Smart cards
Smart cards and equivalent technologies are supported within the guidelines described in this article. To use smart cards with Citrix Virtual Apps or Citrix Virtual Desktops:
- Understand your organization’s security policy concerning the use of smart cards. These policies might, for example, state how smart cards are issued and how users must safeguard them. Some aspects of these policies might need to be reassessed in a Citrix Virtual Apps or Citrix Virtual Desktops environment.
- Determine which user device types, operating systems, and published applications are to be used with smart cards.
- Familiarize yourself with smart card technology and your selected smart card vendor hardware and software.
- Know how to deploy digital certificates in a distributed environment.
Note:
Smart card enrollment is not supported with fast smart card. Smart card enrollment might work when fast smart card is disabled, but depends on the type of smart card and middleware. Contact your smart card and middleware vendor for information on their integration with Citrix Virtual Apps and Desktops and support for smart card enrollment over virtual sessions.
Types of smart cards
Enterprise and consumer smart cards have the same dimensions, electrical connectors, and fit the same smart card readers.
Smart cards for enterprise use contain digital certificates. These smart cards support Windows Logon, and can also be used with applications for digital signing and encryption of documents and email. Citrix Virtual Apps and Desktops support these uses.
Smart cards for consumer use do not contain digital certificates; they contain a shared secret. These smart cards can support payments (such as a chip-and-signature or chip-and-PIN credit card). They do not support Windows Logon or typical Windows applications. Specialized Windows applications and a suitable software infrastructure (including, for example, a connection to a payment card network) are needed for use with these smart cards. Contact your Citrix representative for information on supporting these specialized applications on Citrix Virtual Apps or Citrix Virtual Desktops.
For enterprise smart cards, there are compatible equivalents that can be used in a similar way.
- A smart card-equivalent USB token connects directly to a USB port. These USB tokens are usually the size of a USB flash drive, but can be as small as a SIM card used in a mobile phone. They appear as the combination of a smart card plus a USB smart card reader.
- A virtual smart card using a Windows Trusted Platform Module (TPM) appears as a smart card. These virtual smart cards are supported for Windows 8 and Windows 10, using Citrix Workspace app (minimum version Citrix Receiver 4.3).
- Versions of Citrix Virtual Apps and Desktops (formerly XenApp and XenDesktop) earlier than XenApp and XenDesktop 7.6 FP3 do not support virtual smart cards.
- For more information on virtual smart cards, see Virtual Smart Card Overview.
Note: The term “virtual smart card” is also used to describe a digital certificate stored on the user computer. These digital certificates are not strictly equivalent to smart cards.
Citrix Virtual Apps and Desktops smart card support is based on the Microsoft Personal Computer/Smart Card (PC/SC) standard specifications. A minimum requirement is that smart cards and smart card devices must be supported by the underlying Windows operating system and must be approved by the Microsoft Windows Hardware Quality Labs (WHQL) to be used on computers running qualifying Windows operating systems. See the Microsoft documentation for additional information about hardware PC/SC compliance. Other types of user devices might comply with the PC/SC standard. For more information, refer to the Citrix Ready program.
Usually, a separate device driver is needed for each vendor’s smart card or equivalent. However, if smart cards conform to a standard such as the NIST Personal Identity Verification (PIV) standard, it might be possible to use a single device driver for a range of smart cards. The device driver must be installed on both the user device and the Virtual Delivery Agent (VDA). The device driver is often supplied as part of a smart card middleware package available from a Citrix partner; the smart card middleware package offers advanced features. The device driver might also be described as a Cryptographic Service Provider (CSP), Key Storage Provider (KSP), or minidriver.
The following smart card and middleware combinations for Windows systems have been tested by Citrix as representative examples of their type. However, other smart cards and middleware can also be used. For more information about Citrix-compatible smart cards and middleware, see http://www.citrix.com/ready.
Middleware | Matching cards |
---|---|
Gemalto Mini Driver for .NET card | Gemalto .NET v2+ |
For information about smart card usage with other types of devices, see the Citrix Workspace app documentation for that device.
Remote PC Access
Smart cards are supported only for remote access to physical office PCs running Windows 10, Windows 8 or Windows 7.
The following smart cards were tested with Remote PC Access:
Middleware | Matching cards |
---|---|
Gemalto .NET minidriver | Gemalto .NET v2+ |
Fast smart card
Fast smart card is an improvement over the existing HDX PC/SC-based smart card redirection. It improves performance when smart cards are used in high-latency WAN situations. When latency is high, the performance improvement can be significant (for example, 15 seconds for a Windows fast smart card logon versus more than 1 minute with the PC/SC-based smart card redirection).
Fast smart card is enabled by default on host machines with currently supported Windows VDAs. To disable fast smart card on the host side (for example, for diagnostic purposes), set the ‘Disable Cryptographic Redirection’ registry setting to any non-zero value:
HKLM\SOFTWARE\Citrix\SmartCard
CryptographicRedirectionDisable (DWORD)
On the client side, to enable fast smart card, include the SmartCardCryptographicRedirection ICA parameter in the default.ica file of the associated StoreFront site:
[WFClient]
SmartCardCryptographicRedirection=On
In addition, on the client side, fast smart card can be force enabled or force disabled (for example, for diagnostic purposes) with the following registry settings:
- HKLM\SOFTWARE[\WOW6432Node]\Citrix\ICA Client\SmartCard\ForceEnableCryptographicRedirection (as a non-zero DWORD)
Or
- HKLM\SOFTWARE[\WOW6432Node]\Citrix\ICA Client\SmartCard\ForceDisableCryptographicRedirection (as a non-zero DWORD)
The 32-bit registry hive must be specified (using WOW6432Node) if the client machine is 64-bit.
Limitations:
- Only Citrix Workspace app for Windows supports fast smart card. If you configure fast smart cards in the default.ica file, Citrix Workspace apps that are not for Windows still use existing PC/SC Redirection.
- The only double-hop scenarios that fast smart card supports are ICA > ICA with fast smart card enabled on both hops. Because fast smart card doesn’t support ICA > RDP double-hop scenarios, those scenarios don’t work.
- Fast smart card doesn’t support Cryptography Next Generation. Thus, fast smart card doesn’t support Elliptic Curve Cryptography (ECC) smart cards.
- Fast smart card supports only read-only key container operations.
- Fast smart card doesn’t support changing the smart card PIN.
Starting with VDA version 2203 and Citrix Workspace app version 2202 for Windows (or later), fast smart card is compatible with Cryptography Next Generation (CNG). In addition, Elliptic Curve Cryptography (ECC) smart cards are supported with the following curves: P-256, P-384, and P-521, for both ECDSA and ECDH.
Starting with VDA version 2203, fast smart card adds the ability to cache the smart card PIN between the applications from the same user’s logon session. For example, if Session PIN Caching is enabled and the end user has previously provided their smart card PIN to Outlook, when Word is then used to sign a document, Word uses the already cached smart card PIN (submitted to Outlook). Session PIN Caching helps the user experience by reducing the number of times the user has to enter their smart card PIN. In addition, if the smart card is used to log on to the VDA, the Windows smart card logon PIN can optionally be saved to the Session PIN Cache. This can further improve the user experience.
Session PIN Caching is disabled by default. It can be enabled and controlled with the following registry settings on the VDA:
In HKLM\SOFTWARE\Citrix\SmartCard:
- EnablePinSessionCache as a DWORD (non-zero to enable)
- EnableLogonPinSessionCache as a DWORD (non-zero to enable)
- PinSessionCacheEntryStaleTimeout as a DWORD (number of seconds before an entry becomes stale, default is 1 hour)
Types of smart card readers
A smart card reader might be built in to the user device, or be separately attached to the user device (usually via USB or Bluetooth). Contact card readers that comply with the USB Chip/Smart Card Interface Devices (CCID) specification are supported. They contain a slot or swipe into which the user inserts the smart card. The Deutsche Kreditwirtschaft (DK) standard defines four classes of contact card readers.
- Class 1 smart card readers are the most common, and usually contain a slot. Class 1 smart card readers are supported, usually with a standard CCID device driver supplied with the operating system.
- Class 2 smart card readers also contain a secure keypad that cannot be accessed by the user device. Class 2 smart card readers might be built into a keyboard with an integrated secure keypad. For class 2 smart card readers, contact your Citrix representative; a reader-specific device driver might be required to enable the secure keypad capability.
- Class 3 smart card readers also contain a secure display. Class 3 smart card readers are not supported.
- Class 4 smart card readers also contain a secure transaction module. Class 4 smart card readers are not supported.
Note:
The smart card reader class is unrelated to the USB device class.
Smart card readers must be installed with a corresponding device driver on the user device.
For information about supported smart card readers, see the documentation for the Citrix Workspace app you are using. In the Citrix Workspace app documentation, supported versions are listed in a smart card article or in the system requirements article.
User experience
Smart card support is integrated into Citrix Virtual Apps and Desktops, using a specific ICA/HDX smart card virtual channel that is enabled by default.
Important: Do not use generic USB redirection for smart card readers. This is disabled by default for smart card readers, and is not supported if enabled.
Multiple smart cards and multiple readers can be used on the same user device, but if pass-through authentication is in use, only one smart card must be inserted when the user starts a virtual desktop or application. When a smart card is used within an application (for example, for digital signing or encryption functions), there might be other prompts to insert a smart card or enter a PIN. This can occur if more than one smart card has been inserted at the same time.
- If users are prompted to insert a smart card when the smart card is already in the reader, they must select Cancel.
- If users are prompted for the PIN, they must enter the PIN again.
You can reset PINs using a card management system or vendor utility.
Important:
Within a Citrix Virtual Apps or Citrix Virtual Desktops session, using a smart card with the Microsoft Remote Desktop Connection application is not supported. This is sometimes described as a “double hop” use.
Before deploying smart cards
- Obtain a device driver for the smart card reader and install it on the user device. Many smart card readers can use the CCID device driver supplied by Microsoft.
- Obtain a device driver and cryptographic service provider (CSP) software from your smart card vendor, and install them on both user devices and virtual desktops. The driver and CSP software must be compatible with Citrix Virtual Apps and Desktops; check the vendor documentation for compatibility. For virtual desktops using smart cards that support and use the minidriver model, smart card minidrivers download automatically, but you can also obtain them from http://catalog.update.microsoft.com or from your vendor. Also, if PKCS#11 middleware is required, obtain it from the card vendor.
- Important: Citrix recommends that you install and test the drivers and CSP software on a physical computer before installing Citrix software.
- Add the Citrix Receiver for Web URL to the Trusted Sites list for users who use smart cards in Internet Explorer with Windows 10. In Windows 10, Internet Explorer does not run in protected mode by default for trusted sites.
- Ensure that your public key infrastructure (PKI) is configured appropriately. This includes ensuring that certificate-to-account mapping is correctly configured for Active Directory environment and that user certificate validation can be performed successfully.
- Ensure that your deployment meets the system requirements of the other Citrix components used with smart cards, including Citrix Workspace app and StoreFront.
- Ensure access to the following servers in your Site:
- The Active Directory domain controller for the user account that is associated with a logon certificate on the smart card
- Delivery Controller
- Citrix StoreFront
- Citrix Gateway/Citrix Access Gateway 10.x
- VDA
- (Optional for Remote PC Access): Microsoft Exchange Server
Enable smart card use
Step 1. Issue smart cards to users according to your card issuance policy.
Step 2. (Optional) Set up the smart cards to enable users for Remote PC Access.
Step 3. Install and configure the Delivery Controller and StoreFront (if not already installed) for smart card remoting.
Step 4. Enable StoreFront for smart card use. For details, see Configure smart card authentication in the StoreFront documentation.
Step 5. Enable Citrix Gateway/Access Gateway for smart card use. For details, see Configuring Authentication and Authorization and Configuring Smart Card Access with the Web Interface in the NetScaler documentation.
Step 6. Enable VDAs for smart card use.
- Ensure that the VDA has the required applications and updates.
- Install the middleware.
- Set up smart card remoting, enabling the communication of smart card data between Citrix Workspace app on a user device and a virtual desktop session.
Step 7. Enable user devices (including domain-joined or non-domain-joined machines) for smart card use. See Configure smart card authentication in the StoreFront documentation for details.
- Import the certificate authority root certificate and the issuing certificate authority certificate into the device’s keystore.
- Install your vendor’s smart card middleware.
- Install and configure Citrix Workspace app for Windows, being sure to import icaclient.adm using the Group Policy Management Console and enable smart card authentication.
Step 8. Test the deployment. Ensure that the deployment is configured correctly by launching a virtual desktop with a test user’s smart card. Test all possible access mechanisms (for example, accessing the desktop through Internet Explorer and Citrix Workspace app).
Track smart card reader insertion count
With smart card remoting, you can track the number of times a smart card has been inserted into or removed from a reader using the SCardGetStatusChange function. The function updates an array of SCARD_READERSTATE data structures, one for each reader you monitor. The high word (16 bits) of the dwEventState field of each SCARD_READERSTATE contains the reader count. For more information, see the Microsoft articles SCardGetStatusChangeA function and SCARD_READERSTATEA structure.
The Reader Insert Count Reporting setting is disabled by default. To enable tracking, add the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\SmartCard
Name: EnableReaderInsertCountReporting
Type: DWORD
Value: Any non-zero value
When the session disconnects, the count resets to zero.
Reader Insert Count Reporting is compatible with third-party smart card middleware.
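The following is an added example, not Citrix or Microsoft code, showing how a monitoring loop can consume the reader count described above: it splits the high word of dwEventState off from the SCARD_STATE_* flags, tracks the count across polls, treats a count that drops back to zero as the reset that happens on session disconnect, and flags the case where the count advances by two or more while the card looked "present" at both polls, meaning a card was removed and reinserted between polls without the loop ever seeing the reader empty. The flag values are copied from winscard.h so the block builds without the Windows SDK; the tracker and the dwEventState sample values are constructed for illustration, and the names track_reader_event and summarize_reader_states are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Reader-state flags with the values winscard.h assigns them; defined here so the block
 * builds without the Windows SDK. A real monitor includes <winscard.h> and reads these
 * from the SCARD_READERSTATE array that SCardGetStatusChange fills in. */
#define SCARD_STATE_CHANGED 0x0002u
#define SCARD_STATE_EMPTY   0x0010u
#define SCARD_STATE_PRESENT 0x0020u

/* With EnableReaderInsertCountReporting set on the VDA, the high 16 bits of
 * dwEventState carry the reader's insert/remove count. */
static unsigned reader_insert_count(uint32_t dwEventState) { return (dwEventState >> 16) & 0xFFFFu; }
static bool card_present(uint32_t dwEventState) { return (dwEventState & SCARD_STATE_PRESENT) != 0; }

typedef struct { bool have_baseline; bool last_present; unsigned last_count; } insert_tracker_t;

/* Feed one dwEventState per poll (hypothetical helper). Returns the insert/remove events since
 * the previous poll and sets *unseen_swap when the count moved by two or more although the card
 * looked present at both polls: it was pulled and reinserted while nobody was looking. */
static unsigned track_reader_event(insert_tracker_t *t, uint32_t st, bool *unseen_swap) {
    unsigned now = reader_insert_count(st), delta = 0;
    bool present = card_present(st);
    *unseen_swap = false;
    if (t->have_baseline && now >= t->last_count) {  /* now < last_count: count reset after disconnect */
        delta = now - t->last_count;
        *unseen_swap = delta >= 2 && t->last_present && present;
    }
    t->have_baseline = true;
    t->last_present = present;
    t->last_count = now;
    return delta;
}

/* Run a whole poll history through the tracker (hypothetical helper, not a PC/SC call). */
static void summarize_reader_states(const uint32_t *states, size_t n, unsigned *events, unsigned *unseen_swaps) {
    insert_tracker_t t = {0};
    *events = *unseen_swaps = 0;
    for (size_t i = 0; i < n; i++) {
        bool swap;
        *events += track_reader_event(&t, states[i], &swap);
        *unseen_swaps += swap ? 1u : 0u;
    }
}

/* Constructed sample of dwEventState values, as a polling loop might observe them. */
static const uint32_t SAMPLE_STATES[] = {
    SCARD_STATE_PRESENT | (1u << 16),                        /* baseline: card in, count 1 */
    SCARD_STATE_PRESENT | SCARD_STATE_CHANGED | (3u << 16),  /* still present, count +2: unseen swap */
    SCARD_STATE_EMPTY | SCARD_STATE_CHANGED | (4u << 16),    /* card removed, count +1 */
    SCARD_STATE_EMPTY | (0u << 16),                          /* count back to 0: session disconnected */
};
```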