XenApp and XenDesktop

Smart cards

Smart cards and equivalent technologies are supported within the guidelines described in this article. To use smart cards with XenApp or XenDesktop:

  • Understand your organization’s security policy concerning the use of smart cards. These policies might, for example, state how smart cards are issued and how users should safeguard them. Some aspects of these policies might need to be reassessed in a XenApp or XenDesktop environment.
  • Determine which user device types, operating systems, and published applications are to be used with smart cards.
  • Familiarize yourself with smart card technology and your selected smart card vendor hardware and software.
  • Know how to deploy digital certificates in a distributed environment.

Types of smart cards

Enterprise and consumer smart cards have the same dimensions and electrical connectors, and fit the same smart card readers.

Smart cards for enterprise use contain digital certificates. These smart cards support Windows logon, and can also be used with applications for digital signing and encryption of documents and e-mail. XenApp and XenDesktop support these uses.

Smart cards for consumer use do not contain digital certificates; they contain a shared secret. These smart cards can support payments (such as a chip-and-signature or chip-and-PIN credit card). They do not support Windows logon or typical Windows applications. Specialized Windows applications and a suitable software infrastructure (including, for example, a connection to a payment card network) are needed for use with these smart cards. Contact your Citrix representative for information on supporting these specialized applications on XenApp or XenDesktop.

For enterprise smart cards, there are compatible equivalents that can be used in a similar way.

  • A smart card-equivalent USB token connects directly to a USB port. These USB tokens are usually the size of a USB flash drive, but can be as small as a SIM card used in a mobile phone. They appear as the combination of a smart card plus a USB smart card reader.
  • A virtual smart card using a Windows Trusted Platform Module (TPM) appears as a smart card. These virtual smart cards are supported for Windows 8 and Windows 10, using Citrix Receiver 4.3 or later.
    • Versions of XenApp and XenDesktop earlier than 7.6 FP3 do not support virtual smart cards.
    • For more information on virtual smart cards, see Virtual Smart Card Overview.

Note: The term “virtual smart card” is also used to describe a digital certificate simply stored on the user computer. These digital certificates are not strictly equivalent to smart cards.

XenApp and XenDesktop smart card support is based on the Microsoft Personal Computer/Smart Card (PC/SC) standard specifications. A minimum requirement is that smart cards and smart card devices must be supported by the underlying Windows operating system and must be approved by the Microsoft Windows Hardware Quality Labs (WHQL) to be used on computers running qualifying Windows operating systems. See the Microsoft documentation for additional information about hardware PC/SC compliance. Other types of user devices may comply with the PC/SC standard. For more information, refer to the Citrix Ready program at https://www.citrix.com/ready/.

Usually, a separate device driver is needed for each vendor’s smart card or equivalent. However, if smart cards conform to a standard such as the NIST Personal Identity Verification (PIV) standard, it may be possible to use a single device driver for a range of smart cards. The device driver must be installed on both the user device and the Virtual Delivery Agent (VDA). The device driver is often supplied as part of a smart card middleware package available from a Citrix partner; the smart card middleware package will offer advanced features. The device driver may also be described as a Cryptographic Service Provider (CSP), Key Storage Provider (KSP), or minidriver.

The following smart card and middleware combinations for Windows systems have been tested by Citrix as representative examples of their type. However, other smart cards and middleware can also be used. For more information about Citrix-compatible smart cards and middleware, see https://www.citrix.com/ready.

| Middleware                          | Matching cards             |
|-------------------------------------|----------------------------|
| ActivClient 7.0 (DoD mode enabled)  | DoD CAC card               |
| ActivClient 7.0 in PIV mode         | NIST PIV card              |
| Microsoft mini driver               | NIST PIV card              |
| Gemalto Mini Driver for .NET card   | Gemalto .NET v2+           |
| Microsoft native driver             | Virtual Smart Cards (TPM)  |

For information about smart card usage with other types of devices, see the Citrix Receiver documentation for that device.

Remote PC Access

Smart cards are supported only for remote access to physical office PCs running Windows 10, Windows 8 or Windows 7; smart cards are not supported for office PCs running Windows XP.

The following smart cards were tested with Remote PC Access:

| Middleware                      | Matching cards       |
|---------------------------------|----------------------|
| Gemalto .NET minidriver         | Gemalto .NET v2+     |
| ActivIdentity ActivClient 6.2   | NIST PIV             |
| ActivIdentity ActivClient 6.2   | CAC                  |
| Microsoft minidriver            | NIST PIV             |
| Microsoft native driver         | Virtual smart cards  |

Types of smart card readers

A smart card reader may be built in to the user device, or be separately attached to the user device (usually via USB or Bluetooth). Contact card readers that comply with the USB Chip/Smart Card Interface Devices (CCID) specification are supported. They contain a slot or swipe into which the user inserts the smart card. The Deutsche Kreditwirtschaft (DK) standard defines four classes of contact card readers.

  • Class 1 smart card readers are the most common, and usually just contain a slot. Class 1 smart card readers are supported, usually with a standard CCID device driver supplied with the operating system.
  • Class 2 smart card readers also contain a secure keypad that cannot be accessed by the user device. Class 2 smart card readers may be built into a keyboard with an integrated secure keypad. For class 2 smart card readers, contact your Citrix representative; a reader-specific device driver may be required to enable the secure keypad capability.
  • Class 3 smart card readers also contain a secure display. Class 3 smart card readers are not supported.
  • Class 4 smart card readers also contain a secure transaction module. Class 4 smart card readers are not supported.

Note: The smart card reader class is unrelated to the USB device class.

Smart card readers must be installed with a corresponding device driver on the user device.

For information about supported smart card readers, see the documentation for the Citrix Receiver you are using. In the Citrix Receiver documentation, supported versions are usually listed in a smart card article or in the system requirements article.

User experience

Smart card support is integrated into XenApp and XenDesktop, using a specific ICA/HDX smart card virtual channel that is enabled by default.

Important: Do not use generic USB redirection for smart card readers. This is disabled by default for smart card readers, and is not supported if enabled.

Multiple smart cards and multiple readers can be used on the same user device, but if pass-through authentication is in use, only one smart card must be inserted when the user starts a virtual desktop or application. When a smart card is used within an application (for example, for digital signing or encryption functions), there might be additional prompts to insert a smart card or enter a PIN. This can occur if more than one smart card has been inserted at the same time.

  • If users are prompted to insert a smart card when the smart card is already in the reader, they should select Cancel.
  • If users are prompted for the PIN, they should enter the PIN again.

If you are using hosted applications running on Windows Server 2008 or 2008 R2 and with smart cards requiring the Microsoft Base Smart Card Cryptographic Service Provider, you might find that if a user runs a smart card transaction, all other users who use a smart card in the logon process are blocked. For further details and a hotfix for this issue, see https://support.microsoft.com/kb/949538.

You can reset PINs using a card management system or vendor utility.

Important

Within a XenApp or XenDesktop session, using a smart card with the Microsoft Remote Desktop Connection application is not supported. This is sometimes described as a “double hop” use.

Before deploying smart cards

  • Obtain a device driver for the smart card reader and install it on the user device. Many smart card readers can use the CCID device driver supplied by Microsoft.
  • Obtain a device driver and cryptographic service provider (CSP) software from your smart card vendor, and install them on both user devices and virtual desktops. The driver and CSP software must be compatible with XenApp and XenDesktop; check the vendor documentation for compatibility. For virtual desktops using smart cards that support and use the minidriver model, smart card minidrivers should download automatically, but you can obtain them from https://catalog.update.microsoft.com or from your vendor. Additionally, if PKCS#11 middleware is required, obtain it from the card vendor.
  • Important: Citrix recommends that you install and test the drivers and CSP software on a physical computer before installing Citrix software.
  • Add the Citrix Receiver for Web URL to the Trusted Sites list for users who work with smart cards in Internet Explorer with Windows 10. In Windows 10, Internet Explorer does not run in protected mode by default for trusted sites.
  • Ensure that your public key infrastructure (PKI) is configured appropriately. This includes ensuring that certificate-to-account mapping is correctly configured for the Active Directory environment and that user certificate validation can be performed successfully.
  • Ensure your deployment meets the system requirements of the other Citrix components used with smart cards, including Citrix Receiver and StoreFront.
  • Ensure access to the following servers in your Site:
    • The Active Directory domain controller for the user account that is associated with a logon certificate on the smart card
    • Delivery Controller
    • Citrix StoreFront
    • Citrix NetScaler Gateway/Citrix Access Gateway 10.x
    • VDA
    • (Optional for Remote PC Access): Microsoft Exchange Server

Enable smart card use

Step 1. Issue smart cards to users according to your card issuance policy.

Step 2. (Optional) Set up the smart cards to enable users for Remote PC Access.

Step 3. Install and configure the Delivery Controller and StoreFront (if not already installed) for smart card remoting.

Step 4. Enable StoreFront for smart card use. For details, see Configure smart card authentication in the StoreFront documentation.

Step 5. Enable NetScaler Gateway/Access Gateway for smart card use. For details, see Configuring Authentication and Authorization and Configuring Smart Card Access with the Web Interface in the NetScaler documentation.

Step 6. Enable VDAs for smart card use.

  • Ensure the VDA has the required applications and updates.
  • Install the middleware.
  • Set up smart card remoting, enabling the communication of smart card data between Citrix Receiver on a user device and a virtual desktop session.

Step 7. Enable user devices (including domain-joined or non-domain-joined machines) for smart card use. See Configure smart card authentication in the StoreFront documentation for details.

  • Import the certificate authority root certificate and the issuing certificate authority certificate into the device’s keystore.
  • Install your vendor’s smart card middleware.
  • Install and configure Citrix Receiver for Windows, being sure to import icaclient.adm using the Group Policy Management Console and enable smart card authentication.

Step 8. Test the deployment. Ensure that the deployment is configured correctly by launching a virtual desktop with a test user’s smart card. Test all possible access mechanisms (for example, accessing the desktop through Internet Explorer and Citrix Receiver).
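The pre-deployment checklist above and Steps 7 and 8 ask you to verify the reader driver, the imported CA certificates, and a test user's logon certificate on the user device before installing Citrix software. The following PowerShell script is an added example (not Citrix documentation code) of such a pre-flight check on a Windows user device: it assumes the Windows Smart Card service name SCardSvr, the PnP device class SmartCardReader, and the well-known Smart Card Logon EKU OID 1.3.6.1.4.1.311.20.2.2; the string match on "Principal Name=" assumes an English-locale certificate formatter.

```powershell
# Added example, not Citrix code: pre-flight checks on a Windows user device
# before installing Citrix Receiver. Run in PowerShell with the test user's
# smart card inserted. Checks the reader driver, the Smart Card service, the
# logon certificate on the card, and the CA chain imported into the keystore.
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # well-known Smart Card Logon EKU OID
$results = @()

# A reader with a loaded driver (CCID readers usually use the Microsoft driver).
$readers = Get-PnpDevice -Class SmartCardReader -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Check = 'Smart card reader present with working driver'
    Pass = [bool]($readers | Where-Object Status -eq 'OK') }

# The Windows Smart Card service (SCardSvr) must be running for PC/SC access.
$svc = Get-Service -Name SCardSvr -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Check = 'Smart Card service (SCardSvr) running'
    Pass = ($svc -and $svc.Status -eq 'Running') }

# Windows propagates the card's certificates into the user's personal store;
# look for one carrying the Smart Card Logon EKU.
$logonCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku } |
    Select-Object -First 1
$results += [pscustomobject]@{ Check = 'Smart Card Logon certificate present'
    Pass = [bool]$logonCert }

if ($logonCert) {
    # Certificate-to-account mapping in AD normally relies on the UPN in the
    # Subject Alternative Name (OID 2.5.29.17); assumes English-locale formatting.
    $san = $logonCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $hasUpn = $san -and ($san.Format($false) -match 'Principal Name=')
    $results += [pscustomobject]@{ Check = 'UPN present in SAN for AD account mapping'
        Pass = [bool]$hasUpn }

    # The chain must build to a trusted root using the root and issuing CA
    # certificates imported into the device keystore (Step 7).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $built = $chain.Build($logonCert)
    $results += [pscustomobject]@{ Check = 'Certificate chain builds to trusted root'
        Pass = $built }
    if (-not $built) {
        $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    }
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }   # non-zero exit if any check failed
```

A failed chain check prints the Windows chain status (for example an untrusted root or an unreachable revocation server), which points to the CA import or PKI step that still needs attention before the Citrix components are installed.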
