StoreFront

Smart card authentication

Users authenticate using smart cards and PINs when they access their stores. When you install StoreFront, smart card authentication is disabled by default. Smart card authentication can be enabled for users connecting to stores through Citrix Workspace app, web browsers, and XenApp Services URLs.

Use smart card authentication to streamline the logon process for your users while also enhancing the security of user access to your infrastructure. Access to the internal corporate network is protected by certificate-based two-factor authentication using the public key infrastructure. Private keys are protected by hardware controls and never leave the smart card. Your users get the convenience of accessing their desktops and applications from a range of corporate devices using their smart cards and PINs.

You can use smart cards for user authentication through StoreFront to desktops and applications provided by Citrix Virtual Apps and Desktops. Smart card users logging on to StoreFront can also access applications provided by the Endpoint Management. However, users must authenticate again to access Endpoint Management web applications that use client certificate authentication.

To enable smart card authentication, users’ accounts must be configured either within the Microsoft Active Directory domain containing the StoreFront servers or within a domain that has a direct two-way trust relationship with the StoreFront server domain. Multi-forest deployments involving two-way trusts are supported.

The configuration of smart card authentication with StoreFront depends on the user devices, the clients installed, and whether the devices are domain-joined. In this context, domain-joined means devices that are joined to a domain within the Active Directory forest containing the StoreFront servers.

The document Smart card configuration for Citrix environments describes how to configure a Citrix deployment for smart cards uses a specific smart card type. Similar steps apply to smart cards from other vendors.

Prerequisites

  • Ensure that accounts for all users are configured either within the Microsoft Active Directory domain in which you plan to deploy your StoreFront servers or within a domain that has a direct two-way trust relationship with the StoreFront server domain.
  • If you plan to enable pass-through with smart card authentication, ensure that your smart card reader types, middleware type and configuration, and middleware PIN caching policy permit this.
  • Install your vendor’s smart card middleware on the virtual or physical machines running the Virtual Delivery Agent that provide users’ desktops and applications. For more information about using smart cards with Citrix Virtual Desktops, see Smart cards.
  • Ensure that your public-key infrastructure is configured appropriately. Check that certificate to account mapping is configured correctly for your Active Directory environment and that user certificate validation can be performed successfully.

Configure StoreFront

  • You must use HTTPS for communications between StoreFront and users’ devices to enable smart card authentication. See Secure StoreFront using HTTPS.

  • To enable smart card authentication when connecting to a store through Citrix Workspace Apps, in the Authentication Methods tick or untick Smart card.

  • Enabling smart card authentication for a store by default also enables it for all websites for that store. You can independently enable or disable smart card authentication for a specific website on the Manage Receiver for Web Sites Authentication methods tab.

  • If you configure both smart card and username and password authentication, users are initially prompted to log on using their smart cards and PINs but have the option to select explicit authentication if they experience any issues with their smart cards.

Configure Delivery Controller to trust StoreFront

When using smart card authentication, StoreFront does not have access to the user’s credentials so is unable to authenticate to Citrix Virtual Apps and Desktops. You must therefore configure the Delivery Controller to trust requests from StoreFront, see Citrix Virtual Apps and Desktops Security considerations and best practices.

Remote access via Citrix Gateway

For remote access, you can enable smart card on the Citrix Gateway and then enable pass-through authentication to StoreFront with Delegated authentication. For more details see Gateway pass-through.

To ensure that users do not receive an additional prompt for their credentials at the virtual server when connections to their resources are established, create a second gateway and disable client authentication in the Secure Sockets Layer (SSL) parameters. For more information, see Configuring smart card authentication. When accessing StoreFront via a gateway with Smartcard authentication. Configure optimal Citrix Gateway routing through this virtual server for connections to the deployments providing the desktops and applications for the store. For more information, see Configure optimal HDX routing for a store.

Single sign-on to VDAs

You can enable single sign-on to the VDAs by passing-through users’ smart card credentials. The store can be accessed through a web browser or Citrix Workspace app for Windows but the resource must be opened in Citrix Workspace app for Windows. On other operating systems or when accessing the resources through a browser, users must re-enter their credentials when connecting to a VDA.

