Yubico / yubikey-piv-manager

Tool for configuring your PIV-enabled YubiKey
https://developers.yubico.com/yubikey-piv-manager/
GNU General Public License v3.0

PIV Manager cannot detect local USB devices when in a RDP session, uses remote USB instead. #39

Open R-Adrian opened 6 years ago

R-Adrian commented 6 years ago

OK, I finally managed to make the certificates usable in Windows on both my computers (issue #24), but...

When I am connected via Remote Desktop to my laptop, PIV Manager cannot detect the locally connected YubiKey 4 and will instead use remote USB via RDP: it detects and manages the key connected via USB at the remote (RDP client) computer instead of the locally connected key (on the RDP server).

Remote USB is sometimes useful, but not always. Please allow us to select WHICH USB devices to manage, or at least do not ignore devices connected to the RDP server's local ports if PIV Manager is running with administrative rights. It might or might not be advisable to allow access to locally connected tokens on the RDP server for non-elevated users, but for administrative use this is necessary when setting up the security key(s) that are connected directly to the RDP server device... I'd have to use third-party tools like TeamViewer or RealVNC to avoid such remote USB functions, but then it's less secure.

set-up:

When YK4-B is not plugged in, PIV Manager running on the RDP server cannot detect that YK4-A is connected locally to the laptop and complains that no key is connected.

When I connect YK4-B to the remote computer, PIV Manager running on the RDP server detects the key as if it were connected directly to the RDP server's USB ports and manages it normally, ignoring the fact that YK4-A is also present and directly connected to a USB port on the RDP server.

When I configure the Remote Desktop client not to forward USB via RDP (every checkbox under "local devices and resources" is left unchecked in the client's configuration), PIV Manager, even when running elevated with administrative rights on the computer acting as RDP server, tells me it cannot detect ANY YubiKey 4, even though both the RDP server and the remote desktop have one YK4 connected. At this point I wouldn't expect it to use the remote key, but at least the local (RDP server) key should be usable, right?

dagheyman commented 6 years ago

Thanks for the detailed description of the two different RDP use cases; it's something we'll consider in the tooling moving forward. The current behavior over RDP is more a consequence of how smart cards can be forwarded on Windows than a feature the tool was designed to support.