Symptoms
After clicking OK, the credentials are filled with the NLA service account you created per the RAS SAML prerequisites.
On the RDSH you tried to connect to, scardhooker.log is either missing or contains the following error:
tsagent.log may contain the following string:
Cause
The SCardHooker64.exe process is not running.
Antivirus software with HIPS (Host-based Intrusion Prevention System) protection is enabled and is blocking the RAS components SCardHooker64.exe and SCardCertLogonHooker.dll. SCardCertLogonHooker.dll is injected into the system's lsass.exe to log users in; this cannot happen when these files are prohibited from execution.
Antivirus software may consider this behavior malicious activity. The same effect is possible when LSA protection is enabled via GPO.
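To tell which of the causes above applies on a given RDSH, the following check is an added example, not part of the original article or of Parallels tooling. The process and DLL names come from this page; the RunAsPPL registry value and the Wininit and Code Integrity event IDs are standard Windows ones and are assumed to be available on the host.

```powershell
# Added diagnostic example (not Parallels code). Run elevated on the affected RDSH.
$hookerName = 'SCardHooker64'             # process name from the Cause section, without .exe
$dllName    = 'SCardCertLogonHooker.dll'  # DLL named in the Cause section

# Cause 1: is the hooker process running at all?
$hookerRunning = [bool](Get-Process -Name $hookerName -ErrorAction SilentlyContinue)

# Cause 3: is LSA protection configured? RunAsPPL = 1 or 2 means enabled.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$runAsPpl = $lsa.RunAsPPL   # $null when the value is not set

# Wininit logs event 12 when lsass.exe has actually started as a protected process.
$pplStart = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12
} -MaxEvents 1 -ErrorAction SilentlyContinue

# Code Integrity logs 3033/3063 when a protected lsass.exe refuses to load a module.
$blocked = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3033, 3063
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$dllName*" } |
    Select-Object -First 5

[pscustomobject]@{
    HookerProcessRunning  = $hookerRunning
    RunAsPPL              = $runAsPpl
    LsassStartedProtected = [bool]$pplStart
    BlockedLoadEvents     = @($blocked).Count
}

if ($runAsPpl -in 1, 2 -or $pplStart) {
    'LSA protection is active: lsass.exe will refuse modules that do not meet its signing requirements.'
} elseif (-not $hookerRunning) {
    "$hookerName is not running and LSA protection is off: check the AV/HIPS logs for blocked RAS components."
} else {
    "$hookerName is running and LSA protection is off: review scardhooker.log and tsagent.log."
}
```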
Resolution
Exclude RAS components from AV monitoring.
Note that HIPS protection exclusion may require additional effort. Please contact the AV vendor for further assistance. In the example below, we will show how to configure it in ESET.
- Open ESET > Setup > Computer
- Click the cogwheel icon next to Host Intrusion Prevention System.
- In the Rules section, click Edit:
- Click Add on the HIPS rules page:
- Configure the rule as follows:
- Specify SCardHooker.exe as the source application:
- Check "Modify state of another application" and "Terminate/suspend another application" options:
- In the opened window specify C:\Windows\System32\Lsass.exe
- Restart the server to apply the changes.