Configure smart cards

Mar 05, 2015

This topic provides an overview of how to prepare Citrix StoreFront, Citrix Desktop Lock, and Desktop Appliances to work with smart cards.

These instructions apply to the version of Desktop Lock included with Citrix Receiver for Windows Enterprise 3.4. To configure the version of Desktop Lock included with Citrix 4.2, see the instructions in Receiver Desktop Lock.

  1. Configure StoreFront. See Install and set up StoreFront for details.
    1. Configure the XML Service to use DNS Address Resolution for Kerberos support.
    2. Configure StoreFront sites for HTTPS access, create a server certificate signed by your domain certificate authority, and add HTTPS binding to the default website.
    3. Ensure Pass-through with smart card is enabled. This is enabled by default.
    4. Enable Kerberos.
    5. Enable Kerberos and Pass-through with smart card.
    6. Enable Anonymous access on the IIS Default Web Site and use Integrated Windows Authentication.
    7. Ensure the IIS Default Web Site does not require SSL and ignores client certificates.
    8. Enable XenApp Services support.
  2. Configure Local Computer Policies on the user device.
    1. Import the icaclient.adm template using the Group Policy Management Console. The template is available in %Program Files%\Citrix\ICA Client\Configuration\.
    2. Expand Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver > User authentication.
    3. Enable Smart card authentication.
    4. Enable Local user name and password.
  3. Configure the user device before installing Desktop Lock.
    1. Add the URL for the Delivery Controller to the Windows Internet Explorer Trusted Sites list.
    2. Add the URL for the first desktop group to the Internet Explorer Trusted Sites list. Use the following format: desktop://desktop-20group-20name.
    3. Enable Internet Explorer to use automatic login for Trusted Sites.
  4. Configure the user device after installing Desktop Lock.
    1. Edit the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\PNAgent\ServerURL to point to the PNAgent config.xml of the Delivery Controller.
      Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
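
The following PowerShell script checks the user-device settings from steps 3 and 4 without changing them, and exports a backup of the PNAgent key as the Caution advises. It is an added example, not part of the Citrix documentation. It assumes that ServerURL is a string value under the PNAgent key, that a 32-bit Receiver on 64-bit Windows uses the Wow6432Node view, and that backups go to a hypothetical folder under %TEMP%.

```powershell
# Added example: audit of the Desktop Lock user-device settings (steps 3 and 4).
# Assumption: ServerURL is a string value under the PNAgent key; the
# Wow6432Node path covers a 32-bit Receiver on 64-bit Windows.
$pnAgentKeys = @(
    'HKLM:\SOFTWARE\Citrix\PNAgent',
    'HKLM:\SOFTWARE\Wow6432Node\Citrix\PNAgent'
)
$backupDir = Join-Path $env:TEMP 'pnagent-backup'   # hypothetical location

function Test-ServerUrl {
    param([string]$Url)
    # Emits one string per problem; no output means the URL looks sane.
    # Assumption: https is expected because step 1.2 sets up HTTPS access.
    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) {
        "not an absolute URL: '$Url'"; return
    }
    if ($uri.Scheme -ne 'https') { "scheme is '$($uri.Scheme)', expected https" }
    if ($uri.AbsolutePath -notmatch '/config\.xml$') { 'path does not end in config.xml' }
}

foreach ($key in $pnAgentKeys) {
    $value = (Get-ItemProperty -Path $key -Name ServerURL -ErrorAction SilentlyContinue).ServerURL
    if (-not $value) { Write-Output "[skip] $key has no ServerURL"; continue }

    # Export the key before anyone edits it, so the change can be rolled back.
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    $file = Join-Path $backupDir (($key -replace '[:\\]', '_') + '.reg')
    & reg.exe export ($key -replace '^HKLM:', 'HKLM') $file /y | Out-Null

    $problems = @(Test-ServerUrl -Url $value)
    if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Output "[FAIL] $key ServerURL: $_" } }
    else { Write-Output "[ok]   $key ServerURL = $value (backup: $file)" }
}

# Zone 2 is Trusted Sites; setting 1A00 = 0 means "Automatic logon with
# current user name and password". The machine policy location is read first.
$zonePaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
)
$logon = $null
foreach ($p in $zonePaths) {
    $logon = (Get-ItemProperty -Path $p -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    if ($null -ne $logon) { break }
}
if ($logon -eq 0) { Write-Output '[ok]   Trusted Sites: automatic logon enabled' }
else { Write-Output "[FAIL] Trusted Sites logon setting (1A00) is '$logon', expected 0" }
```

Run it in the context of the user who will log on to the device, because the Trusted Sites setting is read from that user's hive when no machine policy is present.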

If Citrix Desktop Lock is installed on the user device, a consistent smart card removal policy is enforced. For example, if the Windows smart card removal policy is set to Force logoff for the desktop, the user must log off from the user device as well, regardless of the Windows smart card removal policy set on it. This ensures that the user device is not left in an inconsistent state. This behavior applies only to user devices with the Desktop Lock, not the Desktop Viewer.