- About Citrix Receiver for Mac 12.4
- System requirements
- Requirements for Smart card authentication
- Installing, setting up, upgrading, deploying, or uninstalling Citrix Receiver for Mac
- Configuring Citrix Receiver for Mac
- Optimizing your Citrix Receiver for Mac environment
- Improving the user experience in Citrix Receiver for Mac
- Securing Citrix Receiver for Mac communications
Requirements for Smart card authentication
Dec 06, 2016
Citrix Receiver for Mac supports Smart card authentication in the following configurations:
- Smart card authentication to Receiver for Web/StoreFront 2.x and newer, and XenDesktop 7.1 and newer or XenApp 6.5 and newer using browser-based access.
- Smart card-enabled applications, such as Microsoft Outlook and Microsoft Office, allow users to digitally sign or encrypt documents available in virtual desktop or application sessions.
- With multiple certificates— Citrix Receiver for Mac supports using multiple certificates with a single smart card or with multiple Smart cards. When your user inserts a Smart card into a card reader, the certificates are available to all applications running on the device, including Citrix Receiver for Mac.
In double-hop sessions—if a double-hop is required, a further connection is established between Citrix Receiver for Mac and your user's virtual desktop.
About Smart card authentication to NetScaler
When using a Smart card to authenticate a connection when there are multiple usable certificates on the smart card, Citrix Receiver for Mac prompts you to select a certificate. Upon selecting a certificate, Citrix Receiver for Mac prompts you to enter the smart card password; once authenticated, the session launches.
If there is only one suitable certificate on the Smart card, Citrix Receiver for Mac uses that certificate and will not prompt you to select it. However, you must still enter the password associated with the Smart card to authenticate the connection and to start the session.
Specifying a PKCS#11 module for Smart card authentication
Note: Installing PKCS#11 module is not mandatory.
To specify PKCS#11 module for Smart card authenticaiton:
- In Citrix Receiver, select Preferences.
- Click Security & Privacy.
- In the Security & Privacy section, click Smart Card.
- In the PKCS#11 field, select the appropriate module; click Other to browse to the location of the PKCS#11 module if the desired one is not listed.
- After selecting the appropriate module, click Add.
Supported readers, middleware, and smart card profiles
Citrix Receiver for Mac supports most Mac OS X compatible Smart card readers and cryptographic middleware. Citrix has validated operation with the following.
Supported readers:
- Common USB connect Smart card readers
Supported middleware:
- Clariify
- Activeidentity client version
- Charismathics client version
Supported Smart cards:
- PIV cards
- Common Access Card (CAC)
- Gemalto .NET cards
Follow the instructions provided by your vendor’s Mac OS X compatible Smart card reader and cryptographic middleware for configuring user devices.
Restrictions
- Certificates must be stored on a Smart card, not on the user device.
- Citrix Receiver for Mac does not save the user certificate choice.
- Citrix Receiver for Mac does not store or save the user’s Smart Card PIN. PIN acquisitions is handled by the OS, which may have its own caching mechanism.
- Citrix Receiver for Mac does not reconnect sessions when a Smart card is inserted.
- To use VPN tunnels with smart card authentication, users must install the NetScaler Gateway Plug-in and log on through a web page, using their Smart cards and PINs to authenticate at each step. Pass-through authentication to StoreFront with the NetScaler Gateway Plug-in is not available for Smart card users.