Feature request: Run as different user, allow smartcard #480

Open
Bill-Stewart opened this issue May 29, 2018 · 9 comments

@Bill-Stewart

Right now if we choose Run as for a tab and specify a specific user account, we are only asked for a password when we start that tab.

This request is to allow smartcard access in this dialog (not just password).

@cbucher
Owner

cbucher commented Jun 4, 2018

image

image

Please, try this documented option.

@Bill-Stewart
Author

Bill-Stewart commented Jun 4, 2018

Thank you. I had that option selected already. The trick is to leave the "run as" username blank in the tab configuration.

I can now authenticate with the smartcard, but when I enter my PIN, I see the following error message, and the new tab does not open:

Unable to create shared objects (reason: (SetEntriesInAcl)No mapping between account names and security IDs was done.
)!

@cbucher
Owner

cbucher commented Jun 5, 2018

Have you tried to log on with the smartcard account?
Verify that the smartcard account exists in your AD.
Verify that your account has permissions to read account properties from AD.

@Bill-Stewart
Author

Bill-Stewart commented Jun 5, 2018

Hi Christophe, thanks for the reply. I use the smartcard to run applications using different credentials on a daily basis from this account, so I can use the smartcard in a normal manner everywhere else.

This is my tab configuration:

image

@cbucher
Owner

cbucher commented Jun 8, 2018

Knowing that your smartcard works in other applications is no help.
Smart cards only store user/password. You/I don't know what other applications are doing with this account.

Your user account (on which ConsoleZ is running) cannot create a security descriptor for the smartcard account.
To understand why, we must understand:

  • if your account is too limited
    -- is this a domain account?
    -- is this a local account?
  • if the smartcard account has a special purpose
    -- can you log on with the smartcard account?
    -- is this a domain account?

@Bill-Stewart
Author

Hi Christophe, thanks. The account that I start ConsoleZ with (my normal logon account) is a domain account but not a member of the local Administrators group - it is a member of the local Users group (by virtue of being a member of Domain Users, which is a member of the local Users group).

Smartcard user account is also a domain account, but it is a member of local Administrators group.

I can use my normal logon account to Shift+right click applications using the smartcard. The SysInternals ShellRunas tool also works.

For example, I can use Shift+right click on a PowerShell icon and choose "Run as different user," insert smartcard, enter PIN, and PowerShell launches as the smartcard user.

@cbucher
Owner

cbucher commented Jun 14, 2018

Hi

Can you try this experimental version and report the popups you see during the test?

@Bill-Stewart
Author

Hi Christophe, when I run this experimental version, I now see three dialog boxes:

image

image

image

@Bill-Stewart
Author

I am now running Windows 10, build 1803. Same behavior as documented here (same error message).
