To enable smart card usage

Nov 01, 2013

To enable smart card usage, you need access to the servers that run the following components of your Citrix XenDesktop installation:

  • The Active Directory domain controller for the user account that is associated with a login certificate on the smart card
  • Delivery Controller
  • Citrix StoreFront
  • Citrix NetScaler Gateway/Citrix Access Gateway 10.x
  • Virtual Delivery Agent
  • (Optional for remote access): Microsoft Exchange Server
Note: For Remote PC Access, smart cards are supported on physical computers running Windows 7 or Windows 8 only; smart cards are not supported for physical computers running Windows XP or Vista.
  1. Familiarize yourself with smart card technology in general and with the specific smart card technology you use.
  2. Understand how to install and maintain certificates in distributed environments.
  3. Familiarize yourself with the operation and documentation of the following:
    1. Citrix StoreFront 2.0
    2. Citrix NetScaler Gateway/Citrix Access Gateway 10.x
      Note: This is required for most smart card deployments.
    3. Citrix Receiver for Windows 4.0 and 3.4
    4. Citrix XenDesktop SDK
  4. Enable XenDesktop for smart card use.
    1. Issue smart cards to the users according to your card issuance policy.
    2. (Optional) Set up smart cards to enable users for Remote PC Access.
    3. Install and configure the Delivery Controller and StoreFront (if not already installed for smart card remoting).
  5. Enable StoreFront for smart card use. For details, see Configure smart card authentication.
  6. Enable NetScaler Gateway/Access Gateway for smart card use. For details, see Configuring Authentication and Authorization and Configuring Smart Card Access with the Web Interface.
  7. Enable the Virtual Delivery Agent (VDA) for smart card use. See Install using the graphical interface for details about installing and configuring the Virtual Delivery Agent.
    1. Ensure the Virtual Delivery Agent has the required applications and updates.
    2. Install the middleware.
    3. Set up smart card remoting, enabling the communication of smart card data between Receiver on a user device and a virtual desktop session.
  8. Enable user devices for smart card use. See Configure smart card authentication for details.

    Windows user devices

    These user devices include domain-joined or non-domain-joined computers.

    1. Import the certificate authority root certificate and the issuing certificate authority certificate into the device's keystore.
    2. Install your vendor's cryptographic middleware.
    3. Install and configure Receiver for Windows. Be sure to import icaclient.adm using the Group Policy Management Console and to enable smart card authentication.
      • For thin clients and computers running Desktop Lock, install Receiver for Windows Enterprise 3.4.
      • For all other devices, install Receiver for Windows 4.0.
  9. Test your deployment.

    Ensure that your deployment is configured correctly by launching a virtual desktop with a test user's smart card. Test all possible access mechanisms (for example, accessing the desktop through Internet Explorer and Receiver).
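
    The following PowerShell script is an added example, not part of the Citrix documentation. It performs the certificate import from step 8 on a Windows user device and then, as a pre-check for step 9, confirms that a test user's smart card certificate chains through the imported issuing CA to the imported root. It assumes that the "device's keystore" means the local machine's Trusted Root and Intermediate stores; the file paths are placeholders.

```powershell
# Added example, not Citrix code. Run from an elevated PowerShell prompt.
# All file paths are placeholders (assumptions); substitute your own exported .cer files.
param(
    [string]$RootCaPath    = 'C:\certs\root-ca.cer',
    [string]$IssuingCaPath = 'C:\certs\issuing-ca.cer',
    [string]$UserCertPath  = 'C:\certs\test-user.cer'   # public cert exported from the test user's card
)

$X509 = 'System.Security.Cryptography.X509Certificates'

# Add a certificate file to a LocalMachine store ('Root' = trusted roots, 'CA' = intermediates).
function Add-CertToMachineStore {
    param([string]$Path, [string]$StoreName)
    $cert  = New-Object "$X509.X509Certificate2" -ArgumentList $Path
    $store = New-Object "$X509.X509Store" -ArgumentList $StoreName, 'LocalMachine'
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    $cert
}

$root    = Add-CertToMachineStore -Path $RootCaPath    -StoreName 'Root'
$issuing = Add-CertToMachineStore -Path $IssuingCaPath -StoreName 'CA'
$user    = New-Object "$X509.X509Certificate2" -ArgumentList $UserCertPath

# Build the chain the way a relying party would, including an online revocation check.
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'Online'
$trusted = $chain.Build($user)

# Show every link so a wrong or missing CA certificate is easy to spot.
foreach ($element in $chain.ChainElements) {
    '{0}  (issuer: {1})' -f $element.Certificate.Subject, $element.Certificate.Issuer
}

$thumbprints = @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint })
$endsAtRoot  = $thumbprints.Count -gt 0 -and $thumbprints[-1] -eq $root.Thumbprint
$viaIssuing  = $thumbprints -contains $issuing.Thumbprint

if ($trusted -and $endsAtRoot -and $viaIssuing) {
    'OK: the smart card certificate chains to the imported root through the imported issuing CA.'
} else {
    foreach ($status in $chain.ChainStatus) {
        'Chain problem: {0} - {1}' -f $status.Status, $status.StatusInformation.Trim()
    }
    if (-not $endsAtRoot) { 'Chain does not end at the imported root certificate.' }
    if (-not $viaIssuing) { 'Chain does not pass through the imported issuing CA certificate.' }
    exit 1
}
```

    A revocation failure here usually means the device cannot reach the CRL or OCSP location named in the certificate, which is worth resolving before testing a desktop launch.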