I highlighted, in an earlier blog post, the changes that went into Citrix Ready Marketplace to help you choose the right Thin Client for your business.
This post is a deep dive into the test to see which smart card is best for your HDX Premium-level Thin Client. We’ll cover:
- Availability of a detailed Smart card deployment guide for easier testing
- Various choices of Smart Cards available
- Typical smart card testing criteria
A Detailed Smart Card Deployment Guide
The test kit bundle now includes a detailed smart card deployment guide on the NIST PIV smart card standard. It gives step-by-step guidance on:
- Obtaining a Smart card and required hardware
- Setting up a Windows Domain
- Configuring the smart card, such as setting up Certificate Authorities and issuing smart cards to users
- Enabling the Smart card on Windows
- Configuring Microsoft Internet Information Services (IIS) for HTTPS, and hence Citrix StoreFront
- Configuring the XenDesktop Desktop Delivery Controller (DDC)
- Configuring Windows, Mac and Linux HDX Receivers
All of this is in one place. At Citrix, we believe this will better guide our partners who certify their new Thin Client models, as well as the wider community, to successfully authenticate to StoreFront with a smart card and use HDX within a session. You can download the complete Thin Client Test kit from here under the Citrix XenDesktop section.
Smart Card Test Device Selection
Smart card driver software for PIV cards is supplied by the operating system vendors. For the purposes of the documentation, the YubiKey NEO smart card is used; its software is open source and available for free download from the vendor's website. The YubiKey NEO is an all-in-one USB CCID PIV device that can easily be purchased from Amazon or other retail vendors and doesn’t compete with Enterprise smart card vendor partners.
Note that some organizations may require more advanced smart card driver software, which can be installed according to the smart card driver vendor’s documentation. Our smart card and middleware partners include Gemalto, Charismathics, Feitian, and others.
It is acceptable to pick any smart card vendor you wish. However, the details of the process vary according to that vendor’s documentation.
Smart Card Testing Criteria
From the Citrix Ready perspective, an HDX Premium Ready thin client is expected to support PIV out of the box. This means the endpoint is able to:
- Authenticate with a standard PIV device to StoreFront (website smart card authentication), with a PIN prompt
- Authenticate to a XenApp or XenDesktop VDA with a smart card (HDX smart card remoting), possibly with a PIN prompt
However, for more formal NIST PIV smart card test procedures, it’s recommended that partners and the community purchase the suite available on NIST’s website:
Going forward, we will be validating our new HDX Premium Ready clients using the Citrix Ready criteria and will also accept test results from the formal test suites above. We hope this guidance improves the overall testing experience while validating thin clients with smart cards. Stay with us for more updates to come.