At the U.S. Department of Defense, Smart Cards are mandatory for many networks. The security they provide as a layer of “Defense In Depth” cannot be overstated. In concept, they are meant to replace usernames and passwords. In reality, they are a complex mechanism that can sometimes cause everyone a headache or two.
I have recently run a scenario that seems obscure, but is probably a lot more common than is reported. This is especially true in the U.S. Federal space, where PIV cards are becoming more prevalent in light of the OPM breach, and in the DoD space, where the CAC is going from mandatory on unclassified systems to mandatory for every application.
The problem presents itself when the following are true:
- The user is running a XenApp-published Internet Explorer 8 or higher, or is on a virtual desktop with IE 8 or higher
- Internet Explorer is set to use Enhanced Protected Mode (EPM)
- The user browses to a website that requests the Smart Card certificate, but after the certificate is presented Internet Explorer reports “Internet Explorer cannot display the webpage”. Often the user is never even prompted for their PIN
- The same page loads and authentication succeeds as soon as EPM is turned off
The good news is that the solution is relatively easy to implement, as long as you have administrative rights on the XenApp servers or XenDesktop virtual desktops: it is a per-machine registry setting, not a change to the IE security zones.
If you’re on XenDesktop/XenApp 7.x, you just need the following registry value. The key path depends on whether the machine runs 64-bit or 32-bit Windows, because the Citrix smart card component is 32-bit and reads its settings from under WOW6432Node on a 64-bit OS. As the value name suggests, it tells the component to accept requests from a low-integrity process, which is what Internet Explorer becomes in Protected Mode.
On 32-bit Windows:
  Key:  HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\SmartCard
  Name: SupLowIntegrityProc
  Type: REG_DWORD
  Data: 1

On 64-bit Windows:
  Key:  HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\SmartCard
  Name: SupLowIntegrityProc
  Type: REG_DWORD
  Data: 1
If you’re on XenApp 6.5, you need to be on Hotfix Rollup Pack 2 or higher; you should really consider moving to HFRP 6, as it contains a lot of good features and stability enhancements. If you’re on XenDesktop 5.6, you are out of support and need to upgrade right away. At a minimum, make sure you’re on VDA 5.6.200 or higher, and preferably 5.6.500 (there are separate x86 and x64 packages). In both cases, once you are on the correct version, you still need to apply the registry setting above.
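The registry change above, as an added example written for this page (it is not Citrix’s code and was not part of the original post): a PowerShell function that picks the 32-bit or 64-bit key path, writes SupLowIntegrityProc, reads it back to confirm, and can fan out to several servers or VDAs at once. The function name and its -ComputerName parameter are my own; the remote path assumes PowerShell remoting is enabled on the targets. Run it from an elevated 64-bit PowerShell on 64-bit hosts so the WOW6432Node path is not silently redirected by the registry redirector.

```powershell
# Added example, not code from the original post or from Citrix.
# Sets the SupLowIntegrityProc value on a XenApp server or XenDesktop VDA
# so the Citrix smart card component will serve the low-integrity
# (Protected Mode) Internet Explorer process.

function Set-CitrixSmartCardLowIntegrity {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Machines to configure; defaults to the local machine.
        [string[]]$ComputerName = $env:COMPUTERNAME
    )

    $work = {
        # 64-bit Windows keeps the 32-bit Citrix settings under WOW6432Node.
        $os = Get-WmiObject -Class Win32_OperatingSystem
        if ($os.OSArchitecture -like '64*') {
            $path = 'HKLM:\SOFTWARE\WOW6432Node\Citrix\SmartCard'
        } else {
            $path = 'HKLM:\SOFTWARE\Citrix\SmartCard'
        }

        # Create the key if a VDA/hotfix has not created it already.
        if (-not (Test-Path -Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }

        # Name: SupLowIntegrityProc  Type: REG_DWORD  Data: 1
        New-ItemProperty -Path $path -Name 'SupLowIntegrityProc' `
            -PropertyType DWord -Value 1 -Force | Out-Null

        # Read it back so the result is verified rather than assumed.
        $value = (Get-ItemProperty -Path $path -Name 'SupLowIntegrityProc').SupLowIntegrityProc
        New-Object PSObject -Property @{
            ComputerName        = $env:COMPUTERNAME
            Path                = $path
            SupLowIntegrityProc = $value
            Ok                  = ($value -eq 1)
        }
    }

    foreach ($target in $ComputerName) {
        if ($PSCmdlet.ShouldProcess($target, 'Set SupLowIntegrityProc = 1')) {
            if ($target -eq $env:COMPUTERNAME) {
                & $work
            } else {
                # Requires PowerShell remoting (WinRM) on the target.
                Invoke-Command -ComputerName $target -ScriptBlock $work
            }
        }
    }
}

# Usage: apply to two XenApp servers and show the verification result.
# Set-CitrixSmartCardLowIntegrity -ComputerName XA01, XA02 | Format-Table ComputerName, Path, SupLowIntegrityProc, Ok
```

Use -WhatIf first to see which machines and which key path would be touched. Any row that comes back with Ok set to False means the write did not land where the 32-bit Citrix component will look for it, which is the most common reason the fix appears not to work.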
These fixes let you keep IE running in Protected Mode without weakening your security posture for a site in the name of compatibility. They also save your users from moving sites into the Trusted Sites or Local Intranet zones and turning off EPM for those zones.
This is just one tip on Smart Card configurations that we see in the Federal government. For more comprehensive guidance, see what Joe Nord put together in his blog about PIV and configuration guidance. If you have other stories about things you tweaked with Smart Cards, please leave a reply. We hope to gather all of these tips into a common guide someday.