options+=("-grab-keyboard")
### Always: Turn off freerdp's own keyboard shortcuts.
Options+=("-keyboard-shortcuts" "-toggle-fullscreen")
+ ### Always: Add /smartcard:
+ Options+=("/smartcard:")

### Get hardware ID
HWID=$(hptc-hwsw-id --hw)
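
Review bot: The added `Options+=("/smartcard:")` is unconditional (its own comment says "Always"), so every RDP connection whose command line is built here hands the local card reader to the remote host, including servers that have no need for it. Guard the append with a test on a per-connection setting so redirection stays opt-in, and say in the comment that this is card redirection into the session, which is separate from smartcard logon.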

 

Does what's needed - but as I said, crude hack.

It seems the whole system doesn't differentiate between smartcard usage and smartcard login...

pcarno

Huge thank you, dude! It does work after those changes.

pcarno

The only thing that's not working is NLA; it's asking for the credentials 2 times, and in the code there is also this line:

###NLA & Smartcard do not currently work togheter.

### We have some code in the works to correct that, but for now....

 

 

Anybody got this fixed?

McFess

@McFess wrote:

@McFess wrote:

 

We have T620 thin clients running ThinPro 6.1.

Customers need to use Datev midentity usb smartcard readers on a Windows terminal server (Windows Server 2012 R2) via rdp.

The device shows up in the usb-manager, which is configured to redirect all devices to rdp connections.

Smart Cards are redirected via the class setting.

 

Starting a rdp connection via the Connection manager doesn't redirect the device, though.

Manually running xfreerdp with the /smartcard: option works.

 

 


As a crude hack, I changed /usr/lib/freerdp/cmdline_functions:

 

Options+=("-keyboard-shortcuts" "-toggle-fullscreen")
+ ### Always: Add /smartcard:
+ Options+=("/smartcard:")



 

We're running ThinPro 6.22 now.

Things changed a little bit. Unfortunately smartcard redirection still doesn't work out of the box.

With the new xfreerdp version (1.1.0-beta1) the line now must read:

Options+=("/sec:tls" "/a:smartcard,0")

 

or whatever number pcsc_scan gives for your device

 

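
For the last step in the post above ("whatever number pcsc_scan gives for your device"), a sketch that looks the reader up by name in saved pcsc_scan output and builds the argument, refusing to guess when no reader or several readers match. This is an added example, not part of the original post or of HP's script; the function names and the second reader in the sample are made up, and the meaning of the number in `/a:smartcard,N` is taken from the post.

```shell
#!/bin/sh
# Added example: map a reader name to the index pcsc_scan lists for it and
# build the xfreerdp smartcard argument, instead of hard-coding 0.

# Constructed sample based on the pcsc_scan output in the thread; the
# second reader is hypothetical.
sample_scan() {
cat <<'EOF'
PC/SC device scanner
Scanning present readers...
0: KOBIL Systems Smart Token (NE134209584) 00 00
1: Example Vendor Keyboard Reader 00 00

Reader 0: KOBIL Systems Smart Token (NE134209584) 00 00
Card state: Card inserted,
EOF
}

# reader_index NAME: reads pcsc_scan output on stdin and prints the index of
# the one reader whose name contains NAME (case-insensitive).
# Fails (non-zero) when no reader or more than one reader matches.
reader_index() {
    [ -n "$1" ] || return 2
    awk -v want="$1" '
        BEGIN { n = 0 }
        /^[0-9]+: / {                      # lines of the form "<index>: <name>"
            idx = $0;  sub(/:.*/, "", idx)
            name = $0; sub(/^[0-9]+: /, "", name)
            if (index(tolower(name), tolower(want)) > 0) found[n++] = idx
        }
        END { if (n != 1) exit 1; print found[0] }'
}

# smartcard_option NAME: prints the argument in the form used in the post
# above (/a:smartcard,<index>), or fails without printing anything.
smartcard_option() {
    idx=$(reader_index "$1") || return 1
    printf '/a:smartcard,%s\n' "$idx"
}

# Demo on the constructed sample; prints /a:smartcard,0
sample_scan | smartcard_option "KOBIL"
```

Failing on an ambiguous or missing match keeps a connection from silently redirecting a different reader than the one intended when device enumeration order changes.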
JonasSellstedt

Thanks, this helps! However... When trying these settings connecting to a Windows 2016 Server RDP, the option /sec:tls makes the rdp connection to the server impossible. Changed it to NLA and I got it to work, but we need to repeat credentials at the login page on the server. The client has AD connection with SSO on the connection to the server activated. Does anyone know how to make this work without the extra logon?
