Smartcard redirection not working #8701

Open
wescode opened this issue Feb 18, 2023 · 14 comments

@wescode

wescode commented Feb 18, 2023

Describe the bug
I am connecting to a Windows 10 desktop with smartcard passthrough; the desktop runs Activclient. Once connected, Activclient freezes trying to read the card. There are times when I can remove and reinsert the card and the card will show up. Then if I try to RDP from the Windows machine to another 2019/2012 Windows server, I get the same errors. From the FreeRDP logs I am seeing SCARD_E_CANCELLED errors. From the pcscd logs I am seeing rv=SCARD_E_CANCELLED and rv=SCARD_E_SHARING_VIOLATION. I have attached both logs. Please let me know if you need any further information. Thank you.

Expected behavior
The smartcard should be read and not freeze client applications.

Application details

  • FreeRDP version: FreeRDP version 2.8.1 (2.8.1

  • Command line used: xfreerdp /f /floatbar /microphone /smartcard:SCM /u: /d: /v: /sound -sec-rdp /log-level:trace

  • Output of xfreerdp /buildconfig

  • Build configuration: BUILD_TESTING=OFF BUILTIN_CHANNELS=ON HAVE_AIO_H=1 HAVE_EXECINFO_BACKTRACE=1 HAVE_EXECINFO_BACKTRACE_SYMBOLS=1 HAVE_EXECINFO_BACKTRACE_SYMBOLS_FD=1 HAVE_EXECINFO_H=ON HAVE_EXECINFO_HEADER=1 HAVE_FCNTL_H=1 HAVE_GETLOGIN_R=1 HAVE_GETPWUID_R=1 HAVE_INTTYPES_H=1 HAVE_JOURNALD_H=TRUE HAVE_MATH_C99_LONG_DOUBLE=1 HAVE_POLL_H=1 HAVE_PTHREAD_MUTEX_TIMEDLOCK=ON HAVE_PTHREAD_MUTEX_TIMEDLOCK_LIBS= HAVE_PTHREAD_MUTEX_TIMEDLOCK_SYMBOL=1 HAVE_SYSLOG_H=1 HAVE_SYS_EVENTFD_H=1 HAVE_SYS_FILIO_H= HAVE_SYS_MODEM_H= HAVE_SYS_SELECT_H=1 HAVE_SYS_SOCKIO_H= HAVE_SYS_STRTIO_H= HAVE_SYS_TIMERFD_H=1 HAVE_TM_GMTOFF=1 HAVE_UNISTD_H=1 HAVE_XI_TOUCH_CLASS=1 WITH_ALSA=ON WITH_CAIRO=ON WITH_CCACHE=ON WITH_CHANNELS=ON WITH_CLANG_FORMAT=ON WITH_CLIENT=ON WITH_CLIENT_AVAILABLE=1 WITH_CLIENT_CHANNELS=ON WITH_CLIENT_CHANNELS_AVAILABLE=1 WITH_CLIENT_COMMON=ON WITH_CLIENT_INTERFACE=OFF WITH_CUPS=ON WITH_DEBUG_ALL=OFF WITH_DEBUG_CAPABILITIES=OFF WITH_DEBUG_CERTIFICATE=OFF WITH_DEBUG_CHANNELS=OFF WITH_DEBUG_CLIPRDR=OFF WITH_DEBUG_DVC=OFF WITH_DEBUG_KBD=OFF WITH_DEBUG_LICENSE=OFF WITH_DEBUG_MUTEX=OFF WITH_DEBUG_NEGO=OFF WITH_DEBUG_NLA=OFF WITH_DEBUG_NTLM=OFF WITH_DEBUG_RAIL=OFF WITH_DEBUG_RDP=OFF WITH_DEBUG_RDPDR=OFF WITH_DEBUG_RDPEI=OFF WITH_DEBUG_RDPGFX=OFF WITH_DEBUG_REDIR=OFF WITH_DEBUG_RFX=OFF WITH_DEBUG_RINGBUFFER=OFF WITH_DEBUG_SCARD=OFF WITH_DEBUG_SND=OFF WITH_DEBUG_SVC=OFF WITH_DEBUG_SYMBOLS=OFF