As a Sales Engineer on the Public Sector team, SmartCards (CAC & PIV) are a big part of my world.

I am asked quite often about the different types of SmartCard authentication options. So, I decided to write this blog so I can forward a link to it the next time I am asked.

There Are Several Ways to Configure SmartCard Authentication with Citrix Netscaler, StoreFront, and XenApp/XenDesktop.

SmartCard Authentication (2 PIN Prompts)

Both Netscaler and StoreFront are configured for SmartCard authentication. In addition, Optimal Gateway Routing is configured on StoreFront (using this blog), so that the ICA launch is routed back through the Netscaler Gateway the user authenticated to.

The user experience is that they log into the initial Netscaler logon page, select their certificate, and enter their PIN. After the PIN is accepted, StoreFront enumerates the application list available to the user. The user selects the application and is then presented with the Windows GINA logon. At this point the user must enter their PIN one more time to gain access to the application or desktop, because the smart card is redirected into the ICA session and the XenApp/XenDesktop machine performs its own smart card logon; neither Netscaler nor StoreFront passes credentials through to it.

*Without the Optimal Gateway Routing configuration, the user gets one additional PIN prompt when the application is launched from the list, before the Windows GINA appears, for a total of three PIN prompts.

SmartCard Authentication – Kerberos Constrained Delegation (KCD)

Both Netscaler and StoreFront are configured for SmartCard authentication. In addition, StoreFront is configured for KCD. Another requirement is to configure delegation in Active Directory on the computer objects for StoreFront and all XenApp servers (using this article). KCD was previously available with Web Interface and XenApp 6.5, and was recently added to StoreFront 2.6. However, StoreFront 2.6 only supports KCD with XenApp 6.5; XenApp 7.x is not supported for KCD with StoreFront 2.6. Because the user authenticates to StoreFront with a certificate rather than a Kerberos ticket, the StoreFront computer account must be allowed to use protocol transition ("Use any authentication protocol"), which means a compromised StoreFront server can obtain service tickets for any non-protected user to the delegated services. Keep the delegation list limited to exactly the services the Citrix article requires and never use unconstrained delegation.
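The AD side of the KCD setup described above, as an added example (this is not code from the original post or from the Citrix article it references). It sets constrained delegation with protocol transition on the StoreFront computer objects and then verifies the result. The server names (SF01, SF02, XA01, XA02), the domain corp.example.com, and the service classes HTTP and HOST are hypothetical placeholders; take the actual service list from the Citrix article, and apply the same function to the XenApp computer objects with the targets that article specifies.

```powershell
# Added example: configure and verify Kerberos constrained delegation for StoreFront -> XenApp.
# All names below are assumptions for illustration; the real delegation targets come from the
# Citrix KCD article referenced in the post.
Import-Module ActiveDirectory

$domain      = 'corp.example.com'    # assumption
$storeFronts = @('SF01', 'SF02')     # assumption: StoreFront 2.6 servers
$xenApps     = @('XA01', 'XA02')     # assumption: XenApp 6.5 servers
$services    = @('HTTP', 'HOST')     # placeholder service classes; use the list from the Citrix article

function Set-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)][string]   $ComputerName,
        [Parameter(Mandatory)][string[]] $Targets      # SPNs this computer may delegate to
    )
    $obj = Get-ADComputer -Identity $ComputerName
    # Constrained delegation: only the listed SPNs can be targeted (msDS-AllowedToDelegateTo).
    Set-ADComputer -Identity $obj -Replace @{ 'msDS-AllowedToDelegateTo' = $Targets }
    # Protocol transition ("Use any authentication protocol") is required because the user
    # authenticated with a certificate, not Kerberos; StoreFront obtains a ticket on the
    # user's behalf via S4U2Self/S4U2Proxy. Unconstrained delegation is explicitly cleared.
    Set-ADAccountControl -Identity $obj -TrustedForDelegation $false -TrustedToAuthForDelegation $true
}

function Get-DelegationReport {
    param([Parameter(Mandatory)][string[]] $ComputerName)
    foreach ($name in $ComputerName) {
        $c = Get-ADComputer -Identity $name -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
        [pscustomobject]@{
            Computer            = $c.Name
            Unconstrained       = $c.TrustedForDelegation        # must be False
            ProtocolTransition  = $c.TrustedToAuthForDelegation  # must be True for StoreFront
            AllowedToDelegateTo = ($c.'msDS-AllowedToDelegateTo' -join ', ')
        }
    }
}

# Build one SPN per service class per XenApp host, in both short and FQDN form,
# so the ticket request matches whichever name StoreFront resolves.
$targets = foreach ($xa in $xenApps) {
    foreach ($svc in $services) {
        "$svc/$xa"
        "$svc/$xa.$domain"
    }
}

foreach ($sf in $storeFronts) {
    Set-ConstrainedDelegation -ComputerName $sf -Targets $targets
}

# Verify what was written.
Get-DelegationReport -ComputerName $storeFronts | Format-Table -AutoSize

# Audit check: any computer with unconstrained delegation outside the Domain Controllers OU
# is a finding, regardless of the StoreFront configuration.
Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation |
    Where-Object { $_.DistinguishedName -notlike '*OU=Domain Controllers,*' } |
    Select-Object Name, DistinguishedName
```

Run this as an account with write access to the computer objects, then re-run only the report and audit sections after the change. Because protocol transition lets the StoreFront computer account request tickets for any user who is not marked "Account is sensitive and cannot be delegated" (or in the Protected Users group), treat the StoreFront servers as Tier 0-adjacent: restrict local administrators, and mark privileged accounts as sensitive so they cannot be impersonated through this path.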

The user experience is that they log into the initial Netscaler logon page, select their certificate, and enter their PIN. After the PIN is accepted, StoreFront enumerates the application list available to the user. The user selects the application and is not prompted for any additional PIN: StoreFront uses KCD to obtain a Kerberos ticket on the user's behalf, and the published application and/or desktop is displayed.

SmartCard Authentication – Two Factor Using Active Directory

Netscaler is configured for two-factor authentication using both SmartCard and Active Directory credentials. StoreFront is configured for Active Directory credentials (username and password) only.

The user experience is that they log into the initial Netscaler logon page, select their certificate, and enter their PIN. In addition, they enter their Active Directory username and password. After both the PIN and the Active Directory password are accepted, StoreFront enumerates the application list available to the user. The user selects the application and is not prompted for any additional PIN or Active Directory password. The published application and/or desktop is displayed.

*StoreFront never receives the SmartCard credentials. The SmartCard is only used for the Netscaler logon; Netscaler passes the Active Directory username and password through to StoreFront, which uses them for single sign-on to the session. Two consequences follow. First, the password is forwarded from Netscaler to StoreFront, so that connection must be over TLS. Second, the SmartCard requirement is enforced only on the Netscaler path: if StoreFront is reachable by users without going through Netscaler, it will accept a username and password alone, so restrict direct access to StoreFront to the Netscaler Gateway (and any internal network where single-factor logon is acceptable).