Which Receiver Should I Use For Windows Smartcard Authentication?
Well, the answer that we all hate but which is probably the most correct one is that it depends, however if you are not satisfied with that answer please continue reading as I would like to explain a few things that can make a difference to your current choice. I should probably also state that information changes over time, and what I have written here was accurate up to a few weeks ago.
What most of you already know is that we have various receivers for the Windows platform. We have primarily something called Citrix Receiver (CitrixReceiver.exe) and we have something called Citrix Receiver Enterprise (CitrixReceiverEnterprise.exe), and then we have something called the Citrix Online plug-in (CitrixOnlinePluginFull.exe) –which is basically not a “receiver” in that sense. These three are the most important once you need to keep track on at this point of time -at least when it comes to smartcard integration.
If you have been very busy with daily operations and missed one or two things that has happened the last few months, this is a short summary.
- • Citrix Receiver is accurately named “Receiver for Windows 3.3”
- • Citrix Receiver Enterprise is accurately named “Receiver for Windows 3.3 (Legacy PNA)”
- • Citrix Online plug-in is called Citrix Online plug-in. The Online Plug-in is primarily terminology for older versions of what is now called Receiver. The Online Plug-in also came in two versions: Web and Full.
- o Online Plug-In “Full version”; is what is now CitrixReceiverEnterprise.exe (which is very important for Smartcard Pass-through scenarios);
- o Online Plug-In “Web version”; is what is now CitrixReceiver.exe (with the important addition of the Self-Service plug-in and supporting components such as the Receiver UI).
Unfortunately, Receiver for Windows (CitrixReceiver.exe) is the Receivers most customers would install for example from http://receiver.citrix.com/, however this Citrix Receiver doesn’t work fully for most smartcard scenarios and hence not recommended as far as I am concerned for full blown smartcard deployments.
What you preferably should be looking to use for smart card scenarios is the Citrix Receiver Enterprise, and for that you need to download the Receiver for Windows 3.3 (Legacy PNA), and nothing else. This Receiver provides full smartcard support similar to the Citrix Online Plug-In with PNAgent smartcard support.
You already installed a Receiver but you don’t know which?
So, how do we tell the two Receivers apart, because they do look the same don’t they?
Yes, you are right – it is hard to tell them apart for the “untrained eye”– this is different to the Citrix Online Plug-in 12.3, which is easily understood.
If you look at the ‘About’ tab, they both look something like this (Enterprise or not – it doesn’t matter).
Underneath the covers you may find a few plug-ins which could tell you which Receiver you are using, however if you are still unsure, have a look in the “Uninstall and change a program” component of Control Panel. I would say that this is the best place to look at if you are unsure.
So, which Citrix Receiver should I use then?
Well, there are a few more things you need to know.
The Citrix Receiver Enterprise (Legacy PNA) is an evolved version of the Online Plug-in Full version (CitrixOnlinePluginFull.exe). It provides functionality for managed computers and is the only Receiver to support Smart Cards, access to applications solely via the Start menu and Prelaunch.
- • Citrix Receiver for Windows does not support Prelaunch
- • Only Citrix Receiver Enterprise (Legacy PNA) supports Prelaunch
- • Only Citrix Receiver Enterprise (Legacy PNA) supports Smart Cards fully, of the two receivers.
The Online Plug-in for Windows 12.3 full client supports features that Receiver does not, namely:
- • Applications launched from Notification Area.
- • Local launch of Applications in a published desktop or server where Receiver.exe launches a new ICA session
- • Fast Connect Scripting API’s for tap and go healthcare applications. However, please note that Citrix Receiver Enterprise (Legacy PNA) 3.4 will support this as well, and I actually already got feedback from my user community that the Tech Preview works fine.
Common support between Citrix Receiver Enterprise and Online Plug-in 12.3 is the following:
- • Smartcard support
- • SSON on by default
- • Desktop icon creation
- • Administrator or user can specify a Base folder for apps in start menu or desktop
If you want to integrate smartcards into your Citrix deployment, I recommended using the Citrix Receiver Enterprise 3.3/3.4 or worst case the legacy Online Plug-in 12.3. If you also need pre-launch, the only option (right now) is to use the Citrix Receiver Enterprise.
In most cases, Citrix Receiver for Windows works perfectly well when authenticating towards NetScaler and a Web Interface Web Site, where the PIN Prompt will be shown. However it will require browser involvement, which a lot of customers don’t want to have, especially for LAN access.
Below is also a short summary collected from the field.
• If you want to enable cryptographic smart card authentication using CAC, PIV, Belgium ID, European Health Insurance Card (EHIC); SIPRNET, Finland national electronic identity cards (FINEID),Gemalto.net cards, or the like, you need to use the CitrixReceiverEnterprise.exe client on Intel based Windows end point as well as XenDesktops servers arranged for double hop.
• If you want to enable pass through authentication from Windows 7 end point and thin terminal you should use at the end of the year the CitrixReceiverEnterprise.exe 3.4 (Tech Preview out right now) – if you can wait.
• If you are deploying Tap and Go proximity cards you need to use the Online Plug-in 12.3 today, however at the end of the year you should use the Receiver for Windows 3.4 (Legacy PNA).
Citrix Online Plug-in Full version will reach end-of-life at some point (I would assume) and it will definitely not have many of the improvements that the newer Receiver Enterprise has, so use it only if you really need is my advice.
In short, the Citrix Receiver for Windows is not a good choice (today) if cryptographic smart card authentication is a requirement. What you should use is Receiver for Windows 3.4 (Legacy PNA) especially for Windows 7 pass-through authentication and Fast Connect. This statement has of course a best before date.
There are also a whole lot more to consider but my purpose is not to write a book here merely to provide some brief guidelines of what I personally use and know works well – when it comes to smart card integration with Windows 7 Desktops.
Q) So what about CitrixReceiverWeb.exe (receiver.citrix.com)
A) CitrixReceiverWeb.exe stops the FTU (First Time Use popup) from happening, other than that there are no differences between the CitrixReceiverWeb.exe and the CitrixReceiver.exe. As you may have noticed on the package itself.
Q) What is the FTU (First Time Use)
A) It is the pop-up that allows user to configure the Receiver for e-mail based discovery or adding a FQDN for a store.
Q) When will Citrix Storefront support smart card authentication
Q) Should I stop using the Citrix Receiver for Windows?
A) For most smart card scenarios I don’t recommend using the Citrix Receiver for Windows at this point of time, and it will not work that well either (in case you wonder), but for other scenarios – please go ahead and use it.
I would like to thank Christopher Curatolo, Citrix Escalation for brining this to my attention, James Gordon (Citrix Consulting) for always helping out and Andrew Innes for clarifying certain parts.