WITH_DEBUG_THREADS=OFF WITH_DEBUG_TIMEZONE=OFF WITH_DEBUG_TRANSPORT=OFF WITH_DEBUG_TSG=OFF WITH_DEBUG_TSMF=OFF WITH_DEBUG_TSMF=OFF WITH_DEBUG_TSMF_AVAILABLE=0 WITH_DEBUG_URBDRC=OFF WITH_DEBUG_WND=OFF WITH_DEBUG_X11=OFF WITH_DEBUG_X11_CLIPRDR=OFF WITH_DEBUG_X11_LOCAL_MOVESIZE=OFF WITH_DEBUG_XV=OFF WITH_DSP_EXPERIMENTAL=OFF WITH_EVENTFD_READ_WRITE=1 WITH_FAAC=OFF WITH_FAAD2=OFF WITH_FFMPEG=OFF WITH_GFX_H264=OFF WITH_GPROF=OFF WITH_GSM=OFF WITH_GSSAPI=OFF WITH_ICU=ON WITH_IPP=OFF WITH_JPEG=ON WITH_LAME=OFF WITH_LIBRARY_VERSIONING=ON WITH_LIBSYSTEMD=ON WITH_MACAUDIO=OFF WITH_MACAUDIO=OFF 
WITH_MACAUDIO_AVAILABLE=0 WITH_MANPAGES=ON WITH_MBEDTLS=OFF WITH_OPENCL=OFF WITH_OPENH264=OFF WITH_OPENSLES=OFF WITH_OPENSSL=ON WITH_OSS=ON WITH_PAM=ON WITH_PCSC=ON WITH_PROFILER=OFF WITH_PROXY=OFF WITH_PULSE=ON WITH_SAMPLE=OFF WITH_SANITIZE_ADDRESS=OFF WITH_SANITIZE_ADDRESS_AVAILABLE=1 WITH_SANITIZE_MEMORY=OFF WITH_SANITIZE_MEMORY_AVAILABLE=1 WITH_SANITIZE_THREAD=OFF WITH_SANITIZE_THREAD_AVAILABLE=1 WITH_SERVER=ON WITH_SERVER_CHANNELS=ON WITH_SERVER_INTERFACE=ON WITH_SHADOW=ON WITH_SMARTCARD_INSPECT=OFF WITH_SOXR=OFF WITH_SSE2=ON WITH_SWSCALE=OFF WITH_THIRD_PARTY=OFF WITH_VALGRIND_MEMCHECK=OFF WITH_VALGRIND_MEMCHECK_AVAILABLE=1 WITH_VERBOSE_WINPR_ASSERT=ON WITH_WAYLAND=ON WITH_WINPR_TOOLS=ON WITH_X11=ON WITH_XCURSOR=ON WITH_XDAMAGE=ON WITH_XEXT=ON WITH_XFIXES=ON WITH_XI=ON WITH_XINERAMA=ON WITH_XKBFILE=ON WITH_XRANDR=ON WITH_XRENDER=ON WITH_XSHM=ON WITH_XTEST=ON WITH_XV=ON WITH_ZLIB=ON
    Build type: RelWithDebInfo
    CFLAGS: -g -O2 -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Wall -Wno-unused-result -Wno-unused-but-set-variable -Wno-deprecated-declarations -fvisibility=hidden -Wimplicit-function-declaration -Wredundant-decls -g -fno-omit-frame-pointer -DWINPR_DLL
    Compiler: GNU, 12.2.0
    Target architecture: x64

  • OS version connecting to (server side): Windows 10

  • I've attached freerdp and pcscd logs

Environment (please complete the following information):

  • OS: Ubuntu 22.10 - 6.1.11 x64
  • pcsc-lite version 1.9.9

Logs:
pcscd_trace.log
freerdp-trace.log

@akallabeth
Member

@wescode sorry for the delay, smartcard is kind of a hard topic with RDP redirection.
So, might I ask if this feature works if you connect with mstsc (Windows RDP client)?
I need that as a baseline to know if we miss something on our side (PCSC lite is not 100% compatible with the Windows smartcard layer) or if it just does not work over RDP at all.

