Microsoft Remote Desktop 10 Mac Smart Card

 

Applies To: Windows 10, Windows Server 2016


This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.

The content in this topic applies to the versions of Windows that are designated in the Applies To list at the beginning of this topic. In these versions, smart card redirection logic and WinSCard API are combined to support multiple redirected sessions into a single process.

Smart card support is required to enable many Remote Desktop Services scenarios. These include:


  • Using Fast User Switching or Remote Desktop Services. Without smart card support, a user cannot establish a redirected smart card-based remote desktop connection; that is, the connection attempt fails in Fast User Switching or from a Remote Desktop Services session.

  • Enabling Encrypting File System (EFS) to locate the user's smart card reader from the Local Security Authority (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS is not able to locate the smart card reader or certificate, EFS cannot decrypt user files.

Remote Desktop Services redirection

In a Remote Desktop scenario, a user is using a remote server for running services, and the smart card is local to the computer that the user is using. In a smart card sign-in scenario, the smart card service on the remote server redirects to the smart card reader that is connected to the local computer where the user is trying to sign in.

Remote Desktop redirection

Notes about the redirection model:

  1. This scenario is a remote sign-in session on a computer with Remote Desktop Services. In the remote session (labeled as 'Client session'), the user runs net use /smartcard.

  2. Arrows represent the flow of the PIN after the user types the PIN at the command prompt until it reaches the user's smart card in a smart card reader that is connected to the Remote Desktop Connection (RDC) client computer.

  3. The authentication is performed by the LSA in session 0.

  4. The CryptoAPI processing is performed in the LSA (Lsass.exe). This is possible because RDP redirector (rdpdr.sys) allows per-session, rather than per-process, context.

  5. The WinScard and SCRedir components, which were separate modules in operating systems earlier than Windows Vista, are now included in one module. The ScHelper library is a CryptoAPI wrapper that is specific to the Kerberos protocol.

  6. The redirection decision is made on a per smart card context basis, based on the session of the thread that performs the SCardEstablishContext call.

  7. Changes to WinSCard.dll implementation were made in Windows Vista to improve smart card redirection.

RD Session Host server single sign-in experience

As a part of the Common Criteria compliance, the RDC client must be configurable to use Credential Manager to acquire and save the user's password or smart card PIN. Common Criteria compliance requires that applications not have direct access to the user's password or PIN.


Common Criteria compliance requires specifically that the password or PIN never leave the LSA unencrypted. A distributed scenario should allow the password or PIN to travel between one trusted LSA and another, and it cannot be unencrypted during transit.

When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services sessions, users still need to sign in for every new Remote Desktop Services session. However, the user is not prompted for a PIN more than once to establish a Remote Desktop Services session. For example, after the user double-clicks a Microsoft Word document icon that resides on a remote computer, the user is prompted to enter a PIN. This PIN is sent by using a secure channel that the credential SSP has established. The PIN is routed back to the RDC client over the secure channel and sent to Winlogon. The user does not receive any additional prompts for the PIN, unless the PIN is incorrect or there are smart card-related failures.

Remote Desktop Services and smart card sign-in

Remote Desktop Services enable users to sign in with a smart card by entering a PIN on the RDC client computer and sending it to the RD Session Host server in a manner similar to authentication that is based on user name and password.

In addition, Group Policy settings that are specific to Remote Desktop Services need to be enabled for smart card-based sign-in.

To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer is not in the same domain or workgroup, the following command can be used to deploy the certificate:

certutil -dspublish NTAuthCA "DSCDPContainer"

The DSCDPContainer Common Name (CN) is usually the name of the certification authority.

Example:

certutil -dspublish NTAuthCA <CertFile> "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=engineering,DC=contoso,DC=com"

For information about this option for the command-line tool, see -dsPublish.

Remote Desktop Services and smart card sign-in across domains

To enable remote access to resources in an enterprise, the root certificate for the domain must be provisioned on the smart card. From a computer that is joined to a domain, run the following command at the command line:

certutil -scroots update

For information about this option for the command-line tool, see -SCRoots.

For Remote Desktop Services across domains, the KDC certificate of the RD Session Host server must also be present in the client computer's NTAUTH store. To add the store, run the following command at the command line:

certutil -addstore -enterprise NTAUTH <CertFile>

Where <CertFile> is the root certificate of the KDC certificate issuer.

For information about this option for the command-line tool, see -addstore.

Note If you use the credential SSP on computers running the supported versions of the operating system that are designated in the Applies To list at the beginning of this topic: To sign in with a smart card from a computer that is not joined to a domain, the smart card must contain the root certification of the domain controller. A public key infrastructure (PKI) secure channel cannot be established without the root certification of the domain controller.

Sign-in to Remote Desktop Services across a domain works only if the UPN in the certificate uses the following form: <ClientName>@<DomainDNSName>

The UPN in the certificate must include a domain that can be resolved. Otherwise, the Kerberos protocol cannot determine which domain to contact. You can resolve this issue by enabling GPO X509 domain hints. For more information about this setting, see Smart Card Group Policy and Registry Settings.
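The UPN requirement above can be checked from a client terminal before a sign-in attempt. This is an added example, not part of the original topic: it tests the <ClientName>@<DomainDNSName> form and looks for the standard Kerberos locator record _kerberos._tcp.<domain>. The function names, the use of dig, and the sample UPNs and SRV answer are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.
# Checks a certificate UPN against the <ClientName>@<DomainDNSName> form and
# tests whether the domain part leads to a KDC through the Kerberos SRV record.

# Default resolver (assumption: dig is installed). Prints SRV answers, if any;
# lines starting with ";" are dig diagnostics, not answers.
srv_lookup() {
    dig +short "$1" SRV 2>/dev/null | grep -v '^;'
}

# Constructed resolver for offline runs: only the sample domain has a KDC record.
sample_srv() {
    case $1 in
        _kerberos._tcp.engineering.contoso.com)
            echo "0 100 88 dc01.engineering.contoso.com." ;;
    esac
}

# check_upn UPN [RESOLVER]
# Prints ok, bad-form or unresolvable; returns 0, 1 or 2.
check_upn() {
    upn=$1
    resolver=${2:-srv_lookup}

    # Exactly one "@" with text on both sides.
    case $upn in
        ''|@*|*@|*@*@*) echo bad-form; return 1 ;;
        *@*) ;;
        *) echo bad-form; return 1 ;;
    esac
    domain=${upn#*@}

    # The domain part must look like a DNS name: letters, digits, hyphens, dots.
    case $domain in
        .*|*.|*..*|*[!A-Za-z0-9.-]*) echo bad-form; return 1 ;;
    esac

    # No SRV answer means Kerberos cannot tell which domain to contact; this is
    # the case the X509 domain hints policy addresses.
    answers=$("$resolver" "_kerberos._tcp.$domain") || answers=
    if [ -n "$answers" ]; then
        echo ok
        return 0
    fi
    echo unresolvable
    return 2
}

# Demo on constructed UPNs; pass real UPNs as arguments to use live DNS.
if [ $# -gt 0 ]; then
    for u in "$@"; do printf '%s -> %s\n' "$u" "$(check_upn "$u")"; done
else
    for u in jdoe@engineering.contoso.com jdoe@contoso.example 'CONTOSO\jdoe'; do
        printf '%s -> %s\n' "$u" "$(check_upn "$u" sample_srv)"
    done
fi
```

An unresolvable verdict for a well-formed UPN is the situation where the domain hints setting applies; a bad-form verdict points at the certificate template instead.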


We regularly update the Remote Desktop client for macOS, adding new features and fixing issues. Here's where you'll find the latest updates.

If you encounter any issues, you can always contact us by navigating to Help > Report an Issue.

Updates for version 10.3.9

Date published: 4/6/20

In this release we've made some changes to improve interoperability with the Windows Virtual Desktop service. In addition, we've included the following updates:

  • Control+Option+Delete now triggers the Ctrl+Alt+Del sequence (previously required pressing the Fn key).
  • Fixed the keyboard mode notification color scheme for Light mode.
  • Addressed scenarios where connections initiated using the GatewayAccessToken RDP file property didn't work.

Note

This is the last release that will be compatible with macOS 10.12.

Updates for version 10.3.8

Date published: 2/12/20

It's time for our first release of 2020!

With this update, you can switch between Scancode (Ctrl+Command+K) and Unicode (Ctrl+Command+U) modes when entering keyboard input. Unicode mode allows extended characters to be typed using the Option key on a Mac keyboard. For example, on a US Mac keyboard, Option+2 will enter the trademark (™) symbol. You can also enter accented characters in Unicode mode. For example, on a US Mac keyboard, entering Option+E and the 'A' key at the same time will enter the character 'á' on your remote session.

Other updates in this release include:

  • Cleaned up the workspace refresh experience and UI.
  • Addressed a smart card redirection issue that caused the remote session to stop responding at the sign-in screen when the 'Checking Status' message appeared.
  • Reduced time to create temporary files used for clipboard-based file copy and paste.
  • Temporary files used for clipboard file copy and paste are now deleted automatically when you exit the app, instead of relying on macOS to delete them.
  • PC bookmark actions are now rendered at the top-right corner of thumbnails.
  • Made fixes to address issues reported through crash telemetry.

Updates for version 10.3.7

Date published: 1/6/20

In our final update of the year, we fine-tuned some code and fixed the following behaviors:

  • Copying things from the remote session to a network share or USB drive no longer creates empty files.
  • Specifying an empty password in a user account no longer causes a double certificate prompt.

Updates for version 10.3.6

Date published: 1/6/20


In this release, we addressed an issue that created zero-length files whenever you copied a folder from the remote session to the local machine using file copy and paste.

Updates for version 10.3.5

Date published: 1/6/20

We made this update with the help of everyone who reported issues. In this version, we've made the following changes:

  • Redirected folders can now be marked as read-only to prevent their contents from being changed in the remote session.
  • We addressed a 0x607 error that appeared when connecting using RPC over HTTPS RD Gateway scenarios.
  • Fixed cases where users were double-prompted for credentials.
  • Fixed cases where users received the certificate warning prompt twice.
  • Added heuristics to improve trackpad-based scrolling.
  • The client no longer shows the 'Saved Desktops' group if there are no user-created groups.
  • Updated UI for the tiles in PC view.
  • Fixes to address crashes sent to us via application telemetry.

Note

In this release, we now accept feedback for the Mac client only through UserVoice.


Updates for version 10.3.4

Date published: 11/18/19

We've been hard at work listening to your feedback and have put together a collection of bug fixes and feature updates.

  • When connecting via an RD Gateway with multifactor authentication, the gateway connection will be held open to avoid multiple MFA prompts.
  • All the client UI is now fully keyboard-accessible with Voiceover support.
  • Files copied to the clipboard in the remote session are now only transferred when pasting to the local computer.
  • URLs copied to the clipboard in the remote session now paste correctly to the local computer.
  • Scale factor remoting to support Retina displays is now available for multimonitor scenarios.
  • Addressed a compatibility issue with FreeRDP-based RD servers that was causing connectivity issues in redirection scenarios.
  • Addressed smart card redirection compatibility with future releases of Windows 10.
  • Addressed an issue specific to macOS 10.15 where the incorrect available space was reported for redirected folders.
  • Published PC connections are represented with a new icon in the Workspaces tab.
  • 'Feeds' are now called 'Workspaces,' and 'Desktops' are now called 'PCs.'
  • Fixed inconsistencies and bugs in user account handling in the preferences UI.
  • Lots of bug fixes to make things run smoother and more reliably.

Updates for version 10.3.3

Date published: 11/18/19

We've put together a feature update and fixed bugs for the 10.3.3 release.

First, we've added user defaults to disable smart card, clipboard, microphone, camera, and folder redirection:

  • ClientSettings.DisableSmartcardRedirection
  • ClientSettings.DisableClipboardRedirection
  • ClientSettings.DisableMicrophoneRedirection
  • ClientSettings.DisableCameraRedirection
  • ClientSettings.DisableFolderRedirection

Next, the bug fixes:

  • Resolved an issue that was causing programmatic session window resizes to not be detected.
  • Fixed an issue where the session window contents appeared small when connecting in windowed mode (with dynamic display enabled).
  • Addressed initial flicker that occurred when connecting to a session in windowed mode with dynamic display enabled.
  • Fixed graphics mispaints that occurred when connected to Windows 7 after toggling fit-to-window with dynamic display enabled.
  • Fixed a bug that caused an incorrect device name to be sent to the remote session (breaking licensing in some third-party apps).
  • Resolved an issue where remote app windows would occupy an entire monitor when maximized.
  • Addressed an issue where the access permissions UI appeared underneath local windows.
  • Cleaned up some shutdown code to ensure the client closes more reliably.
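The redirection user defaults added in 10.3.3 can be audited against a written policy. This is an added example, not Microsoft's tooling: the policy values, function names and sample reader are constructed, and it assumes the keys are booleans stored in the com.microsoft.rdc.macos domain that the 10.2.2 notes name for ClientSettings.EnforceCredSSPSupport.

```shell
#!/bin/sh
# Added example, not from the release notes.
# Audits the 10.3.3 redirection user defaults against a policy and prints the
# `defaults write` commands that would correct any drift (it runs none of them).

DOMAIN=com.microsoft.rdc.macos   # assumption: same domain as EnforceCredSSPSupport

# Constructed policy, one key=wanted pair per line. 1 means the channel must be
# disabled. Smart card redirection stays enabled (0) because smart card sign-in
# to the remote session depends on it.
POLICY="ClientSettings.DisableSmartcardRedirection=0
ClientSettings.DisableClipboardRedirection=1
ClientSettings.DisableMicrophoneRedirection=1
ClientSettings.DisableCameraRedirection=1
ClientSettings.DisableFolderRedirection=1"

# normalize VALUE: map what a reader prints to 1 or 0; an unset key counts as 0.
normalize() {
    case $1 in
        1|true|TRUE|yes|YES) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Reader for a real Mac; prints nothing when the key is unset.
read_default() {
    defaults read "$DOMAIN" "$1" 2>/dev/null || true
}

# Constructed reader for offline runs: clipboard and smart card are disabled.
sample_reader() {
    case $1 in
        ClientSettings.DisableClipboardRedirection) echo 1 ;;
        ClientSettings.DisableSmartcardRedirection) echo 1 ;;
    esac
}

# audit [READER]: one line per key, "<key> ok" or
# "<key> drift want=<0|1> have=<0|1>". Returns 1 if any key drifted.
audit() {
    reader=${1:-read_default}
    drift=0
    for pair in $POLICY; do
        key=${pair%=*}
        want=${pair#*=}
        have=$(normalize "$("$reader" "$key")")
        if [ "$have" = "$want" ]; then
            echo "$key ok"
        else
            echo "$key drift want=$want have=$have"
            drift=1
        fi
    done
    return $drift
}

# remediation [READER]: print the command that fixes each drifted key.
remediation() {
    audit "${1:-read_default}" | while read -r key state want rest; do
        [ "$state" = drift ] || continue
        case $want in
            want=1) echo "defaults write $DOMAIN $key -bool true" ;;
            want=0) echo "defaults write $DOMAIN $key -bool false" ;;
        esac
    done
}

# On a Mac, audit the live settings; elsewhere, run on the constructed sample.
if command -v defaults >/dev/null 2>&1; then
    audit || true
    remediation
else
    audit sample_reader || true
    remediation sample_reader
fi
```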

Updates for version 10.3.2

Date published: 11/18/19

In this release, we fixed a bug that made the display low resolution while connecting to a session.

Updates for version 10.3.1

Date published: 11/18/19

We've put together some fixes to address regressions that managed to sneak into the 10.3.0 release.

  • Addressed connectivity issues with RD Gateway servers that were using 4096-bit asymmetric keys.
  • Fixed a bug that caused the client to randomly stop responding when downloading feed resources.
  • Fixed a bug that caused the client to crash while opening.
  • Fixed a bug that caused the client to crash while importing connections from Remote Desktop, version 8.

Updates for version 10.3.0

Date published: 8/27/19

It's been a few weeks since we last updated, but we've been hard at work during that time. Version 10.3.0 brings some new features and lots of under-the-hood fixes.

  • Camera redirection is now possible when connecting to Windows 10 1809, Windows Server 2019 and later.
  • On Mojave and Catalina we've added a new dialog that requests your permission to use the microphone and camera for device redirection.
  • The feed subscription flow has been rewritten to be simpler and faster.
  • Clipboard redirection now includes the Rich Text Format (RTF).
  • When entering your password you have the option to reveal it with a 'Show password' checkbox.
  • Addressed scenarios where the session window was jumping between monitors.
  • The Connection Center displays high resolution remote app icons (when available).
  • Cmd+A maps to Ctrl+A when Mac clipboard shortcuts are being used.
  • Cmd+R now refreshes all of your subscribed feeds.
  • Added new secondary click options to expand or collapse all groups or feeds in the Connection Center.
  • Added a new secondary click option to change the icon size in the Feeds tab of the Connection Center.
  • A new, simplified, and clean app icon.

Updates for version 10.2.13

Date published: 5/8/2019

  • Fixed a hang that occurred when connecting via an RD Gateway.
  • Added a privacy notice to the 'Add Feed' dialog.

Updates for version 10.2.12


Date published: 4/16/2019

  • Resolved random disconnects (with error code 0x904) that took place when connecting via an RD Gateway.
  • Fixed a bug that caused the resolutions list in application preferences to be empty after installation.
  • Fixed a bug that caused the client to crash if certain resolutions were added to the resolutions list.
  • Addressed an ADAL authentication prompt loop when connecting to Windows Virtual Desktop deployments.

Updates for version 10.2.10

Date published: 3/30/2019

  • In this release we addressed instability caused by the recent macOS 10.14.4 update. We also fixed mispaints that appeared when decoding AVC codec data encoded by a server using NVIDIA hardware.

Updates for version 10.2.9

Date published: 3/6/2019

  • In this release we fixed an RD gateway connectivity issue that can occur when server redirection takes place.
  • We also addressed an RD gateway regression caused by the 10.2.8 update.

Updates for version 10.2.8

Date published: 3/1/2019

  • Resolved connectivity issues that surfaced when using an RD Gateway.
  • Fixed incorrect certificate warnings that were displayed when connecting.
  • Addressed some cases where the menu bar and dock would needlessly hide when launching remote apps.
  • Reworked the clipboard redirection code to address crashes and hangs that have been plaguing some users.
  • Fixed a bug that caused the Connection Center to needlessly scroll when launching a connection.

Updates for version 10.2.7

Date published: 2/6/2019

  • In this release we addressed graphics mispaints (caused by a server encoding bug) that appeared when using AVC444 mode.

Updates for version 10.2.6

Date published: 1/28/2019

  • Added support for the AVC (420 and 444) codec, available when connecting to current versions of Windows 10.
  • In Fit to Window mode, a window refresh now occurs immediately after a resize to ensure that content is rendered at the correct interpolation level.
  • Fixed a layout bug that caused feed headers to overlap for some users.
  • Cleaned up the Application Preferences UI.
  • Polished the Add/Edit Desktop UI.
  • Made lots of fit and finish adjustments to the Connection Center tile and list views for desktops and feeds.

Note

There is a bug in macOS 10.14.0 and 10.14.1 that can cause the '.com.microsoft.rdc.application-data_SUPPORT/_EXTERNAL_DATA' folder (nested deep inside the ~/Library folder) to consume a large amount of disk space. To resolve this issue, delete the folder content and upgrade to macOS 10.14.2. Note that a side-effect of deleting the folder contents is that snapshot images assigned to bookmarks will be deleted. These images will be regenerated when reconnecting to the remote PC.

Updates for version 10.2.4

Date published: 12/18/2018

  • Added dark mode support for macOS Mojave 10.14.
  • An option to import from Microsoft Remote Desktop 8 now appears in the Connection Center if it is empty.
  • Addressed folder redirection compatibility with some third-party enterprise applications.
  • Resolved issues where users were getting a 0x30000069 Remote Desktop Gateway error due to security protocol fallback issues.
  • Fixed progressive rendering issues some users were experiencing with fit to window mode.
  • Fixed a bug that prevented file copy and paste from copying the latest version of a file.
  • Improved mouse-based scrolling for small scroll deltas.

Updates for version 10.2.3

Date published: 11/06/2018

  • Added support for the 'remoteapplicationcmdline' RDP file setting for remote app scenarios.
  • The title of the session window now includes the name of the RDP file (and server name) when launched from an RDP file.
  • Fixed reported RD gateway performance issues.
  • Fixed reported RD gateway crashes.
  • Fixed issues where the connection would hang when connecting through an RD gateway.
  • Better handling of full-screen remote apps by intelligently hiding the menu bar and dock.
  • Fixed scenarios where remote apps remained hidden after being launched.
  • Addressed slow rendering updates when using 'Fit to Window' with hardware acceleration disabled.
  • Handled database creation errors caused by incorrect permissions when the client starts up.
  • Fixed an issue where the client was consistently crashing at launch and not starting for some users.
  • Fixed a scenario where connections were incorrectly imported as full-screen from Remote Desktop 8.

Updates for version 10.2.2

Date published: 10/09/2018

  • A brand new Connection Center that supports drag and drop, manual arrangement of desktops, resizable columns in list view mode, column-based sorting, and simpler group management.
  • The Connection Center now remembers the last active pivot (Desktops or Feeds) when closing the app.
  • The credential prompting UI and flows have been overhauled.
  • RD Gateway feedback is now part of the connecting status UI.
  • Settings import from the version 8 client has been improved.
  • RDP files pointing to RemoteApp endpoints can now be imported into the Connection Center.
  • Retina display optimizations for single monitor Remote Desktop scenarios.
  • Support for specifying the graphics interpolation level (which affects blurriness) when not using Retina optimizations.
  • 256-color support to enable connectivity to Windows 2000.
  • Fixed clipping of the right and bottom edges of the screen when connecting to Windows 7, Windows Server 2008 R2 and earlier.
  • Copying a local file into Outlook (running in a remote session) now adds the file as an attachment.
  • Fixed an issue that was slowing down pasteboard-based file transfers if the files originated from a network share.
  • Addressed a bug that was causing Excel (running in a remote session) to hang when saving to a file on a redirected folder.
  • Fixed an issue that was causing no free space to be reported for redirected folders.
  • Fixed a bug that caused thumbnails to consume too much disk storage on macOS 10.14.
  • Added support for enforcing RD Gateway device redirection policies.
  • Fixed an issue that prevented session windows from closing when disconnecting from a connection using RD Gateway.
  • If Network Level Authentication (NLA) is not enforced by the server, you will now be routed to the login screen if your password has expired.
  • Fixed performance issues that surfaced when lots of data was being transferred over the network.
  • Smart card redirection fixes.
  • Support for all possible values of the 'EnableCredSspSupport' and 'Authentication Level' RDP file settings if the ClientSettings.EnforceCredSSPSupport user default key (in the com.microsoft.rdc.macos domain) is set to 0.
  • Support for the 'Prompt for Credentials on Client' RDP file setting when NLA is not negotiated.
  • Support for smart card-based login via smart card redirection at the Winlogon prompt when NLA is not negotiated.
  • Fixed an issue that prevented downloading feed resources that have spaces in the URL.

Updates for version 10.2.1

Date published: 08/06/2018

  • Enabled connectivity to Azure Active Directory (AAD) joined PCs. To connect to an AAD joined PC, your username must be in one of the following formats: 'AzureAD\user' or 'AzureAD\user@domain'.
  • Addressed some bugs affecting the usage of smart cards in a remote session.

Updates for version 10.2.0

Date published: 07/24/2018

  • Incorporated updates for GDPR compliance.
  • MicrosoftAccount\username@domain is now accepted as a valid username.
  • Clipboard sharing has been rewritten to be faster and support more formats.
  • Copy and pasting text, images or files between sessions now bypasses the local machine's clipboard.
  • You can now connect via an RD Gateway server with an untrusted certificate (if you accept the warning prompts).
  • Metal hardware acceleration is now used (where supported) to speed up rendering and optimize battery usage.
  • When using Metal hardware acceleration we try to work some magic to make the session graphics appear sharper.
  • Got rid of some instances where windows would hang around after being closed.
  • Fixed bugs that were preventing the launch of RemoteApp programs in some scenarios.
  • Fixed an RD Gateway channel synchronization error that was resulting in 0x204 errors.
  • The mouse cursor shape now updates correctly when moving out of a session or RemoteApp window.
  • Fixed a folder redirection bug that was causing data loss when copy and pasting folders.
  • Fixed a folder redirection issue that caused incorrect reporting of folder sizes.
  • Fixed a regression that was preventing logging into an AAD-joined machine using a local account.
  • Fixed bugs that were causing the session window contents to be clipped.
  • Added support for RD endpoint certificates that contain elliptic-curve asymmetric keys.
  • Fixed a bug that was preventing the download of managed resources in some scenarios.
  • Addressed a clipping issue with the pinned connection center.
  • Fixed the checkboxes in the Display tab of the Add a Desktop window to work better together.
  • Aspect ratio locking is now disabled when dynamic display change is in effect.
  • Addressed compatibility issues with F5 infrastructure.
  • Updated handling of blank passwords to ensure the correct messages are shown at connect-time.
  • Fixed mouse scrolling compatibility issues with MapInfra Pro.
  • Fixed some alignment issues in the Connection Center when running on Mojave.

Updates for version 10.1.8

Date published: 05/04/2018

  • Added support for changing the remote resolution by resizing the session window!
  • Fixed scenarios where remote resource feed download would take an excessively long time.
  • Resolved the 0x207 error that could occur when connecting to servers not patched with the CredSSP encryption oracle remediation update (CVE-2018-0886).

Updates for version 10.1.7

Date published: 04/05/2018

  • Made security fixes to incorporate CredSSP encryption oracle remediation updates as described in CVE-2018-0886.
  • Improved RemoteApp icon and mouse cursor rendering to address reported mispaints.
  • Addressed issues where RemoteApp windows appeared behind the Connection Center.
  • Fixed a problem that occurred when you edit local resources after importing from Remote Desktop 8.
  • You can now start a connection by pressing ENTER on a desktop tile.
  • When you're in full screen view, CMD+M now correctly maps to WIN+M.
  • The Connection Center, Preferences, and About windows now respond to CMD+M.
  • You can now start discovering feeds by pressing ENTER on the 'Adding Remote Resources' page.
  • Fixed an issue where a new remote resources feed showed up empty in the Connection Center until after you refreshed.

Updates for version 10.1.6

Date published: 03/26/2018

  • Fixed an issue where RemoteApp windows would reorder themselves.
  • Resolved a bug that caused some RemoteApp windows to get stuck behind their parent window.
  • Addressed a mouse pointer offset issue that affected some RemoteApp programs.
  • Fixed an issue where starting a new connection gave focus to an existing session, instead of opening a new session window.
  • We fixed an error with an error message - you'll see the correct message now if we can't find your gateway.
  • The Quit shortcut (⌘ + Q) is now consistently shown in the UI.
  • Improved the image quality when stretching in 'fit to window' mode.
  • Fixed a regression that caused multiple instances of the home folder to show up in the remote session.
  • Updated the default icon for desktop tiles.