  1. Include the Single Sign on component when installing Citrix Workspace for Windows and configure it for Single sign on. See Configure domain pass-through authentication.

  2. Use a text editor to open the default.ica file for the store. See Default ica.

  3. To enable pass-through of smart card credentials for users who access stores without Citrix Gateway, add the following setting in the [Application] section.

    DisableCtrlAltDel=Off

    This setting applies to all users of the store. To enable both domain pass-through and pass-through with smart card authentication to desktops and applications, you must create separate stores for each authentication method. Then, direct your users to the appropriate store for their method of authentication.

  4. To enable pass-through of smart card credentials for users accessing stores through Citrix Gateway, add the following setting in the [Application] section.

    UseLocalUserAndPassword=On

    This setting applies to all users of the store. To enable pass-through authentication for some users and require others to log on to access their desktops and applications, you must create separate stores for each group of users. Then, direct your users to the appropriate store for their method of authentication.

Single sign-on to VDAs using FAS

Alternatively you can configure Federated Authentication Service to single sign-on to VDAs when using locally installed Citrix Workspace app but not Citrix Workspace app for HTML5.

Important considerations

Use of smart cards for user authentication with StoreFront is subject to the following requirements and restrictions.

  • To use virtual private network (VPN) tunnels with smart card authentication, users must install the Citrix Gateway plug-in and log on through a webpage, using their smart cards and PINs to authenticate at each step. Pass-through authentication to StoreFront with the Citrix Gateway plug-in isn’t available for smart card users.

  • Multiple smart cards and multiple readers can be used on the same user device, but if you enable pass-through with smart card authentication, users must ensure that only one smart card is inserted when accessing a desktop or application.

  • When a smart card is used within an application, such as for digital signing or encryption, users might see extra prompts to insert a smart card or enter a PIN. This can occur if more than one smart card has been inserted at the same time. It can also occur due to configuration settings - such as middleware settings like PIN caching that are typically configured using group policy. Users who are prompted to insert a smart card when the smart card is already in the reader must click Cancel. If users are prompted for a PIN, they must enter their PINs again.

  • If you enable pass-through with smart card authentication to Citrix Virtual Apps and Desktops for Citrix Workspace app for Windows users with domain-joined devices who do not access stores through Citrix Gateway, this setting applies to all users of the store. To enable both domain pass-through and pass-through with smart card authentication to desktops and applications, you must create separate stores for each authentication method. Your users must then connect to the appropriate store for their method of authentication.

  • If you enable pass-through with smart card authentication to Citrix Virtual Apps and Desktops for Citrix Workspace app for Windows users with domain-joined devices accessing stores through Citrix Gateway, this setting applies to all users of the store. To enable pass-through authentication for some users and require others to log on to their desktops and applications, you must create separate stores for each group of users. Then, direct your users to the appropriate store for their method of authentication.

  • Only one authentication method can be configured for each XenApp Services URL and only one URL is available per store. If you need to enable other types of authentication in addition to smart card authentication, you must create separate stores, each with a XenApp Services URL, for each authentication method. Then, direct your users to the appropriate store for their method of authentication.

  • When StoreFront is installed, the default configuration in Microsoft Internet Information Services (IIS) only requires that client certificates are presented for HTTPS connections to the certificate authentication URL of the StoreFront authentication service. IIS does not request client certificates for any other StoreFront URLs. This configuration enables you to provide smart card users with the option to fall back to explicit authentication if they experience any issues with their smart cards. Subject to the appropriate Windows policy settings, users can also remove their smart cards without needing to reauthenticate.

    If you decide to configure IIS to require client certificates for HTTPS connections to all StoreFront URLs, the authentication service and stores must be colocated on the same server. You must use a client certificate that is valid for all the stores. With this IIS site configuration, smart card users can’t connect through Citrix Gateway and can’t fall back to explicit authentication. Users must log on again if they remove their smart cards from their devices.

Smart card authentication