Mac OSX

At work we are required to use a smart card to log in to our systems. This works fine when we log on to our Macs or our Windows desktops, and Remote Desktop from a Windows desktop to another Windows machine redirects the card without any issues. The problem occurs when we try to log on to Windows machines from a Mac. There aren't many Remote Desktop clients for Mac that support smart card redirection; even Microsoft's own Remote Desktop client for Mac did not support it at the time of writing. I found a nice client, Royal TSX, that supports smart card redirection, and it works fine. Actually, it worked fine up to Windows 7 and Windows Server 2012 and stopped working with Windows 8 and Windows Server 2012 R2. It looks like Microsoft changed the behavior of the Smart Card service in Windows 8 and Windows Server 2012 R2: when I try to log on to a Windows Server 2012 R2 or Windows 8 machine from my Mac over Remote Desktop, I get the error "No valid certificates were found on this smart card".

The workaround I used for this was to connect to my Windows 7 virtual desktop and from there connect to the Windows 8, Windows 10 or Windows Server 2012 R2 machines. This was an acceptable workaround until recently, when my virtual desktop was upgraded to Windows 10. I expected the smart card issue to have been resolved in Windows 10, but Windows 10 has the same problem. After some research online I found out that Microsoft changed how the Smart Card service behaves in Windows 8 and later: the service is trigger-started, i.e. it only starts when Windows detects a smart card reader. When I Remote Desktop from the Mac, the Windows machine apparently does not detect the redirected reader, so the service never starts. I tested this by starting the Smart Card service manually, and I was then able to log on. The remaining problem was how to start the service automatically whenever I connect via Remote Desktop. I noticed that when I connect using Remote Desktop, Event Viewer logs event ID 9027 from source "Desktop Window Manager" in the Application log.

I figured I could use this event as a Task Scheduler trigger and start the Smart Card service whenever it appears in the Application log.

I opened Task Scheduler and created a new task using the steps below.

Start Task Scheduler, right-click Task Scheduler Library and click Create Task.

Name the task whatever you want, I used “Start Smart Card Service”.

On the General tab, set the following options.

"When running the task, use the following user account:" must be set to SYSTEM. We want this task to run as the SYSTEM account, because it has to start a service before anyone has logged on.

"Run whether user is logged on or not" must be selected. The event fires at connection time, when no user is logged on yet.

"Run with highest privileges" can be checked as well. For the SYSTEM account this has no practical effect, since SYSTEM is not subject to UAC token filtering, but it does no harm; I checked it so the task cannot fail for lack of permissions.

Now go to “Triggers” tab

Click "New" to create a new trigger. In the window that opens:

Set "Begin the task:" to "On an event", since we want the task to start on an event.

In "Log:", select Application.

In "Source:", select "Desktop Window Manager".

In "Event ID:", type 9027.

These values match what we saw in Event Viewer: log "Application", source "Desktop Window Manager", event ID 9027, so the task runs on that event only. Click "OK" and the trigger is added.

Now go to Actions tab

Click on “New” button to add an action.

In "Program/script:", type the full path C:\Windows\System32\net.exe (a bare net also works, but the full path avoids relying on PATH lookup for a task that runs as SYSTEM). In "Add arguments (optional):", type start scardsvr; i.e. we want the task to run net start scardsvr to start the Smart Card service. Click "OK" to close this window. Everything else can be left at its default, so click "OK" again to close the properties window.

Your task is now set up and shows up in the list of tasks. It should start the Smart Card service whenever you connect using Remote Desktop Connection.

Try it: when you connect using Remote Desktop, Windows should now read the smart card and ask for your PIN, and after entering the PIN you should be able to log on to your Windows 10 machine. If it doesn't work, try removing the smart card and inserting it again.

This resolved my issue connecting to my Windows 10 virtual desktop from my Mac. Later I ran into another issue: when I lock my Windows 10 machine, after some time it stops accepting my smart card and gives either "No valid certificates were found on this smart card" or "The requested key container does not exist on the smart card". I haven't found a workaround for this yet and am still looking for an event it generates that could trigger the task as well. For now, whenever I get these errors while trying to unlock my Windows 10 machine, I disconnect the session and reconnect, and it works again. I will update this post if I find a workaround.

This workaround should also work on Windows Server 2012 R2. The difference is that 2012 R2 may log a different event than "Desktop Window Manager" 9027 at connection time; check the Application log right after connecting, find an event that reliably appears, and configure the trigger on that event instead.
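The same task can be created from an elevated PowerShell prompt instead of clicking through the Task Scheduler UI, which is handy for a fleet of virtual desktops. The script below is an added example written for this page, not code from the original post. It uses the ScheduledTasks module (Windows 8 / Server 2012 and later), builds the event trigger as an MSFT_TaskEventTrigger CIM instance because New-ScheduledTaskTrigger has no "on an event" switch, and includes a Get-WinEvent query you can run right after an RDP connect to confirm that 9027 (or whatever your 2012 R2 box logs instead) actually appears before you rely on it. The task name, log, source and event ID are the ones from the post; the battery settings are my addition.

```powershell
# Added example: register the "Start Smart Card Service" task from an elevated
# PowerShell on the Windows machine you RDP into. Not code from the original post.

$TaskName = 'Start Smart Card Service'
$LogName  = 'Application'
$Provider = 'Desktop Window Manager'
$EventId  = 9027          # event the post observed at RDP connect time

# 1. Confirm the trigger event really fires here (Server 2012 R2 may log something else).
#    Connect over RDP first, then look back a few minutes.
function Get-RecentRdpConnectEvents {
    param([int]$Minutes = 10)
    $filter = @{ LogName = $LogName; ProviderName = $Provider; Id = $EventId
                 StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

# 2. Event trigger: same XPath subscription the Task Scheduler UI generates for
#    Log=Application, Source=Desktop Window Manager, Event ID=9027.
$subscription = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*[System[Provider[@Name='$Provider'] and EventID=$EventId]]</Select>
  </Query>
</QueryList>
"@
$triggerClass = Get-CimClass -Namespace root/Microsoft/Windows/TaskScheduler -ClassName MSFT_TaskEventTrigger
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $subscription
$trigger.Enabled = $true

# 3. Action: "net start scardsvr". Full path instead of a bare "net" so the task does
#    not depend on PATH resolution while running as SYSTEM.
$action = New-ScheduledTaskAction -Execute "$env:SystemRoot\System32\net.exe" -Argument 'start SCardSvr'

# 4. Run as SYSTEM whether or not anyone is logged on. SYSTEM is not subject to UAC,
#    so -RunLevel Highest changes nothing but mirrors the UI checkbox.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Let the task run on a laptop that is on battery (the UI default would skip it).
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action `
    -Principal $principal -Settings $settings -Force | Out-Null

# 5. Smoke test: run the action once by hand and check the service came up.
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 3
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
Get-Service -Name SCardSvr | Select-Object Name, Status, StartType   # StartType needs PowerShell 5+
Get-RecentRdpConnectEvents
```

If Get-RecentRdpConnectEvents returns nothing after a fresh RDP connect, the trigger will never fire on that machine: browse the Application log for an event that does appear at connect time and change $Provider and $EventId accordingly. Starting SCardSvr by hand is low risk, since it is the same service Windows would trigger-start the moment a local reader appeared.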

If you need help, please don’t hesitate to contact me. I would also like to request that if you find a better workaround, please let me know.

Until Microsoft or Apple (whoever's issue it is) resolves this, I am using this workaround.


Thanks for reading my post!


I recently heard from a colleague that PowerShell has been released for Mac OSX and Linux. I wanted to give it a try, since I have been using a Mac for a few years and use the shell regularly. I have worked on many Linux systems over the years; I started using Linux when it was all text/shell based with no GUI, so I am very comfortable with a shell, and since OSX is closely related to BSD, a Unix operating system, the Mac terminal feels familiar.

I have used PowerShell a lot on Windows and was excited to try it on my Mac as well as on Linux. I wrote this article to help others who want to install and test it on their Macs. If time permits, I will also try it on a Linux system and post an article about that.

Installation

So, let's start with PowerShell for Mac OSX. First download the .pkg file from here. Then either open Terminal and run the following command:

sudo installer -pkg powershell-x.x.x.pkg -target /

Replace x.x.x with the version number of the file you downloaded.

Or just double-click the powershell-x.x.x.pkg file. When I ran the above command I got the following error:

xxxxx is not in the sudoers file. This incident will be reported.

This is easy to resolve; it means your account is not an administrator. Open "System Preferences", click "Users & Groups", select your account, click the lock at the bottom left to unlock it (it asks for administrator credentials), then check "Allow user to administer this computer". Note that this makes your everyday account an administrator; if you would rather keep it a standard account, run the installer from an admin account instead.

After this you should be able to run the install command above. If you choose the easier route and double-click the file, Gatekeeper may refuse to open the package; that is what happened when I tried it.

This is easy to resolve too. Open "System Preferences", click "Security & Privacy", click the lock at the bottom left to unlock it, then click "Open Anyway". Before overriding Gatekeeper it is worth checking that the package really is what you think it is: pkgutil --check-signature powershell-x.x.x.pkg in Terminal shows whether, and by whom, the package is signed, which the Gatekeeper dialog does not tell you.

Alternatively, control-click the .pkg file and choose "Open" from the context menu. The installation starts and you just follow the prompts.

You are then prompted for administrator credentials; enter them and click "Install Software". In a few seconds the installation completes and the installer reports success.

Click "Close". PowerShell is now installed; open Terminal and type powershell to launch it, and you will see the PS prompt. Run $PSVersionTable to see the version information. Tab completion works as it does on Windows: type $psver and press Tab, and it completes to $PSVersionTable, fixing the case as well.

Run Get-Command to list the available commands and Get-Module to list the available modules. Run sw_vers to see the macOS version information.
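Clicking "Open Anyway" tells Gatekeeper to trust a file it could not vouch for, so the decision should rest on something you checked yourself. The function below is an added example for this page, not code from the original post or from Microsoft: run it under an already-installed pwsh (for instance before installing the next release) to confirm that a downloaded .pkg is signed by the expected publisher and matches the SHA-256 hash published for that release. The signer substring and the expected hash are parameters you supply; the "Microsoft Corporation" default is an assumption about how the publisher appears in the certificate chain, so check it against what pkgutil prints the first time.

```powershell
# Added example: verify a downloaded PowerShell .pkg before "sudo installer" or
# "Open Anyway". Runs on an existing pwsh on macOS; uses the native pkgutil tool.
# Not code from the original post.
function Test-PowerShellPkg {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSha256,                           # hash from the release page
        [string] $ExpectedSigner = 'Microsoft Corporation'  # assumed signer substring
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "No such file: $Path" }

    # 1. Gatekeeper's dialog is not a signature check; pkgutil is. It prints
    #    "Status: signed ..." plus the certificate chain, or "Status: no signature".
    $sig = (& /usr/sbin/pkgutil --check-signature $Path 2>&1 | Out-String)
    $signedByExpected = ($sig -match 'Status:\s+signed') -and
                        ($sig -match [regex]::Escape($ExpectedSigner))

    # 2. Independently pin the bytes to the hash you copied from the release page.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $hashMatches = if ($ExpectedSha256) { $actual -eq $ExpectedSha256.ToLowerInvariant() } else { $null }

    [pscustomobject]@{
        Path             = $Path
        SignedByExpected = $signedByExpected
        Sha256           = $actual
        HashMatches      = $hashMatches      # $null when no expected hash was given
        SignatureSummary = (($sig -split "`n") |
                            Where-Object { $_ -match 'Status:|Developer ID' } |
                            ForEach-Object { $_.Trim() }) -join '; '
    }
}

# Usage (x.x.x and the hash are placeholders, as in the post):
# Test-PowerShellPkg -Path ~/Downloads/powershell-x.x.x.pkg -ExpectedSha256 '<hash from release page>'
```

Install only when SignedByExpected is true and HashMatches is true; an early preview package may legitimately come back unsigned, in which case the published hash is the only thing standing between you and a tampered download, so do not skip the -ExpectedSha256 parameter. Without an existing pwsh, the two underlying commands (pkgutil --check-signature and shasum -a 256) can be typed into Terminal directly.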

You can now enjoy exploring Powershell on your Mac.


Uninstallation

PowerShell on Mac OSX must be uninstalled manually; the package ships no uninstaller. To remove it, run the following command:

sudo rm -rf /usr/local/bin/powershell /usr/local/microsoft/powershell


When I upgraded my MacBook to Mavericks, I started having problems with my VPN: the Juniper Network Connect client failed to launch or install. I searched online and found a solution that let Network Connect launch and install, and I was able to connect to my VPN, but then I faced another issue: after a few minutes Network Connect stopped routing traffic over the VPN tunnel. I searched again and found other people with the same problem but no solution, so I investigated the cause and ended up building a fix myself, which I would like to share.

So there are actually two issues with Network Connect on Mavericks.

Issue No. 1:

Network Connect fails to launch or install.

Solution:

This solution is available on forums. In Safari, open Preferences, go to Security / Manage Website Settings, then select the Java plug-in. Select the URL of your VPN and set it to run in Unsafe Mode / Always Allow. Grant this to your VPN host only: unsafe mode lets the Java applet run outside the browser sandbox, so it should not be enabled for any other site.

Issue No. 2:

Network Connect stops forwarding traffic to the VPN Tunnel after a few minutes.

Solution:

What I found was that OSX was losing the ARP entry for the gateway after a few minutes and therefore stopped forwarding any traffic. So I wrote a small script. It saves the current ARP entry for the gateway in a variable and then re-adds that entry to the ARP table every second, so even if OSX drops the gateway entry the script puts it back and traffic keeps flowing. I have tested it on a few MacBooks and it works fine. Juniper says they will release a new version of Network Connect that fixes this; until then the script is a good workaround.

What you need to do is that before starting up your VPN connection do the following:

  • Open a Terminal window
  • Type "sudo su -", then enter your user password at the password prompt
  • Run "./arprefresh.sh" from the directory you saved it in (make it executable first with "chmod +x arprefresh.sh")
  • Leave the Terminal window open and start your VPN
  • DO NOT CLOSE THE TERMINAL WINDOW; leave it running while you work on the VPN

If this script works for you and solves your issue, please leave a comment.

Download the script below
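The author's arprefresh.sh is offered as a download and is not reproduced on this page. As an added example for this edit, here is a reconstruction of the approach in PowerShell for macOS (pwsh, as installed in the PowerShell section above); it is not the author's script. It follows the description above, saving the gateway's ARP entry before the VPN comes up and restoring it, with one deliberate difference: rather than re-adding blindly every second, it polls every second and re-adds the saved MAC only when the kernel has dropped the entry or marked it incomplete. The paths to netstat, arp and ping and the output formats being parsed are macOS-specific assumptions.

```powershell
# Added example: keep the default gateway's ARP entry pinned on macOS while a
# Network Connect tunnel is up. Reconstruction of the idea described in the post,
# not the author's arprefresh.sh. Run as root before connecting: sudo pwsh ./arprefresh.ps1

function Get-DefaultGateway {
    # Parses "default   192.168.1.1   UGSc   en0" from 'netstat -rn -f inet'.
    foreach ($line in (& /usr/sbin/netstat -rn -f inet)) {
        if ($line -match '^default\s+(\d{1,3}(?:\.\d{1,3}){3})\s') { return $Matches[1] }
    }
    throw 'No IPv4 default route found'
}

function Get-ArpEntry {
    param([Parameter(Mandatory)][string]$Ip)
    # 'arp -n' prints "? (192.168.1.1) at 0:11:22:33:44:55 on en0 ifscope [ethernet]",
    # "... at (incomplete) on en0 ..." once the entry has expired, or "-- no entry".
    # macOS omits leading zeros in MAC octets, hence {1,2}.
    $out = (& /usr/sbin/arp -n $Ip 2>&1 | Out-String)
    if ($out -match '\)\s+at\s+([0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})\s+on\s+(\S+)') {
        return [pscustomobject]@{ Ip = $Ip; Mac = $Matches[1]; Interface = $Matches[2] }
    }
    return $null
}

function Start-ArpRefresh {
    param([int]$IntervalSeconds = 1)
    if ((& /usr/bin/id -u) -ne '0') { throw 'arp -s needs root; run under sudo' }

    $gw    = Get-DefaultGateway
    $entry = Get-ArpEntry -Ip $gw
    if (-not $entry) {
        # Nothing cached yet: one ping forces resolution while the LAN path still works.
        & /sbin/ping -c 1 -t 2 $gw | Out-Null
        $entry = Get-ArpEntry -Ip $gw
        if (-not $entry) { throw "Could not learn the MAC address of gateway $gw" }
    }
    Write-Host "Pinning $($entry.Ip) -> $($entry.Mac) on $($entry.Interface); Ctrl-C to stop"

    while ($true) {
        $now = Get-ArpEntry -Ip $gw
        if (-not $now -or $now.Mac -ne $entry.Mac) {
            # Entry gone, incomplete, or changed: restore the saved mapping as a
            # permanent entry (arp -s without "temp" creates a permanent one).
            & /usr/sbin/arp -d $gw 2>$null | Out-Null
            & /usr/sbin/arp -s $gw $entry.Mac | Out-Null
            Write-Host "$(Get-Date -Format T) re-added ARP entry for $gw"
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

Start-ArpRefresh
```

Because the saved MAC is written back as a permanent entry, a gateway that legitimately changes hardware address while the script runs (a router swap, or moving to another network) will be unreachable until you stop the script and flush the entry with arp -d; that is the price of pinning, and the reason the script is meant to be started fresh for each VPN session rather than left running permanently.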