Updated: 2013-07-12

There have always been rumours (if you didn’t know) that PIN pass-through was not possible when using a Vista/Windows 7 operating system rather than Windows XP. The difference is more thoroughly explained in the provided Citrix article (reference section), hence I am not going to deep dive into this part. But what I want to highlight is that it is actually possible to get a Windows 7 PIN pass-through and provide the how-to.
Please note! This post covers only the end-point part of the configuration.

Setup and Access methods:
On the End-Point we have CSP software, Smartcard Reader, Smartcard with certificate and that you logon with the smartcard on the end-point device (and yes, this example is based upon a domain attached end-point in case you wonder).
The configuration was tested with the Citrix Online Plug-in 12.3 (Legacy Client) installed on the end-point, and the access was made towards a few various XenApp versions, 4.5, 5.0, 6.5.
The authentication occurred on the Netscaler, but also directly towards a smartcard configured Web Interface.
I should probably mention that it doesn’t mean that you need the Citrix Online Plug-in 12.3, it just happens to be the client I generally use for most of my Swedish smartcard customers.

There are various ways to achieve smartcard PIN pass-through; one is to use a third party CSP software that can leverage certain API’s (which was originally based on the Online Plug-in 12.1.063 for Windows with Fast Connect Support); the second method is by using the below procedure. Please be aware that the following blog post will just explain the end-point side of things to achieve smartcard pass-through, with our without Netscaler/AGEE involved.

Setup: To configure the end-client computer running on Vista/Windows 7, complete the following procedure:

1. For pass-through smart Card authentication, add the XenApp/XenDesktop Web Site or Services site as a “Local intranet” site in the local web browser as shown in Figure 1 below;

Figure 1
Figure 1
    o This doesn’t necessarily mean that it will be sufficient to achieve pass-through. It is important that the “automatic logon only in Intranet zone” is checked (refer to the Figure 2 below).
    And by adding the WI Site URL, the local web browser will use Integrated Windows Authentication (IWA) – or as I prefer to call it Windows Integrated authentication.
    By default it will try to use the credentials you are currently logged in with to present your “icons” for the application set that you are authorised to run (Kerberos/NTLM).
Figure 2
Figure 2
    o Another way to trick IE (for test purposes) is to type in the local host name for the Web Interface site in the URL field, instead of a FQDN. A FQDN is treated (last time I checked) as an “external/internet” name, whilst a localhost name is treated as an internal name.

2. You also need to ensure that the following components are installed on the end-point:

    o Citrix Online Plug-in 12.3. It also work with Receiver for Windows 3.4 (Legacy PNA), also called Receiver Enterprise.
    o The icaclient.adm template configured in Active Director or the Local Client with the following options, as shown in the following screenshot.
    It is found on the end-point under C:\Program Files\Citrix\ICA Client\Configuration and is part of the ICA Client installation.
Figure 3
Figure 3
    o Ensure to configure:
    • Allow Smart card authentication
    • Use pass-through authentication for PIN

3. As discussed earlier, Smart card PIN pass-through does not work by default in Windows Vista or Windows 7. The reason for this is that by default, NPLogonNotify is not called from a smart card logon in Windows Vista or Windows 7. For the Citrix client to pass a PIN with the smart card, the SSONSVR process must be running. SSONSVR is called from NPLogonNotify. Please note that Receiver for Windows 3.4 (Legacy PNA) creates this registry key during installation (by default).
So in addition to everything configured above, you now would also need to configure a registry key on the end-point or use a third party CSP (with the similar functionality) to achieve pass-through:

    1. In the Registry Editor, under
    HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify
    create a DWORD value named SmartCardLogonNotify.
Figure 4
Figure 4
    2. Change the DWORD value to 1.
    3. Restart the computer and log on with a smart card.
    4. Ensure that the SSONSVR process is running (Task Manager – Processes)

Figure 5
Figure 5


Now you should have a working PIN pass-through environment. Well, at least from the end-point side of things.
References:
CTX131223 Enabling Smart Card PIN Pass-Through on Windows Vista or Windows 7 Citrix Session

Credits:
I would also like to grab the opportunity and thank James Gordon for his assistance in validating a few things. And the Citrix people involved in creating the CTX131223 article.