Poor Man's Windows Lock Screen on Sun Ray

Before we jump into yet another Windows on Sun Ray subject, a little background information is in order.   If you don't care about the why, go a head and jump directly to the how.

The proper method for locking your Windows session upon smart card removal is to create a group policy in Active Directory for Smart Card Removal Behavior and set it to Lock Screen.   Simple enough.  What's not so simple is all the other work that must be done to your Windows environment just to have that policy take effect.  From CA servers, enrollment stations, and possible 3rd party card management systems it's a lot more than most people care to do if you don't care about PIN based logins, digitally signing email, etc.  Especially if all you want to do is lock the windows screen based on removing your smart card from a Sun Ray running in CAM mode. 

The default functionality of Smart Cards differs greatly between Sun Ray Server and Windows.  Sun Ray focuses on mobility supporting over 180 different types of smart cards with zero setup required out of the box, while Windows focuses on security with quite a bit of work and a very specific set of smart cards to get it working.

Sun Ray introduced a new paradigm for mobile computing with hot desking.  Insert smart card, session appears.  Remove smart cards, session disappears.  Walk to another Sun Ray, insert smart card and session appears on that unit.  Note that hot desking doesn't require smart cards, it just makes it sexier.  Hot desking just requires that some form of "address" (we call it a token) be set so the Sun Ray Server knows where to send the display to and in the case of smart cards we set the session token based off of unique information to the users smart card.

Out of the box, all the smart card is used for in a Sun Ray environment is for hot desking.  No PIN based logins, no two factor authentication, just hot desking.  Not to say that's not possible via 3rd party software such as ActivIdentity or FOSS projects like MUSCLE, it's just not something provided by Sun Ray Server or the operating systems it's deployed on [1].  

One of the really cool features of Sun Ray Server is the utility called utaction.  The utaction program provides a way to execute commands when a Sun Ray DTU session is connected or disconnected.  A smart card being inserted initiates a session connect, and a disconnect is initiated by a smart card removal.  Think of all the fun things you can do based on session connects and disconnects.

Sun Ray Server sets a default utaction to lock your Solaris or Linux session on a session disconnect.  We made this behaviour default in Sun Ray Server 2.0 since people worried about someone losing their smart card and another evil user finding it.  But what about CAM?  CAM users do not have a password and are actually in a locked out status in /etc/passwd.  We don't lock the CAM session since only root would be able to unlock the session.  Since many customers like to use their Sun Rays as Windows based terminals, many folks ask how to lock the windows screen when they remove their smart card. 

The problem with that request is that there is no way to programatically send an event to Windows to tell it to lock the screen, but we can use utaction to send the lock screen keystroke (Windows/Meta Key + L on Windows 2003 or other strokes noted below) to the running Windows desktop session.  There is only one remaining problem, unlike Windows [2] Unix and Linux do not provide a mechanism for sending keystrokes to a waiting application.   But that's nothing a little free software can't fix.

xvkdb is a virtual keyboard from Tom Sato.  You can either use it as on screen keyboard, or you can use it with the -text option to send keystrokes including function keys.  Combine that with utaction, and you have exactly what we need to have a windows session lock screen upon smart card removal from a Sun Ray.

So how can we make a smart card removal lock screen a windows session running on a Sun Ray without fully deploying a Microsoft Smart Card infrastructure? Follow these simple directions:

A setup caveat: 

  • xvkbd requires a window manager, so leave dtsession as an application to launch in CAM.

First you'll need to grab xvkdb.  I found xvkdb a bit hard to compile compared what I'm used to (needed xmkmf and imake...OpenWindows stuff?)  so for the non-geeks out there I've included some compiled binaries for you. 

Note use these at your own risk

xvkbd for Solaris x86
xvkbd for Solaris SPARC

Note that you can always get the lastest source and compile it yourself.

Next we will reate a script called winlock.  What keys you send depend on your version of Windows and the program used to connect to windows.  Windows 2000 doesn't support the Meta +L combination and if you were to use SGD with the native client, it doesn't support the Meta key (regardless of windows version), nor does it honor Ctrl+ALT+DEL.

Depending on how and what version of Windows you are connecting to your script should look like this:

RDesktop or Citrix Connecting to Windows 2003 (or XP)

set -x
# Script to send Windows Lock Screen Sequence (Meta+L) using xvkbd
$XVKBD -text '\\Ml'

RDesktop or Citrix Connecting to Windows 2000

set -x
# Script to send Windows Lock Screen Sequence (Ctrl+Alt+DEL) using xvkbd
$XVKBD -text '\\C\\A\\d'; sleep 1; $XVKBD -text '\\Ak'

SGD Native Client Connecting to Windows 2000/XP/ 2003

set -x
# Script to send Windows Lock Screen Sequence (Ctrl+Alt+End) using xvkbd
$XVKBD -text '\\C\\A\\[End]'; sleep 1; $XVKBD -text '\\Ak'

Finally we will call that script via utaction from your CAM Windows Startup script.  In this example we'll use rdesktop, but this works just as well using Citrix.

# Setup utaction for sending Meta + L (i.e. Windows Screen Lock) Session disconnect
# (i.e Card Removal)
set -x
# This is done using xvkbd from Tom Sato
/opt/SUNWut/lib/utaction -i -d "/opt/SUNWutWBT/bin/winlock" &
# Call RDesktop in Full Screen
/opt/SUNWrdp/bin/rdesktop -a 24 -f -r sound -u ""

[1] Note that the Solaris Smart Card functionality has nothing to do with and is incompatible with Sun Ray.  It used propriety methods for smart card access instead of PC/SC.  Don't try to use this with a Sun Ray.
[2] Those familiar with Windows/DOS world know that it fairly easy to send keystrokes to a waiting application (i.e. the Sendkeys function in vbscript)

Very interesting... (thanks for the info!)

Can you expand this thinking some with respect to SGD?

In other words, can we use utaction to send a "suspend-all+lock" to an SGD-client that we may have users access from a CAM session?

(hmm... that may not work......) This is a case where you really want some sort of screen-saver (tied to your SmartCard or better-yet the running/authenticated-SGD id)

The idea is that someone may have all kinds of sessions/connectsion open from inside the SGD client (that is launched from a CAM session).

When a person pulls their card, we don't want a no-password-required situation happening if that card is inserted elsewhere. I guess one answer could be to "kill the SGD client" when the card is pulled/CAM session is ended, but keeping the SGD session running somehow to facilitate(allow) hot-desking might be a nice way go.

Kindly share your thoughts on such a setup (CAM + HotDeskting + SGD), thanks.

Posted by guest on February 20, 2006 at 01:23 PM PST #

We have used the "tar" to extract the files to the relevant locations, howerver do we need to create a script or have you included one in the compiled version above?

steps we taken

1. copy xvkbd-solaris-x86-compiled.tar.tar to tmp folder

2. mv filename.tar.tar filename.tar.gz

3. tar xvf filename.tar

at this point all files are extracted to ./usr path.

What do we need to configure to make the lock screen function to work when we remove the smartcard?


Posted by nuno on December 02, 2009 at 12:05 PM PST #

Hi Nuno,
You read the whole blog, right? Example scripts on how to call via utaction are at the bottom. You could also try this pre-made add-on:


Posted by Craig Bender on December 03, 2009 at 10:43 AM PST #

Post a Comment:
Comments are closed for this entry.

Think Thin is a collection of bloggers that work with Oracle's Virtual Desktop portfolio of products.


« July 2016