Configure smart card authentication for Web Interface 5.4

If Citrix Receiver for Windows is installed with a SSON component, pass-through authentication is enabled by default even if the PIN pass-through for smart card is not enabled on the XenApp PNAgent site; the pass-through setting for authentication methods will no longer be effective. The screen below illustrates how to enable smart card as the authentication method when Citrix Receiver for Windows is properly configured with SSON.

See How to Manually install and configure Citrix Receiver for Pass-through Authentication for more information.

COnfigure authentication methods

Use the smart card removal policy to control the behavior for smart card removal when a user authenticates to the Citrix Web Interface 5.4 PNAgent site.

When this policy is enabled, the user is logged off from the XenApp session if the smart card is removed from the client device. However, the user is still logged into Citrix Receiver for Windows.

For this policy to take effect, the smart card removal policy must set in Web Interface XenApp Services site. The settings can be found on Web Interface 5.4, XenApp Services Site > Pass-through with smart card > Enable Roaming > Logoff the sessions when smart card removed. When the smart card removal policy is disabled, the user’s XenApp session is disconnected if the smart card is removed from the client device; smart card removal on the Web Interface XenApp Services site does not have any effect. Note: There are separate policies for 32bit and 64bit clients. For 32bit devices, the policy name is Smartcard Removal Policy (32Bit machine) and for 64bit devices, the policy name is Smartcard Removal Policy (64Bit machine).

sson user authGPO

pnagent properties

Smart card support and removal changes

Consider the following when connecting to a XenApp 6.5 PNAgent site:

  • Beginning with Citrix Receiver for Windows 4.5, smart card login is supported for PNAgent site logins.
  • The smart card removal policy has changed on the PNAgent Site: A XenApp session is logged off when the smart card is removed – if the PNAgent site is configured with smart card as the authentication method, the corresponding policy has to be configured on Receiver for Windows to enforce the XenApp session for logoff. Enable roaming for smart card authentication on the XenApp PNAgent site and enable the smart card removal policy, which logs off XenApp from the Receiver session; the user is still logged into the Receiver session.

Known issue

When a user logs in to the PNAgent site using smart card authentication, the username is displayed as Logged On.

Configure smart card authentication for Web Interface 5.4