The majority of Federal customers have already moved, or are planning a move, towards Smartcard-based authentication as their primary authentication method for domain network access. Several customers ask whether their CAC or PIV card will work for authentication with Citrix products (yes, they do!), and if so, how?
Although the majority of this information already exists on our support KB site, this blog entry serves as a one-stop shop for the resources that are most useful for Federal customers. We are also working on a fully integrated step-by-step Smartcard integration guide targeted specifically at Federal customers.
Environment Assumptions for SmartCard Authentication
- The Active Directory Domain must be pre-configured for PKI-based Authentication.
- Active Directory accounts must be created that map to the UPN credential on the Smartcard.
- The latest middleware client must be installed on the VDA image or XenApp server (ActivIdentity, Gemalto, etc.).
- The middleware client must also be installed on the endpoint device.
- Web Interface, XenApp and XenDesktop components must all be members of the PKI-configured AD domain.
- For best results, use the latest version of Web Interface (v5.4.x).
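The second assumption above (every AD account maps to the UPN carried on the Smartcard) is the one that most often breaks silently, so here is an added PowerShell check that is not part of the original post: for each exported Smartcard certificate it reads the UPN from the Subject Alternative Name extension and looks for exactly one enabled AD account with that UserPrincipalName. The certificate folder path is a hypothetical placeholder, and the script assumes the ActiveDirectory module is installed on the machine it runs on.

```powershell
# Added example (not from the original post): verify that each Smartcard
# certificate's UPN maps to exactly one enabled Active Directory account.
# Assumptions: the ActiveDirectory module is available, and the exported
# public certificates (.cer files) sit in C:\SmartcardCerts (placeholder path).
Import-Module ActiveDirectory

function Get-SmartcardUpn {
    param([string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    # The Subject Alternative Name extension is OID 2.5.29.17; on Windows its
    # formatted text renders the UPN otherName as "Principal Name=user@domain".
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    $text = $san.Format($true)
    if ($text -match 'Principal Name=([^\s,]+)') { return $Matches[1] }
    return $null
}

$results = foreach ($file in Get-ChildItem 'C:\SmartcardCerts\*.cer') {
    $upn = Get-SmartcardUpn -CertPath $file.FullName
    if (-not $upn) {
        [pscustomobject]@{ Certificate = $file.Name; Upn = $null; Status = 'NO UPN IN SAN' }
        continue
    }
    # UPN comparison in the AD filter is case-insensitive, matching how logon resolves it.
    $accounts = @(Get-ADUser -Filter "UserPrincipalName -eq '$upn'")
    $status = switch ($accounts.Count) {
        0       { 'NO MATCHING ACCOUNT' }
        1       { if ($accounts[0].Enabled) { 'OK' } else { 'ACCOUNT DISABLED' } }
        default { 'MULTIPLE ACCOUNTS' }
    }
    [pscustomobject]@{ Certificate = $file.Name; Upn = $upn; Status = $status }
}

# Any status other than OK means the Smartcard logon will fail at the AD mapping step.
$results | Format-Table -AutoSize
```

Run it before the Web Interface and AGEE work: a certificate that reports NO UPN IN SAN or NO MATCHING ACCOUNT will fail every scenario in this post, and chasing that at the WI or GINA prompt wastes hours.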
Smartcard Authentication to XenApp/XenDesktop
This scenario is used by most customers deploying XenApp or XenDesktop internally on a secure network.
All of the post-XA configuration steps can be used even in a XenDesktop environment. The key point in this article from a XA configuration standpoint is the “Trust requests sent to XML service” setting. To configure this required setting in a XenDesktop environment, please see the details in this article: CTX132461.
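As an added illustration that is not part of the original post or of CTX132461, the XenDesktop 5 equivalent of that setting is a site property on the Delivery Controller. The snippet below enables it only if it is off and then verifies the result; it assumes it is run on a controller with the XenDesktop 5 PowerShell snap-in (Citrix.Broker.Admin.V2) installed.

```powershell
# Added example (not from the original post): enable and verify the XenDesktop
# equivalent of the Web Interface "Trust requests sent to XML service" setting.
# Assumption: run on a Delivery Controller with the Citrix.Broker.Admin.V2 snap-in.
Add-PSSnapin Citrix.Broker.Admin.V2

$before = (Get-BrokerSite).TrustRequestsSentToTheXmlServicePort
Write-Host "XML trust before: $before"

if (-not $before) {
    # Required for Smartcard and pass-through logons brokered through Web Interface
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
}

# Confirm the change took effect; without it the Smartcard logon is rejected by the broker.
$after = (Get-BrokerSite).TrustRequestsSentToTheXmlServicePort
if (-not $after) { throw "XML trust is still disabled" }
Write-Host "XML trust after: $after"
```

Once this is on, the XML service accepts the user identity asserted by Web Interface without re-authenticating it, so treat the XML port as an internal-only interface: limit it at the firewall to the Web Interface servers and keep the WI-to-controller path on the secure network.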
This article outlines two Smartcard authentication methods available in Web Interface:
- Smartcard. Users are prompted once for certificate selection (by Web Interface) and twice for PIN (once by WI, once by Windows GINA).
- Smartcard with Pass-Through. Local user credentials are “passed through” from the endpoint device to the WI site. Users are not prompted by the WI for credentials; they are only prompted for a PIN by the Windows GINA. The endpoint needs to be a member of the same domain as Web Interface for this to work.
Smartcard “Pass-thru” authentication from Win7/Vista endpoint
For scenarios that qualify for pass-thru (see above) from a Vista or Win7 endpoint (physical or virtual) for access to XenApp or XenDesktop.
Smartcard “Pass-thru” authentication from AGEE/NetScaler
This scenario is used by customers deploying XenApp or XenDesktop to external users on a non-secure network (internet), or to users that require SSL encryption of ICA/HDX traffic.
- Passes CAC/PIN selection from AGEE Logon point to Web Interface.
- Works with XenApp 4.5+ and XenDesktop 5.0+.
- User is prompted for certificate selection once (at AGEE) and PIN twice (once at AGEE, a second time at the Windows GINA screen).
- Can be easily added to existing XenApp/XenDesktop environments.
Single Sign-On (with Kerberos) from AGEE/NetScaler
This scenario is used by customers deploying a new XenApp environment to external users on a non-secure network (internet), or to users that require SSL encryption of ICA/HDX traffic.
- Combines true Single Sign-On with Kerberos-based authentication for a quick, optimized logon to a XenApp farm with a Smartcard credential.
- XenApp 4.5 and higher only. Not available for XenDesktop (Kerberos Auth is not currently supported for XenDesktop).
- User is prompted once for certificate and PIN by Access Gateway.
- Kerberos authentication setup is required on the XenApp farm and in Active Directory (this can be difficult to add to existing farms).
These are only three of our most popular deployment methods with Smartcards. There are several other methods and configurations; feel free to use this blog post as a forum for unique Smartcard configurations, comments, and feedback.