Environment:
- FreeRDP: master - db04bac
- sspi-rs: master - 82d8bba
- Windows Server 2025 Standard Evaluation Version: 24H2, OS build: 26100.7462 [VM]
- Server: Windows 11 Pro Version: 25H2, OS build: 26200.7462 [VM]
- Client:
  - Mac mini: M1, 2020: macOS: Tahoe 26.2, Chip: Apple M1 [real device]
  - Mac mini 2018: macOS: Sonoma 14.8.1 [real device]
- YubiKey 5 Nano (firmware: 5.4.3, Serial: 13835981)
Preconditions:
- Windows Server 2025 VM is configured and launched:
  - set up and configure Active Directory
  - set up and configure DNS server
  - set up and configure Certification Authority
  - set up and configure certificate template for the RDP smartcard logon
  - create a user for the domain-joined machine
- Domain-joined Windows 11 VM is configured and launched:
  - join Windows 11 to our domain
  - allow RDP access
  - disable NTLM to make sure that we always use Kerberos for NLA and not NTLM
  - YubiKey minidriver installed
- Smart card device (YubiKey with PIV support) is configured:
  - set up YubiKey 5 Nano with enrolled certificate
- macOS machine with connected smart card is configured and launched:
  - macOS with libykcs11.dylib installed
  - set up environment variables; note that the environment variables "WINSCARD_SMARTCARD_CONTAINER_NAME" and "INSCARD_CERTIFICATE_FILE_PATH" are not set:
    - SSPI_PKCS11_MODULE_PATH - <path/to/libykcs11.dylib module>
    - SSPI_KDC_URL -
    - SSPI_LOG_LEVEL - trace
    - SSPI_LOG_PATH - <path/to/logfile>
    - SSPI_SCARD_TYPE - system
    - WINSCARD_USE_SYSTEM_SCARD - true
Steps:
- Open terminal on the macOS machine
- Launch FreeRDP session using command:
./sdl-freerdp /v:VDP-WIN11P-25H2.qaexample.com /u:joe-moon /d:qaexample.com /p:123456 /smartcard-logon /sec:nla /cert:ignore /log-level:TRACE /auth-pkg-list:!ntlm,kerberos /sspi-module:/Users/user/Desktop/FreeRDP_19-12-2025/Users/user/Documents/projects/sspi-rs/target/debug/libsspi.dylib /kerberos:pkcs11-module:"/opt/homebrew/lib/libykcs11.2.7.2.dylib" /winscard-module:/Users/user/Desktop/FreeRDP_19-12-2025/Users/user/Documents/projects/sspi-rs/target/debug/libsspi.dylibb > rdp.out.log
Actual Result: The FreeRDP session is not connected when launching the session without the environment variables "WINSCARD_SMARTCARD_CONTAINER_NAME" and "INSCARD_CERTIFICATE_FILE_PATH"; see the attached files: freeRDP_not_launched_if_no_container-cert_paths.mp4, sspi.log, rdp.out.log
Expected Result: The FreeRDP connection should be established successfully when launching the session without the environment variables "WINSCARD_SMARTCARD_CONTAINER_NAME" and "INSCARD_CERTIFICATE_FILE_PATH".
https://github.com/user-attachments/assets/5db28b01-e35d-436d-bc8f-63a705d6b546
sspi.log
rdp.out.log
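
A preflight check for the reproduction setup above, as an added example that is not part of the original report or of FreeRDP/sspi-rs: it verifies the listed environment variables and that every module path passed to `sdl-freerdp` exists on disk. Variable names and switches are copied from the report as written; the function names `check_env` and `check_modules` are hypothetical.

```sh
# Variables the report sets to a non-empty value (SSPI_KDC_URL is listed
# with no value in the report, so it is not checked here).
REQUIRED_VARS="SSPI_PKCS11_MODULE_PATH SSPI_LOG_LEVEL SSPI_LOG_PATH SSPI_SCARD_TYPE WINSCARD_USE_SYSTEM_SCARD"
# Variables the report says must NOT be set for this scenario.
FORBIDDEN_VARS="WINSCARD_SMARTCARD_CONTAINER_NAME INSCARD_CERTIFICATE_FILE_PATH"

# check_env: reports each problem on stderr; exit status = number of problems.
check_env() {
  problems=0
  for name in $REQUIRED_VARS; do
    eval "val=\${$name-}"
    if [ -z "$val" ]; then
      echo "required variable is unset or empty: $name" >&2
      problems=$((problems + 1))
    fi
  done
  for name in $FORBIDDEN_VARS; do
    eval "isset=\${$name+yes}"
    if [ -n "$isset" ]; then
      echo "variable must be unset for this scenario: $name" >&2
      problems=$((problems + 1))
    fi
  done
  # The PKCS#11 module path must point at an existing file.
  if [ -n "${SSPI_PKCS11_MODULE_PATH-}" ] && [ ! -f "$SSPI_PKCS11_MODULE_PATH" ]; then
    echo "SSPI_PKCS11_MODULE_PATH is not a file: $SSPI_PKCS11_MODULE_PATH" >&2
    problems=$((problems + 1))
  fi
  return "$problems"
}

# check_modules: pass the same arguments you give sdl-freerdp, e.g.
#   check_modules /v:host /sspi-module:/path/libsspi.dylib ...
# Exit status = number of module switches whose file does not exist.
check_modules() {
  missing=0
  for arg in "$@"; do
    case $arg in
      /sspi-module:*)            path=${arg#/sspi-module:} ;;
      /winscard-module:*)        path=${arg#/winscard-module:} ;;
      /kerberos:pkcs11-module:*) path=${arg#/kerberos:pkcs11-module:} ;;
      *) continue ;;
    esac
    if [ ! -f "$path" ]; then
      echo "module not found: $path (from $arg)" >&2
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}
```

Source the file in the terminal used for the session, then run `check_env` and `check_modules` with the FreeRDP arguments before launching; a non-zero status means the setup differs from the preconditions listed in the report.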