Using Smart Cards with XenApp

May 08, 2015

You can use smart cards in your XenApp environment. Smart cards are small plastic cards with embedded computer chips.

In a XenApp environment, smart cards can be used to:
  • Authenticate users to networks and computers
  • Secure channel communications over a network
  • Use digital signatures for signing content

If you are using smart cards for secure network authentication, your users can authenticate to applications and content published on servers. Smart card functionality within these published applications is also supported.

For example, a published Microsoft Outlook application can be configured to require that users insert a smart card into a smart card reader attached to the client device to log on to the server. After users are authenticated to the application, they can digitally sign email using certificates stored on their smart cards.

Citrix has tested smart cards that meet Standard 7816 of the International Organization for Standardization (ISO) for cards with electrical contacts (known as contact cards) that interface with a computer system through a smart card reader device. The reader can be connected to the host computer by the serial, USB, or PCMCIA port.
Note: Attach the smart card reader before launching the ICA session. When the reader is attached after the ICA session is launched, users must disconnect and relaunch the ICA session to use the smart card inside the session. Refer to CTX132230 for details.

Citrix supports the use of PC/SC-based cryptographic smart cards. These cards include support for cryptographic operations such as digital signatures and encryption. Cryptographic cards are designed to allow secure storage of private keys such as those used in Public Key Infrastructure (PKI) security systems. These cards perform the actual cryptographic functions on the smart card itself, meaning the private key and digital certificates never leave the card.

In addition, Citrix supports two-factor authentication for increased security. Instead of merely presenting the smart card (one factor) to conduct a transaction, a user-defined PIN (a second factor), known only to the user, is employed to prove that the cardholder is the rightful owner of the smart card.
Note: XenApp does not support the RSA Security Inc. PKCS (Public-Key Cryptography Standard) #11 functional specification for personal cryptographic tokens.

You can also use smart cards with the Web Interface for XenApp. For details, see the Web Interface administrator documentation.

Smart Card Requirements

Before using smart cards with XenApp, consult your smart card vendor or integrator to determine detailed configuration requirements for your specific implementation.

The following components are required on the server:
  • PC/SC software
  • Cryptographic Service Provider (CSP) software

These components are required on the device running the supported Citrix plug-in:
  • PC/SC software
  • Smart card reader software drivers
  • Smart card reader

Your Windows server and client operating systems may come with PC/SC, CSP, or smart card reader drivers already present. See your smart card vendor for information about whether these software components are supported or must be replaced with vendor-specific software.

You do not need to attach the smart card reader to your server during CSP software installation if you can install the smart card reader driver portion separately from the CSP portion.

If you are using pass-through authentication to pass credentials from your client device to the smart card server session, CSP software must be present on the client device.
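The following PowerShell script is an added example, not part of the Citrix documentation. It audits a Windows host for the components listed above; run with -Role Client on the user device before launching the ICA session to confirm the reader is attached. The -Role parameter and the Add-Check helper are this example's own names, and it assumes a Windows release that includes the PnpDevice module (Get-PnpDevice).

```powershell
# Added example: audit the smart card prerequisites listed in this section.
# 'Server' = XenApp server, 'Client' = device running the Citrix plug-in
# (both role names are assumptions of this script).
param([ValidateSet('Server','Client')][string]$Role = 'Server')

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check($Component, $Ok, $Detail) {
    $results.Add([pscustomobject]@{
        Component = $Component; Present = [bool]$Ok; Detail = $Detail })
}

# PC/SC software: on Windows this is the Smart Card resource manager service.
# It is trigger-started, so "Stopped" is acceptable; "Disabled" is not.
$svc = Get-Service -Name SCardSvr -ErrorAction SilentlyContinue
Add-Check 'PC/SC service (SCardSvr)' ($svc -and $svc.StartType -ne 'Disabled') `
    ("Status={0}; StartType={1}" -f $svc.Status, $svc.StartType)

# CSP software: each registered card type names the CSP that handles it.
# Required on the server; on the client only for pass-through authentication.
$cardKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards'
$cards = @(Get-ChildItem $cardKey -ErrorAction SilentlyContinue | ForEach-Object {
    $csp = (Get-ItemProperty -Path $_.PSPath).'Crypto Provider'
    if ($csp) { '{0} -> {1}' -f $_.PSChildName, $csp }
})
Add-Check 'Smart card CSP registrations' ($cards.Count -gt 0) ($cards -join '; ')

if ($Role -eq 'Client') {
    # Reader drivers: devices in the SmartCardReader class, attached or not.
    $known = @(Get-PnpDevice -Class SmartCardReader -ErrorAction SilentlyContinue)
    Add-Check 'Reader driver installed' ($known.Count -gt 0) `
        (($known | ForEach-Object FriendlyName) -join '; ')

    # Reader: must be physically present before the ICA session is launched.
    $attached = @(Get-PnpDevice -Class SmartCardReader -PresentOnly `
        -ErrorAction SilentlyContinue)
    Add-Check 'Reader attached' ($attached.Count -gt 0) `
        (($attached | ForEach-Object FriendlyName) -join '; ')
}

$results | Format-Table -AutoSize -Wrap

# A non-zero exit code lets a logon script or deployment tool flag the host.
$missing = @($results | Where-Object { -not $_.Present })
if ($missing.Count -gt 0) { exit 1 }
```

A listed CSP registration shows only that a provider is mapped to a card type; whether it is the provider your card vendor supports still has to be confirmed with the vendor.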

Configuring XenApp for Smart Cards

A complete and secure smart card solution can be complex, and Citrix recommends that you consult your smart card vendor or integrator for details. Configuration of smart card implementations and configuration of third-party security systems, such as certificate authorities, are beyond the scope of this documentation.

Smart cards are supported for authenticating users to published applications or for use within published applications that offer smart card functionality. Only the former is enabled by default upon installation of XenApp.

The following XenApp clients and plug-ins support smart cards:
  • Citrix online plug-in
  • Client for Linux
  • Client for Windows-based terminals
  • Client for Macintosh

To configure smart card support for users of these plug-ins and clients, see the plug-in or client documentation.