Upon launching a published resource using SAML, sign-in to an RDSH fails with the error below:
After clicking OK, the credential prompt is pre-filled with the NLA service account you created per the RAS SAML prerequisites.
On the RDSH you tried to connect to, scardhooker.log is either missing or contains the following error:
tsagent.log may contain the following string:
SCardHooker64.exe process is not running.
Antivirus software with HIPS (Host-based Intrusion Prevention System) protection enabled is blocking the RAS components SCardHooker64.exe and SCardCertLogonHooker.dll. SCardCertLogonHooker.dll injects into the system's lsass.exe in order to log users on, and antivirus software may treat this injection as malicious activity and prohibit these files from executing.
The same effect occurs when LSA protection (RunAsPPL) is enabled via GPO: a protected lsass.exe rejects injection from non-protected processes, so the logon hook cannot load at all.
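The following PowerShell script is an added diagnostic that is not part of the original article or of Parallels RAS; run it as an administrator on the affected RDSH. It checks the symptoms and causes listed above in one pass: whether SCardHooker64.exe is running, whether the two RAS components exist on disk, whether scardhooker.log is missing, whether tsagent.log carries the "process is not running" string, and whether LSA protection (the RunAsPPL value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) is enabled. The install folder is taken from the default path given later in this article; the log folder C:\ProgramData\Parallels\RASLogs is an assumption and should be adjusted if your RAS logs live elsewhere. Re-running it after the resolution below and a restart confirms the fix.

```powershell
# Added diagnostic (not from the original article). Run in an elevated PowerShell on the RDSH.
# Assumptions: default RAS install path (from this article) and the RASLogs folder location
# (assumed; change $LogDir if your host keeps tsagent.log / scardhooker.log elsewhere).
$RasBin = 'C:\Program Files (x86)\Parallels\ApplicationServer\x64'
$LogDir = 'C:\ProgramData\Parallels\RASLogs'

$result = [ordered]@{}

# 1. Is the SCardHooker64.exe process running? (tsagent.log complains when it is not)
$result['SCardHooker64.exe running'] =
    [bool](Get-Process -Name 'SCardHooker64' -ErrorAction SilentlyContinue)

# 2. Are the RAS components that HIPS tends to block present on disk?
foreach ($f in 'SCardHooker64.exe', 'SCardCertLogonHooker.dll') {
    $result["$f present"] = Test-Path (Join-Path $RasBin $f)
}

# 3. scardhooker.log missing is one of the symptoms described above.
$result['scardhooker.log present'] = Test-Path (Join-Path $LogDir 'scardhooker.log')

# 4. Look for the tsagent.log string quoted in the article (literal match, last hit only).
$tsLog = Join-Path $LogDir 'tsagent.log'
if (Test-Path $tsLog) {
    $hit = Select-String -Path $tsLog -SimpleMatch `
        -Pattern 'SCardHooker64.exe process is not running' | Select-Object -Last 1
    $result['tsagent.log reports hooker not running'] = [bool]$hit
    if ($hit) { $result['last tsagent.log hit'] = $hit.Line }
} else {
    $result['tsagent.log present'] = $false
}

# 5. LSA protection: any non-zero RunAsPPL means lsass.exe runs as a protected process,
#    so SCardCertLogonHooker.dll cannot inject and an AV exclusion alone will not help.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'RunAsPPL' -ErrorAction SilentlyContinue
$result['LSA protection (RunAsPPL)'] =
    if ($lsa -and $lsa.RunAsPPL -ne 0) { "enabled (value $($lsa.RunAsPPL))" } else { 'not set' }

[pscustomobject]$result | Format-List
```

If the script shows the binaries present but the process not running and LSA protection not set, the AV/HIPS block described above is the likely cause and the exclusion steps below apply; if RunAsPPL is enabled, the setting comes from GPO or the registry and must be addressed separately, since no AV exclusion changes lsass.exe's protection level.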
Exclude RAS components from AV monitoring.
Note that a HIPS protection exclusion may require additional effort. Please contact the AV vendor for further assistance. In the example below, we show how to configure it in ESET.
- Open ESET > Setup > Computer
- Click on the cogwheel sign next to Host Intrusion Prevention System.
- In the Rules section, click Edit:
- Add ParallelsScardHooker.dll (default path is "C:\Program Files (x86)\Parallels\ApplicationServer\x64\SCardHooker64.dll"):
- Configure the rule as follows:
- Specify SCardHooker64.exe as the source application:
- Check "Modify state of another application"
- In the window that opens, specify C:\Windows\System32\lsass.exe as the target application
- Restart the server to apply the changes.