Created: 2012-11-04
Updated: 2012-11-06
Background:
During one of my engagements we encountered some strange behavior in the smart card logon cycle. Basically, when launching an application hosted on a XenApp (4.0/4.5/6.0/6.5) server from a Dell Latitude E6320 with a built-in USIM reader, you get a driver error notification.

The message itself mainly causes functional issues on Windows 2003 servers, but it is visible on all operating systems. In reality, the issue comes from connecting a newer laptop to a 9-year-old operating system, so why was I surprised in the first place?

As far as I know (from earlier experience), Windows picks the smart card reader in alphabetical order (in case you have several), but this just didn't make sense. As the correct reader to be used is named "Broadcom..." and the USIM reader is named "Dell...", it was just puzzling.

Windows 2003 Server Error

Windows 2008 Server Error

Workaround 1
There are a few known workarounds at this point in time; for example, if we disable the USIM device, the error messages disappear.


Workaround 2
An alternative workaround is to keep the USIM device enabled but instead set a blank value under Groups (as specified below) for the reader's entry under this key. It was also found that this change did not noticeably affect the USIM/3G card behaviour.
HKLM\SOFTWARE\Microsoft\Cryptography\Calais\Readers

Please note that the registry workaround has not been confirmed as supported, and hence it is not a recommended approach at this point in time.
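To make Workaround 2 reproducible and reversible, here is an added PowerShell script (example code written for this article, not part of the original post or any vendor tooling). It assumes that each reader the Smart Card service knows about has its own subkey under the Calais\Readers key named in the post, that the subkey carries a REG_MULTI_SZ value named Groups, and that "blank" means an empty multi-string; the reader name pattern Dell* is a placeholder to adjust to the reader shown in your own registry. The script exports the key first so the change can be undone, lists every reader with its current Groups value, and only then blanks Groups for the matching reader(s).

```powershell
# Added example (not from the original post): inspect the smart card reader
# registry entries and blank the "Groups" value for one reader after backing
# the key up. Assumes each reader has its own subkey under Calais\Readers with
# a REG_MULTI_SZ value named "Groups" (assumption based on the post's key path).
# Run from an elevated PowerShell prompt.

$readersKey    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\Readers'
$readerPattern = 'Dell*'   # placeholder: match only the reader you want to change

# 1. Back up the whole Readers key to a .reg file so the change can be reverted.
$backup = Join-Path $env:TEMP ("Calais-Readers-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
reg.exe export 'HKLM\SOFTWARE\Microsoft\Cryptography\Calais\Readers' $backup /y | Out-Null
Write-Host "Backup written to $backup"

# 2. Show every reader subkey and its current Groups value before touching anything.
Get-ChildItem $readersKey | ForEach-Object {
    $groups = (Get-ItemProperty -Path $_.PSPath -Name Groups -ErrorAction SilentlyContinue).Groups
    [pscustomobject]@{
        Reader = $_.PSChildName
        Groups = if ($null -eq $groups) { '<not set>' } else { $groups -join ', ' }
    }
} | Format-Table -AutoSize

# 3. Blank Groups only for the reader(s) matching the pattern; leave all others untouched.
$targets = Get-ChildItem $readersKey | Where-Object { $_.PSChildName -like $readerPattern }
if (-not $targets) {
    Write-Warning "No reader matched '$readerPattern'; nothing changed."
    return
}
foreach ($t in $targets) {
    # Empty string array written as REG_MULTI_SZ = the "blank" Groups value from the post.
    Set-ItemProperty -Path $t.PSPath -Name Groups -Value ([string[]]@()) -Type MultiString
    Write-Host "Cleared Groups for reader '$($t.PSChildName)'"
}
```

Run step 2 on its own first and confirm that the pattern matches exactly one reader (the USIM reader, not the reader the smart card logon should use) before letting step 3 write anything. The Smart Card service reads this configuration, so restart it (Restart-Service SCardSvr) or reboot before retesting the XenApp logon; to undo the change, import the backup with reg.exe import <path to the .reg file> and restart the service again.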

And yes, we did try to find other workarounds, but none of them was as effective as the two above.

Credits
I would also like to thank a few people for their assistance. So a big thank you to Kjell Perman (Tieto), Samir Hamouni (Tieto), Jens A (SecMaker) and, last but not least, Emil Tibblin (Swedish Public Sector). Emil is someone you will probably hear more from, as he has (in one way or another) been involved in most of my Citrix smart card deployments over the years.