Our organization requires smart card authentication or certificates for logging into any systems within our environment. Since smart cards are required, users have no password that they can use for logon to the Remote Desktop website. The smart card required option is critical to our security model and cannot be changed. When users travel they take a standalone laptop that is not part of our domain. We need users to VPN in and access the website to get a pool machine assignment. All of this works fine until users get to the RDWEB site. They get prompted for a user name and password even though they don't have have a password. We need them to authenticate with their smart card. What can we do to make this work?
Passwords seem like a huge vulnerability to be required for a component that might be placed in a DMZ. If a smart card cannot be used, can we put a certificate on the box instead for authentication? A user typed password will not work for us.
We do not want the laptop users take with them to require the domain for authentication. We are not looking for single sign on. The laptop is not being granted any access through the VPN to any system other than the Remote access Gateway and Web site.
Server is Windows Server 2012 running Remote Desktop Services. Pool is using Windows 7 systems. Clients are Windows 7 as well.