Earlier this year I had the following conversation:
Customer: Henry, how can we get rid of the pin prompts when logging into the virtual desktop?
Me: We would need to configure Receiver for pass-through and…
Customer (interrupting): Yes, that is what I want. That is it!!!
Me: Well, there are some caveats…
You see, I knew that we could configure Pass-through but the question was how to meet this request with a common access card involved (CAC – Government lingo for SmartCard in the Dept. of Defense) and a locked down Windows 7 image. That is where the journey began. Please keep in mind that the above mentioned conversation happened while I was on-site with the customer doing a NetScaler Gateway proof of concept and considering that I had enough time while on site, I accepted the challenge.
So at the time, there was no clear cut support article that explained how to do this with StoreFront 2.5 and the latest version of Receiver. There were a couple of blogs and older Citrix support articles out there that helped, but I had to piece a couple of concepts together to get it to work. Since then, someone in tech support created a CTX support article on how to do it. (Whew!!! This post would have been three times as long and boring!). You can find the article here.
Now for the Public Sector Edition aspect: in order for CAC/SmartCard to work, you have to check ‘SmartCard’ throughout the steps, which should be apparent as you go through them.
However, in step 6, you also have to enable “Local User Name and Password.” I’m not sure if this is by design, but otherwise the SSONSRV.exe process does not start. The SSONSRV process is required in order for Pass-through to work. Without it, you are not going anywhere. This is the first thing to check on the Windows endpoint. On the virtual desktop side, the virtual desktop has to have the middleware software. I think folks who support SmartCards these days know this already, but I wanted to make it clear.
Also, there cannot be anything delaying or stopping the process, like a welcome banner where the user has to click ‘OK’ to accept or a Group Policy enforcing CTRL+ALT+DEL. The primary reason is that there are built-in timeouts for security reasons. These are the caveats, and in no way am I suggesting going against IT policies here. In some cases, especially in the Federal Government, changes to the gold master might require an exception or someone assuming the risk. I know in this particular customer’s environment, the banner page was placed on the StoreFront page instead (Here is how to do so.) and the customer filled out the paper work for the exceptions on modifying the gold master image for their organization.
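As an added example (not part of the original post), here is a PowerShell pre-flight check for the Windows endpoint that reports on the three things discussed above: the single sign-on process, a logon banner, and CTRL+ALT+DEL enforcement. The registry values are the standard Winlogon policy values and the process spelling ssonsvr are assumptions on my part; the post itself only names the process as SSONSRV.exe.

```powershell
# Added example: readiness check for Receiver pass-through with a smart card.
# Run on the domain-joined Windows 7 endpoint (elevated is not required to read
# these values). Both process spellings are checked: SSONSRV as written in the
# post and ssonsvr, the common spelling of the Citrix single sign-on binary.
function Test-PassThroughEndpoint {
    $findings = @()

    # 1. Single sign-on process: pass-through cannot work without it, so this
    #    is the first thing to verify on the endpoint.
    $sson = Get-Process -Name 'ssonsvr', 'ssonsrv' -ErrorAction SilentlyContinue
    if ($sson) {
        $findings += "OK   SSON process running (PID $($sson.Id -join ','))"
    } else {
        $findings += "FAIL SSON process not running: confirm 'Local User Name and Password' is enabled in StoreFront (step 6) and Receiver was installed with single sign-on"
    }

    # 2. Interactive logon banner (the click-OK welcome banner). Assumed
    #    indicator: the Winlogon legal-notice policy values.
    $sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol = Get-ItemProperty -Path $sysPol -ErrorAction SilentlyContinue
    if ($pol -and ($pol.legalnoticecaption -or $pol.legalnoticetext)) {
        $findings += "WARN Logon banner set on the endpoint; it delays logon past the built-in timeouts (the post moved it to the StoreFront page instead)"
    } else {
        $findings += "OK   No interactive logon banner on the endpoint"
    }

    # 3. CTRL+ALT+DEL requirement. Assumed indicator: DisableCAD = 1 means the
    #    secure attention sequence is not required; 0 or unset means it is
    #    (the default on domain-joined machines).
    if ($pol -and $pol.DisableCAD -eq 1) {
        $findings += "OK   CTRL+ALT+DEL not required at logon"
    } else {
        $findings += "WARN CTRL+ALT+DEL enforced or policy unset; pass-through may time out"
    }

    # 4. Smart card service on the endpoint, needed for the one remaining PIN
    #    prompt at Windows logon. Middleware vendor checks are site-specific
    #    and left out.
    $sc = Get-Service -Name 'SCardSvr' -ErrorAction SilentlyContinue
    if ($sc -and $sc.Status -eq 'Running') {
        $findings += "OK   Smart Card service running"
    } else {
        $findings += "WARN Smart Card service not running"
    }

    return $findings
}

Test-PassThroughEndpoint
```

A FAIL or WARN line points at one of the caveats above; it does not change anything on the endpoint.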
So…in the end, the customer was able to get what they wanted: a domain-joined Windows 7 endpoint logging on to virtual applications and virtual desktops provided by XenDesktop 7.5 (BTW, 7.6 is now available!) without pin prompts. Well, one pin prompt. The one required to log on to the endpoint. At the end of the day, the customer was happy with the NetScaler Gateway POC and one pin prompt.