Hi. In my work environment, where I use Dopus, we've recently been required to authenticate all domain admin credentials over our smart cards. Previously, we got away with AD username and passwords but now, I'm unable to browse remote computer file systems.
I was wondering if there is a way to make Dopus ask for smart card credentials when looking to browse UNC paths. If I try now, instead of a UAC prompt, it simply says smart card login is required.
Thanks.
Not something I have any experience of so I'm not sure off the top of my head.
What does Explorer do with the same UNC path?
I'm surprised the normal credentials prompt doesn't work with smart cards automatically if they are in use on the system.
Regular explorer doesn't work either - UNC paths seem to require AD credentials so we've been directed to Explorer++. It seems to be the only program that you can launch as admin, enter smart card admin credentials, and then freely browse UNC paths (It appears to pass through the credentials and authentication method to everything you do).
What's Explorer++ (a free, and otherwise crappy program) doing that nobody else can do?
Of course, I've tried the "admin" button in Dopus and simply launching Dopus as admin with smart card admin creds, but it doesn't treat the authentication the same way as Explorer++ apparently as it will still error out with "smart card login credentials are required but were not used".
I’m confused why you need to launch it as admin. It sounds like Explorer++ isn’t doing anything at all, just that you’re running it elevated (using your smart card to get through the UAC prompt), and then once it’s running elevated you’re able to access your UNC paths. Is that correct?
This is correct but launching Dopus as admin the same way does not permit UNC paths. I don't get a UAC prompt after entering UNC paths now (explorer and 3rd party) but only Explorer++ allows me to browse to UNC after launching as admin (with PIV).
The proper way to do that would be to map a network drive using the admin credentials.
Running the shell or a file manager like Opus as admin is not a good idea as it means:
-
Everything you launch from the file manager is also launched as admin.
-
Nothing else running on the same desktop (unless it is also running as admin) can communicate with the file manager. This breaks all sorts of things.
-
Other things are lost between the 'user' desktop and the 'admin' context; for example, drive letters may be inconsistent between the two. You're running the whole program as another user, so it is potentially not showing your user files. This also includes folders like My Documents, settings used by various shell extensions, and so on.
If you map a drive using the admin credentials then just that drive mapping is using the admin credentials and the programs that access the drive can still run in the normal user context.
You can also use a command like net use \\server\ipc$ to authenticate with a server using specific credentials and then access UNC paths on that server using them from that point on, without having to map a drive letter.
The launch as admin bit was merely an attempt to emulate what Explorer++ was doing.
My usual instance runs as my own user account for the reasons you listed.
Mapping isn't practical for me though as I never know what computer I have to browse to between hundreds of computers, I usually just key it in and authenticate.
Sadly, the only issue with net use \\location\c$ /smartcard is that while it prompts for my PIN.. (as far as I know) it has no way of interacting with the "Password Hint" field. Things get weird here.. we have a GPO that forces a Password Hint under our PIN for all our UAC prompts, based on what we enter as a "hint" determines whether we're accessing our regular account or admin account. Non-admin accounts are usually blank hints, so while that could work with net use, they don't have the required access.
I tried net use without the /smartcard argument, but while cmd says it's successful, I cannot browse to my path in explorer or dopus. That could be another "security feature" our lovely domain admins have in place.
I'll just have to use Explorer++ I think from now on for UNC paths. Unless Dopus can find out how to pass those credentials through the way Explorer++ does.
Thank you.
Explorer++ isn't passing through the credentials. You're running the whole process as another user. It doesn't know anything about what's happening really.
There should be a way to do what you want, but it's more a question about Windows and the way the SmartCard works than about Opus or any particular program. Unfortunately, it's not something I've used before so my knowledge is limited, if the net-use command doesn't work. Asking on SuperUser or a similar forum might be worth a try, to find an expert on the matter.
The net use command probably needs the /u:domain\username argument so it knows who to map as, as well as the arg saying you want to use a smartcard.