Configure smart card authentication

Citrix Receiver for Windows supports the following smart card authentication features. For information about XenDesktop and StoreFront configuration, refer to the documentation for those components. This topic describes Citrix Receiver for Windows configuration for smart cards.

  • Pass-through authentication (single sign-on) - Pass-through authentication captures smart card credentials when users log on to Citrix Receiver for Windows. Citrix Receiver for Windows uses the captured credentials as follows:

    • Users of domain-joined devices who log on to Citrix Receiver for Windows with smart card credentials can start virtual desktops and applications without needing to re-authenticate.
    • Users of non-domain-joined devices who log on to Citrix Receiver for Windows with smart card credentials must enter their credentials again to start a virtual desktop or application.

    Pass-through authentication requires StoreFront and Citrix Receiver for Windows configuration.

  • Bimodal authentication - Bimodal authentication offers users a choice between using a smart card and entering their user name and password. This feature is useful if the smart card cannot be used (for example, the user has left it at home or the logon certificate has expired). Dedicated stores must be set up per site to allow this, with the DisableCtrlAltDel method set to False to allow smart cards. Bimodal authentication requires StoreFront configuration. If NetScaler Gateway is present in the solution, it also requires configuration.

    Bimodal authentication also now gives the StoreFront administrator the opportunity to offer the end user both user name and password and smart card authentication to the same store by selecting them in the StoreFront Console. See StoreFront documentation.

  • Multiple certificates - Multiple certificates can be available on a single smart card, and also when multiple smart cards are in use. When a user inserts a smart card into a card reader, the certificates are available to all applications running on the user device, including Citrix Receiver for Windows. To change how certificates are selected, configure Citrix Receiver for Windows.

  • Client certificate authentication - Client certificate authentication requires NetScaler Gateway and StoreFront configuration.

    • For access to StoreFront resources through NetScaler Gateway, users might have to re-authenticate after removing a smart card.
    • When the NetScaler Gateway SSL configuration is set to mandatory client certificate authentication, operation is more secure. However, mandatory client certificate authentication is not compatible with bimodal authentication.

  • Double hop sessions - If a double hop is required, a further connection is established between Citrix Receiver for Windows and the user’s virtual desktop. Deployments supporting double hops are described in the XenDesktop documentation.

  • Smart card-enabled applications - Smart card-enabled applications, such as Microsoft Outlook and Microsoft Office, allow users to digitally sign or encrypt documents available in virtual desktop or application sessions.

Prerequisites

This topic assumes familiarity with the smart card topics in the XenDesktop and StoreFront documentation.

Limitations

  • Certificates must be stored on a smart card, not the user device.
  • Citrix Receiver for Windows does not save the user certificate choice, but can store the PIN when configured. The PIN is only cached in non-paged memory for the duration of the user session and is not stored to disk at any point.
  • Citrix Receiver for Windows does not reconnect sessions when a smart card is inserted.
  • When configured for smart card authentication, Citrix Receiver for Windows does not support virtual private network (VPN) single-sign on or session pre-launch. To use VPN tunnels with smart card authentication, users must install the NetScaler Gateway Plug-in and log on through a web page, using their smart cards and PINs to authenticate at each step. Pass-through authentication to StoreFront with the NetScaler Gateway Plug-in is not available for smart card users.
  • Citrix Receiver for Windows Updater communication with citrix.com and the Merchandising Server is not compatible with smart card authentication on NetScaler Gateway.

Warning

Some of the configuration described in this topic includes registry edits. Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it.

To enable single sign-on for smart card authentication

To configure Citrix Receiver for Windows, include the following command-line option when you install it:

  • ENABLE_SSON=Yes

    Single sign-on is another term for pass-through authentication. Enabling this setting prevents Citrix Receiver for Windows from displaying a second prompt for a PIN.

Alternatively, you can perform the configuration through these policy and registry changes:

  • Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver > User authentication > Local user name and password

  • Set SSONCheckEnabled to false in either of the following registry keys if the single sign-on component is not installed. This value prevents the Citrix Receiver for Windows Authentication Manager from checking for the single sign-on component, allowing Citrix Receiver for Windows to authenticate to StoreFront.

    HKEY_CURRENT_USER\Software\Citrix\AuthManager\protocols\integratedwindows\

    HKEY_LOCAL_MACHINE\Software\Citrix\AuthManager\protocols\integratedwindows\

Alternatively, you can enable smart card authentication to StoreFront instead of Kerberos by installing Citrix Receiver for Windows with the command-line options below. This requires administrator privileges. The machine does not need to be joined to a domain.

  • /includeSSON installs single sign-on (pass-through) authentication. Enables credential caching and the use of pass-through domain-based authentication.

  • If the user logs on to the endpoint with a method other than the smart card used for Citrix Receiver for Windows authentication (for example, user name and password), the command line is:

    /includeSSON LOGON_CREDENTIAL_CAPTURE_ENABLE=No

    This prevents the credentials from being captured at logon time and allows Citrix Receiver for Windows to store the PIN when the user logs on to Citrix Receiver for Windows.

  • Go to Policy > Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver > User Authentication > Local user name and password.

    Enable pass-through authentication. Depending on the configuration and security settings, you may need to select the Allow pass-through authentication for all ICA option for pass-through authentication to work.

To configure StoreFront:

  • When you configure the authentication service, select the Smart card check box.

For more information about using smart cards with StoreFront, see Configure the authentication service in the StoreFront documentation.

To enable user devices for smart card use

  1. Import the certificate authority root certificate into the device’s keystore.
  2. Install your vendor’s cryptographic middleware.
  3. Install and configure Citrix Receiver for Windows.

To change how certificates are selected

By default, if multiple certificates are valid, Citrix Receiver for Windows prompts the user to choose a certificate from the list. Alternatively, you can configure Citrix Receiver for Windows to use the default certificate (per the smart card provider) or the certificate with the latest expiry date. If there are no valid logon certificates, the user is notified, and given the option to use an alternate logon method if available.

A valid certificate must have all of these characteristics:

  • The current time of the clock on the local computer is within the certificate validity period.
  • The Subject public key must use the RSA algorithm and have a key length of 1024, 2048, or 4096 bits.
  • Key Usage must contain Digital Signature.
  • Subject Alternative Name must contain the User Principal Name (UPN).
  • Enhanced Key Usage must contain Smart Card Logon and Client Authentication, or All Key Usages.
  • One of the Certificate Authorities on the certificate’s issuer chain must match one of the permitted Distinguished Names (DN) sent by the server in the TLS handshake.
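The following PowerShell script is an added example, not code from Citrix or from this topic. It audits the certificates in the user's personal store against the six validity rules listed above, so an administrator can see why a given smart card certificate is (or is not) offered by Citrix Receiver for Windows. It assumes that Windows has propagated the smart card certificates into Cert:\CurrentUser\My, that the Microsoft OIDs for Smart Card Logon (1.3.6.1.4.1.311.20.2.2) and Client Authentication (1.3.6.1.5.5.7.3.2) are the ones meant by the rule, that "All Key Usages" means a certificate with no EKU extension or with the anyExtendedKeyUsage OID, and that the permitted Distinguished Names the server advertises in the TLS handshake are supplied by the caller, because they cannot be observed offline. The function name Test-SmartCardLogonCertificate is the example's own.

```powershell
# Added example (not Citrix code): audit user certificates against the
# Receiver for Windows smart card logon rules. Windows-only: the SAN text
# parsing relies on the Windows formatting of the extension.
using namespace System.Security.Cryptography.X509Certificates

$SmartCardLogonOid   = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU
$ClientAuthOid       = '1.3.6.1.5.5.7.3.2'        # id-kp-clientAuth
$AnyExtendedKeyUsage = '2.5.29.37.0'              # anyExtendedKeyUsage ("all key usages")

function Test-SmartCardLogonCertificate {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        # DNs the server is expected to send in its TLS CertificateRequest
        # (assumption: taken from the StoreFront / NetScaler Gateway configuration).
        [string[]]$PermittedIssuerDN = @(),
        [datetime]$Now = (Get-Date)
    )
    $failures = [System.Collections.Generic.List[string]]::new()

    # 1. The local clock must fall inside the validity period.
    if ($Now -lt $Certificate.NotBefore -or $Now -gt $Certificate.NotAfter) {
        $failures.Add("not valid at $Now (valid $($Certificate.NotBefore) to $($Certificate.NotAfter))")
    }

    # 2. RSA key of 1024, 2048 or 4096 bits. GetRSAPublicKey returns $null for non-RSA keys.
    $rsa = [RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if (-not $rsa) { $failures.Add('public key is not RSA') }
    elseif ($rsa.KeySize -notin 1024, 2048, 4096) { $failures.Add("RSA key size $($rsa.KeySize) is not 1024/2048/4096") }

    # 3. Key Usage must include Digital Signature.
    $ku = $Certificate.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] } | Select-Object -First 1
    if (-not $ku -or -not $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::DigitalSignature)) {
        $failures.Add('Key Usage lacks Digital Signature')
    }

    # 4. Subject Alternative Name must carry a UPN (otherName 1.3.6.1.4.1.311.20.2.3),
    #    which Windows renders as "Principal Name=user@domain" in the formatted text.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    $upn = $null
    if ($san -and ($san.Format($false) -match 'Principal Name=([^,\s]+)')) { $upn = $Matches[1] }
    if (-not $upn) { $failures.Add('Subject Alternative Name has no User Principal Name') }

    # 5. EKU must contain Smart Card Logon and Client Authentication, or allow all
    #    key usages (no EKU extension at all, or the anyExtendedKeyUsage OID).
    $eku = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } | Select-Object -First 1
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object Value)
        $ok = ($oids -contains $AnyExtendedKeyUsage) -or
              (($oids -contains $SmartCardLogonOid) -and ($oids -contains $ClientAuthOid))
        if (-not $ok) { $failures.Add("EKU [$($oids -join ', ')] lacks Smart Card Logon + Client Authentication") }
    }

    # 6. An issuer in the chain must match one of the permitted DNs. Only checkable
    #    when the caller supplies the list; revocation is skipped for an offline audit.
    if ($PermittedIssuerDN.Count -gt 0) {
        $chain = [X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
        [void]$chain.Build($Certificate)
        $issuers = $chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate.Subject }
        if (-not ($issuers | Where-Object { $PermittedIssuerDN -contains $_ })) {
            $failures.Add('no issuer in the chain matches a permitted DN')
        }
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Upn        = $upn
        NotAfter   = $Certificate.NotAfter
        Valid      = ($failures.Count -eq 0)
        Failures   = ($failures -join '; ')
    }
}

# Usage: report every certificate in the personal store, latest expiry first
# (the order LatestExpiry mode prefers). With the default Prompt mode, Receiver
# lists exactly the certificates that come back with Valid = True.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-SmartCardLogonCertificate -Certificate $_ } |
    Sort-Object NotAfter -Descending |
    Format-Table Valid, Upn, NotAfter, Failures -AutoSize
```

Pass -PermittedIssuerDN with the subject DNs of the CAs that StoreFront or NetScaler Gateway trusts to exercise the sixth rule; without it the script reports on the five rules that can be checked from the certificate alone.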

Change how certificates are selected by using either of the following methods:

  • On the Citrix Receiver for Windows command line, specify the option AM_CERTIFICATESELECTIONMODE={ Prompt | SmartCardDefault | LatestExpiry }.

    Prompt is the default. For SmartCardDefault or LatestExpiry, if multiple certificates meet the criteria, Citrix Receiver for Windows prompts the user to choose a certificate.

  • Add the following key value to the registry key HKCU or HKLM\Software\[Wow6432Node\]Citrix\AuthManager: CertificateSelectionMode={ Prompt | SmartCardDefault | LatestExpiry }.

    Values defined in HKCU take precedence over values in HKLM to best assist the user in selecting a certificate.

To use CSP PIN prompts

By default, the PIN prompts presented to users are provided by Citrix Receiver for Windows rather than the smart card Cryptographic Service Provider (CSP). Citrix Receiver for Windows prompts users to enter a PIN when required and then passes the PIN to the smart card CSP. If your site or smart card has more stringent security requirements, such as disallowing caching of the PIN per process or per session, you can configure Citrix Receiver for Windows to instead use the CSP components to manage the PIN entry, including the prompt for a PIN.

Change how PIN entry is handled by using either of the following methods:

  • On the Citrix Receiver for Windows command line, specify the option AM_SMARTCARDPINENTRY=CSP.
  • Add the following key value to the registry key HKLM\Software\[Wow6432Node\]Citrix\AuthManager: SmartCardPINEntry=CSP.
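The following PowerShell script is an added example, not code from Citrix or from this topic. It reads the three AuthManager registry values this topic describes (SSONCheckEnabled under protocols\integratedwindows, CertificateSelectionMode, and SmartCardPINEntry) from every location the topic lists, applies the rule that HKCU takes precedence over HKLM, flags a value that is set but is not one of the documented strings, and offers a setter that refuses undocumented values or hives. It assumes the values are stored as REG_SZ strings, that the Wow6432Node path applies to 32-bit Receiver on 64-bit Windows, that "true" is the counterpart of the documented "false" for SSONCheckEnabled, and that the HKCU-over-HKLM rule stated for CertificateSelectionMode also applies to SSONCheckEnabled. The function names Get-AuthManagerSetting and Set-AuthManagerSetting are the example's own.

```powershell
# Added example (not Citrix code): audit and set the Receiver for Windows
# AuthManager registry values named in this topic.

# Per setting: the subkey under ...\Citrix\AuthManager where it lives, the hives
# the topic documents for it, and the values the topic documents.
# Assumption: "true" is the counterpart of the documented "false" for SSONCheckEnabled.
$Settings = @{
    CertificateSelectionMode = @{ SubKey = '';                            Hives = 'HKCU','HKLM'; Allowed = 'Prompt','SmartCardDefault','LatestExpiry' }
    SmartCardPINEntry        = @{ SubKey = '';                            Hives = 'HKLM';        Allowed = 'CSP' }
    SSONCheckEnabled         = @{ SubKey = 'protocols\integratedwindows'; Hives = 'HKCU','HKLM'; Allowed = 'true','false' }
}

function Get-AuthManagerSetting {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('CertificateSelectionMode','SmartCardPINEntry','SSONCheckEnabled')]
        [string]$Name
    )
    $spec = $Settings[$Name]
    # HKCU is searched before HKLM so the first hit is the effective value;
    # the native path is tried before Wow6432Node.
    foreach ($hive in $spec.Hives) {
        foreach ($software in 'Software', 'Software\Wow6432Node') {
            $path = "${hive}:\$software\Citrix\AuthManager"
            if ($spec.SubKey) { $path = Join-Path $path $spec.SubKey }
            $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $value = [string]$item.$Name
                return [pscustomobject]@{
                    Name       = $Name
                    Value      = $value
                    Source     = $path
                    Documented = ($spec.Allowed -contains $value)   # false flags a typo such as "LastestExpiry"
                }
            }
        }
    }
    [pscustomobject]@{ Name = $Name; Value = $null; Source = 'not set (Receiver default applies)'; Documented = $true }
}

function Set-AuthManagerSetting {
    # Writes to HKLM (machine-wide) unless -CurrentUser is given; HKLM requires administrator rights.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('CertificateSelectionMode','SmartCardPINEntry','SSONCheckEnabled')]
        [string]$Name,
        [Parameter(Mandatory)][string]$Value,
        [switch]$CurrentUser
    )
    $spec = $Settings[$Name]
    if ($spec.Allowed -notcontains $Value) {
        throw "$Name does not accept '$Value'; documented values: $($spec.Allowed -join ', ')"
    }
    $hive = if ($CurrentUser) { 'HKCU' } else { 'HKLM' }
    if ($spec.Hives -notcontains $hive) {
        throw "$Name is documented only under $($spec.Hives -join '/')"
    }
    $path = "${hive}:\Software\Citrix\AuthManager"
    if ($spec.SubKey) { $path = Join-Path $path $spec.SubKey }
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $Name -Value $Value -Type String   # assumption: REG_SZ
}

# Usage: audit all three settings and show where the effective value comes from.
'CertificateSelectionMode', 'SmartCardPINEntry', 'SSONCheckEnabled' |
    ForEach-Object { Get-AuthManagerSetting -Name $_ } |
    Format-Table Name, Value, Documented, Source -AutoSize

# Examples of the setter (run from an elevated prompt for HKLM):
#   Set-AuthManagerSetting -Name SmartCardPINEntry -Value CSP
#   Set-AuthManagerSetting -Name CertificateSelectionMode -Value LatestExpiry -CurrentUser
```

The Documented column is the check worth keeping: a misspelt value silently falls back to Receiver's default behaviour, and the audit surfaces that before a user reports an unexpected certificate prompt.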