@wescode
Author

wescode commented Feb 28, 2023

> @wescode sorry for the delay, smartcard is kind of a hard topic with RDP redirection. So, might I ask if this feature works if you connect with mstsc (Windows RDP client)? I need that as a baseline to know if we miss something on our side (PCSC lite is not 100% compatible with the Windows smartcard layer) or if it just does not work over RDP at all.

No problem. Yes, it works fine if I use Windows mstsc. I am currently using a Windows VM to do just that until this bug can hopefully be fixed. Thanks.

@akallabeth
Member

akallabeth commented Feb 28, 2023

@wescode ok, good to know.
One simple (but kind of wtf) thing you can try is setting /client-build-number:<windows build number>.
The RDP server changes behaviour depending on the version it receives, so maybe you're better off emulating an older Windows build. See MS-RDPESC for details.

@wescode
Author

wescode commented Feb 28, 2023

@akallabeth I forgot to include in my original post that I did indeed try several different build numbers and it didn't seem to make a difference.

@wescode
Author

wescode commented Mar 4, 2023

If there is any other information I can provide in helping debug this issue let me know.

@mmsoft3

mmsoft3 commented Mar 14, 2023

In case some further data for analysis is required, please find attached my trace files.
The client is running FreeBSD 13.1 and I'm connecting to Windows 10. This works fine; however, I cannot see any devices.
I'm trying to use the smartcard when connecting to a Citrix server - that's where things go wrong and the RDP logs show timeout messages.
When I use a Windows client to connect to the Windows 10 machine, everything works fine.
Specifying the client-build-number also has no effect.

pcscd.log
freerdp.log

@akallabeth
Member

Thank you for the logs.
Smartcard is kind of hard to debug because:

  1. the Windows and Linux smartcard drivers often differ in feature support for the same hardware (hardware-dependent issues)
  2. there are subtle differences in data exchanged (sometimes, hooray for heisenbugs)
  3. there are subtle differences in API
  4. there are RDP protocol requirements pcsc-lite cannot support fully
  5. you have RDP protocol differences depending on /client-build-number
  6. each software uses different means to access a smartcard

I don't know if I can find something here, as I don't exactly know what the calls should look like in your case, but maybe the listing above can help to identify additional data that can be gathered to debug this.

(Ideal would be a call trace on the Windows side with mstsc remoting the smartcard, on both the client OS and server OS side, so we know what the calls should look like.)

@mmsoft3

mmsoft3 commented Mar 16, 2023

I can try to create some traces on windows machines. However I do not know how I would do this.
Do you have a hint how to create useful mstsc traces?

@akallabeth
Member

@mmsoft3 sorry, no, I don't know. But you should not trace mstsc but the PCSC API calls on Windows.

@WingsLikeEagles

Not sure how helpful this is, but I noticed in the buildconfig posted above (way above), it shows
WITH_SMARTCARD_INSPECT=OFF

@akallabeth
Member

@WingsLikeEagles no, that is a debugging option (log all smartcard calls)

@wescode
Author

wescode commented Jul 28, 2023

Reviving this as I would still like to use smartcard redirection at some point so I can ditch the windows VM :) Is there any other information I can provide to help further debug this issue? I did compile the 3.0 beta, but still had the same results.

@mmsoft3

mmsoft3 commented Jul 28, 2023

I tried to investigate the issue a bit further.
Currently, I think at least my issue might be a problem with pcscd and my smart card.
Even when connecting the sc reader directly to a linux machine with citrix installed, the smart card does not work correctly.

My temporary solution to this issue is sharing the USB device over network with usbip.
In this scenario, I can import the virtual USB device to the Windows VM running Citrix.
This gives some flexibility, however I still cannot get rid of the Windows VM as a Citrix client.

@akallabeth
Member

@mmsoft3 the base requirement is a working smartcard with pcscd. The only alternative (if you have the key/cert) is an emulated smartcard (FreeRDP can be compiled with support for that) or the virtual smartcard for Linux.
