Product Documentation

Requirements for smart card authentication

Oct 29, 2015

Receiver for Mac supports smart card authentication in the following configurations:

  • Smart card authentication to Receiver for Web/ StoreFront 2.x and XenDesktop 5.6 and above or XenApp 6.5 and above using browser based access.
  • Smart card-enabled applications, such as Microsoft Outlook and Microsoft Office, allow users to digitally sign or encrypt documents available in virtual desktop or application sessions.
  • With multiple certificates—Receiver for Mac supports using multiple certificates with a single smart card or with multiple smart cards. When your user inserts a smart card into a card reader, the certificates are available to all applications running on the device, including Citrix Receiver.
  • In double-hop sessions—if a double-hop is required, a further connection is established between Receiver and your user's virtual desktop.

    Deployments supporting double-hops are described in the XenApp and XenDesktop documentation. For more information, see: Smart card deployments.

Note: Smart card authentication to NetScaler Gateway with StoreFront 2.x to XenDesktop 5.6 and above or to XenApp 6.5 and above is not currently supported with Receiver for Mac.

Supported readers, middleware, and smart card profiles

Receiver for Mac supports most Mac OS X compatible smart card readers and cryptographic middleware. Citrix has validated operation with the following.

Supported readers:

  • Common USB connect smart card readers

Supported middleware:

  • Clariify
  • Activeidentity client version
  • Charismathics client version

Supported smart cards:

  • PIV cards
  • Common Access Card (CAC)

Follow the instructions provided by your vendor’s Mac OS X compatible smart card reader and cryptographic middleware for configuring user devices.


  • Certificates must be stored on a smart card, not the user device.
  • Receiver for Mac does not save the user certificate choice.
  • Receiver for Mac does not store or save the user’s Smart Card PIN. PIN acquisitions is handled by the OS, which may have its own caching mechanism.
  • Receiver for Mac does not reconnect sessions when a smart card is inserted.
  • To use VPN tunnels with smart card authentication, users must install the NetScaler Gateway Plug-in and log on through a web page, using their smart cards and PINs to authenticate at each step. Pass-through authentication to StoreFront with the NetScaler Gateway Plug-in is not available for smart card users.