System administration
MHEMOHuK, 2019-11-13 13:43:28

Can't see the USB token when authenticating in a web application, Windows Server 2016 OS. How to win?

For exchanging tax invoices, the accounting department uses the MEDoc software, where an electronic signature file was used to receive / sign documents. They said that the file is not safe, but the USB token is the very thing. We purchased an Avest PKCS#11 USB token and physically connected it to the server where the MEDoc server part is installed. Users connect from workstations, the clients see the tokens, there is a choice. And the server itself, OS Windows Server 2016, sees them as "Microsoft Usbccid Smart Card Reader (WUDF)" and "AvestUA AvestKey" Smart Card. Everything would be fine if these keys were used only for working with MEDoc, but they are also used for authorization in personal accounts, which can only be accessed through a Web page, for example, the "Payment Payer Account" from the SFS. In this case, the browser does not see them: neither Chrome, nor Explorer, nor FF. If the token is physically connected to the user's PC with Windows 10, then everything works fine. The support service complains about Microsoft's paranoia and the blocking of browser interaction with tokens in Windows Server, almost at the kernel level. I admit that this may be so, but I could not find anything intelligible. What are the options: forwarding flash drives to users' PCs, virtualization on a non-Windows Server OS host?


3 answer(s)
MHEMOHuK, 2019-11-18
@MHEMOHuK

The solution was found - use VNC :(
And now to the essence of the problem: everything is bad, and the RDP client, in particular winscard.dll, is to blame. If the login was local, then smart cards are read from the host; if the login was remote, then from the user's PC. do not see smart cards on the user's PC. This also works in the opposite direction: if you logged in via RDP and then connected to this session locally, then it will see the smart cards on the user's PC that initiated this session, but not see the local ones.
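
A way to check the behaviour this answer describes, as an added example that is not part of the original post: the PowerShell script below asks winscard.dll which readers the current session can see and reports whether that session is remote. The `Demo.Native` type and the `Get-SessionSmartCardReader` function are hypothetical names chosen for this example; run it on the server once from the console and once over RDP and compare the output.

```powershell
# Added example: list the smart card readers winscard.dll exposes to the CURRENT
# session, so a console logon and an RDP logon on the same server can be compared.
Add-Type -Namespace Demo -Name Native -MemberDefinition @'
[DllImport("user32.dll")]
public static extern int GetSystemMetrics(int nIndex);
[DllImport("winscard.dll")]
public static extern int SCardEstablishContext(uint dwScope, IntPtr r1, IntPtr r2, out IntPtr phContext);
[DllImport("winscard.dll", EntryPoint = "SCardListReadersW")]
public static extern int SCardListReaders(IntPtr hContext, IntPtr mszGroups, IntPtr mszReaders, ref uint pcchReaders);
[DllImport("winscard.dll")]
public static extern int SCardReleaseContext(IntPtr hContext);
'@

function Get-SessionSmartCardReader {
    $SCARD_SCOPE_SYSTEM = 2
    $SCARD_E_NO_READERS_AVAILABLE = 0x8010002E   # parsed as a negative Int32, like the return code
    $marshal = [Runtime.InteropServices.Marshal]
    $ctx = [IntPtr]::Zero
    $rc = [Demo.Native]::SCardEstablishContext($SCARD_SCOPE_SYSTEM, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$ctx)
    if ($rc -ne 0) { throw ('SCardEstablishContext failed: 0x{0:X8}' -f $rc) }
    $buf = [IntPtr]::Zero
    try {
        # First call with a null buffer returns the required length in characters.
        [uint32]$len = 0
        $rc = [Demo.Native]::SCardListReaders($ctx, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$len)
        if ($rc -eq $SCARD_E_NO_READERS_AVAILABLE) { return @() }
        if ($rc -ne 0) { throw ('SCardListReaders failed: 0x{0:X8}' -f $rc) }
        $buf = $marshal::AllocHGlobal([int](2 * $len))   # UTF-16: two bytes per character
        $rc = [Demo.Native]::SCardListReaders($ctx, [IntPtr]::Zero, $buf, [ref]$len)
        if ($rc -ne 0) { throw ('SCardListReaders failed: 0x{0:X8}' -f $rc) }
        # The result is a multi-string: names separated by NUL, ended by a double NUL.
        $multi = $marshal::PtrToStringUni($buf, [int]$len)
        return @($multi.Split([char]0) | Where-Object { $_ })
    } finally {
        if ($buf -ne [IntPtr]::Zero) { $marshal::FreeHGlobal($buf) }
        [void][Demo.Native]::SCardReleaseContext($ctx)
    }
}

$SM_REMOTESESSION = 0x1000
[pscustomobject]@{
    SessionName   = $env:SESSIONNAME   # "Console" locally, "RDP-Tcp#<n>" over RDP
    RemoteSession = [Demo.Native]::GetSystemMetrics($SM_REMOTESESSION) -ne 0
    Readers       = (Get-SessionSmartCardReader) -join '; '
}
```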

Sergey Ryzhkin, 2019-11-13
@Franciz

I know that Sbis works via a USB key, but it connects to the web form using an additionally installed plug-in of their own development. You install it and you can log in to the personal account using the EDS. Probably your web form is not adapted. Or you need some kind of intermediary for it to work, like Crypto-Pro and analogues.

Alexander, 2019-11-13
@UPSA

The Chrome, Explorer and FF processes cannot access encryption software, such as CryptoPRO. Not just cannot, but must not; otherwise, by visiting a site it would be possible to launch anything, and not only viruses. )))
We need a plug-in in the browsers, a layer between the browser and the cryptographic software. For example, for CryptoPRO this is the CryptoPro EDS Browser plug-in.
UPD
Again, I did not read the question to the end)))
1. gpedit.msc - to help. The security policy prohibits access to physical devices if the user is connected via RDP (very restrictive).
2. License? For example, CryptoPRO client licenses will not work on server operating systems; server licenses are needed.
