Even if you only have a moderately sized VDI deployment, chances are high you will face the problem of getting USB smart card readers to work on the virtual desktops. Given that this is such a basic requirement, it is astonishingly hard to implement correctly. To save you the pain of having to start from scratch, here is my description of how to do it.
Posted on April 10, 2013
Basics
Smart card readers are USB devices, so the only thing you have to do is plug them into the thin or fat client sitting on your desk and Citrix XenDesktop auto-magically makes them appear in your virtual desktop, right? Wrong. We are going to get to that magic, but we have got a bit of configuring to do first. To auto-map smart card readers like the Reiner SCT or Omnikey devices into virtual desktops we need:

- a Citrix user policy that allows USB device redirection
- a redirection rule for smart card readers in that Citrix policy
- a matching redirection rule on the end user device (the ICA client's own rules deny smart card readers by default)
- the USB redirection module of the ICA client installed (Linux thin clients)
- optionally, the Citrix smart card hooks removed from the virtual desktop
- the Windows Smart Card service running on the virtual desktop

The following chapters elaborate on these points.
Allow USB Device Redirection
Configure a Citrix user policy to allow USB device redirection by setting ICA > USB Devices > Client USB device redirection to Allowed. This setting on its own permits any USB device the rules let through, so keep the rule list (next section) as narrow as your use case needs.
Smart Card Redirection Rule in Citrix Policies
Add a redirection rule that allows smart card readers to the Citrix policy setting ICA > USB Devices > Client USB device redirection rules. Make sure there is no deny rule overriding it.
Smart Card Redirection Rule on the End User Device
Funnily, some people seem to think that smart card readers are typically used on the end user’s device, not the virtual desktop. While this just might be true for fat clients it is downright ridiculous for thin clients. When I connect a smart card reader to a thin client I most definitely want to use it in the remote session, not on the device itself.
However, the thinking that the endpoint comes first has led to the ICA client having redirection rules of its own. In contrast to the rules in the Citrix policy, the endpoint's rules are even preconfigured, and in such a way that redirection of smart card readers is disabled. Obviously, we need to get rid of this.
Thin Clients with Linux ICA Client (Citrix Receiver)
USB redirection rules are stored in the file usb.conf, which is located in the directory /setup/ica on Fujitsu eLux thin clients. The default content of usb.conf includes a DENY rule for smart card readers. Either delete that line or comment it out by putting a hash (#) in front of DENY.
Windows ICA Client (Citrix Receiver)
On a Windows machine USB redirection rules are stored in the registry value HKLM\Software\Citrix\ICA Client\GenericUSB\DeviceRules (on 64-bit Windows look under HKLM\Software\Wow6432Node\Citrix\ICA Client\GenericUSB\DeviceRules, since Receiver is a 32-bit application). The format of that multi-string (REG_MULTI_SZ) value is identical to the file usb.conf on Linux. As described above, locate the entry that denies smart card redirection and either delete it or comment it out.
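As an added example (not part of the original post), the shell snippet below performs the endpoint-side edit described in this and the previous section on a copy of usb.conf: it comments out every active DENY rule for USB class 0b, the USB interface class of CCID smart card readers, and then checks that no such rule remains. The rule syntax (ALLOW: or DENY: followed by key=value pairs and an optional # comment) and the class code are assumptions taken from Citrix's USB redirection rule format, not from this page, and the sample rule file is constructed for the demo rather than copied from an eLux image or a Windows registry export. The resulting text is also what you would put into the DeviceRules registry value on Windows, and an allow rule in the Citrix policy for the same class would read ALLOW: class=0b # Smart card readers (again my wording, not the post's).

```shell
#!/bin/sh
# Added example, not from the original post.
# Comments out the endpoint's "DENY: class=0b" rule that blocks smart card
# reader redirection and verifies that no active DENY for class 0b is left.
#
# Assumptions (not stated on the page):
#  - Citrix rule lines look like "ALLOW:|DENY: key=value ... # comment"
#  - USB interface class 0x0B is the CCID smart card reader class
# On eLux the real file is /setup/ica/usb.conf (from the post); this demo
# works on a constructed temporary copy so it can run anywhere.

# Print the rule file with every active "DENY: class=0b" rule commented out.
# Usage: allow_smartcard_rules <rules-file>   (result on stdout)
allow_smartcard_rules() {
    # Keep leading whitespace (\1), prefix the DENY rule (\2) with "# ".
    # "0[bB]" must be followed by whitespace or end of line so that a
    # different key such as class=0bX is not touched.
    sed -E 's/^([[:space:]]*)(DENY:[[:space:]]*class=0[bB]([[:space:]].*)?)$/\1# \2/' "$1"
}

# Exit status 0 when an uncommented DENY rule for class 0b is still present.
# Usage: if smartcard_denied <rules-file>; then echo "still denied"; fi
smartcard_denied() {
    grep -Eiq '^[[:space:]]*DENY:[[:space:]]*class=0b([[:space:]]|$)' "$1"
}

# --- demo on a constructed rule file (modelled on Receiver's default rules) ---
RULES=$(mktemp)
cat > "$RULES" <<'EOF'
# constructed sample, not a real Receiver usb.conf
DENY: class=02 # Communications and CDC-Control
DENY: class=0b # Smartcard
DENY: class=e0 # Wireless controller
ALLOW: # otherwise allow everything
EOF

if smartcard_denied "$RULES"; then
    echo "before: smart card readers are denied on the endpoint"
fi

allow_smartcard_rules "$RULES" > "$RULES.new"

if smartcard_denied "$RULES.new"; then
    echo "after: smart card readers are still denied"
else
    echo "after: no DENY rule for class 0b left, readers can be redirected"
fi

echo "--- rewritten rules ---"
cat "$RULES.new"
rm -f "$RULES" "$RULES.new"
```

Run the script as-is to see the before/after on the constructed file; to apply it to a thin client, point allow_smartcard_rules at /setup/ica/usb.conf, write the output to a new file, and swap it in once smartcard_denied reports nothing left. Note that commenting out the endpoint rule does not help if a deny rule in the Citrix policy still matches the reader.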
Enable USB Redirection Module (Linux Thin Clients)
Some Linux thin clients have a modular ICA client. Thus it is possible that the component for accessing XenApp and XenDesktop is installed, but the HDX Plug-n-Play module is missing. In case of eLux make sure to install HDX Plug-n-Play USB 2.0.
Optionally Remove Smart Card Hooks
If you have followed the steps above you have done everything that is required to get smart card readers working in your virtual desktops, theoretically. In practice it can happen that the readers do not work reliably. In that case Citrix's smart card hooks may interfere with the redirection. This can be resolved by deleting the hooks, i.e. removing their registry keys on the virtual desktop. Export the keys before deleting them so you can restore them if anything else breaks.
Windows Smart Card Service
Make sure the Windows Smart Card service (SCardSvr) is started on the virtual desktops, ideally with its startup type set to Automatic, or all of the above will have no effect.
Tested Platforms and Devices
I have tested this configuration with Citrix XenDesktop 5.6. The virtual desktops were running Windows 7 x64 with the XenDesktop VDA 5.6.200. Smart card readers tested were Reiner SCT cyberJack e-com and Omnikey CardMan 3121.
More Information
CTX132716: Case Study: Preventing or Allowing Mapping of Specific USB Devices to Virtual Desktops
CTX129558: How to Redirect USB Devices in XenDesktop
Smart Card Readers in VMware Workstation
The following notes apply to VMware Workstation rather than XenDesktop. Virtual machines can connect to smart card readers that interface to serial ports, parallel ports, USB ports, PCMCIA slots, and PCI slots. A virtual machine considers a smart card reader to be a type of USB device.
A smart card is a plastic card that has an embedded computer chip. Many government agencies and large enterprises use smart cards to send secure communication, digitally sign documents, and authenticate users who access their computer networks. Users plug a smart card reader into their computer and insert their smart card in the reader. They are then prompted for their PIN to log in.
You can select a smart card reader from the Removable Devices menu in a virtual machine. A smart card can be shared between virtual machines, or between the host system and one or more virtual machines. Sharing is enabled by default.
When you plug a smart card reader into the host system, the reader appears as two separate USB devices in Workstation. This is because you can use smart cards in one of two mutually exclusive modes: the default shared mode, or USB passthrough, which hands the reader to a single virtual machine exclusively.
You can use smart cards with Windows operating systems and most Linux distributions. VMware provides full smart card support for Windows virtual machines running on Linux hosts. Using smart cards in Linux typically requires third-party software to effectively authenticate to a domain or enable secure communications.
Although smart cards should work with common Linux browsers, email applications, and directory services, these products have not been tested or certified by VMware.