Smart Card – Support Updates

Smart Card Plug-n-Play

Smart Card Reader Plug-and-Play is supported by CWA for Windows and the VDA on Win10, 2K16 and 2K19. However, Smart Card Reader Plug-and-Play is not supported by CWA for Linux, macOS, HTML5, iOS and Android.

Citrix Workspace app for non-Windows platforms support Smart Card insertion and removal before or after an ICA session is established. However, insertion or removal of Smart Card Reader is not supported after an ICA session is established.

Consider the following scenarios for non-Windows platforms:

Scenario 1: Users log on to their local machine -> Plug in the Smart Card Reader -> Insert the Smart Card -> Start ICA session

In this scenario:
  • The user will be able to use the Smart Card inside the session
  • If Smart Card is re-inserted, it will be available for use inside the session

Scenario 2: Users log on to their local machine -> Start ICA session -> Plug in the Smart Card Reader -> Insert the Smart Card

In this scenario:
  • The Smart Card will not be available for use inside the ICA session
  • removing or re-inserting of Smart Card will not have any effect on the ICA session

Scenario 3: Users log on to their local machine -> Start ICA session -> Plug in the Smart Card Reader -> Insert the Smart Card -> Disconnect the ICA session -> Re-launch the ICA Session

The user will be able to use the Smart Card inside the session.
  • If the user removes the Smart Card, session will be disconnected, locked, or the user will be logged off depending on the policy
  • If Smart Card is re-inserted, it will be again available for use inside the session

If Smart Card Reader is attached after the ICA session is launched, then the user must disconnect the ICA session and re-launch it to make the Smart Card useable inside the ICA session. This is also true for USB Smart Card Tokens (Smart card available in the form of USB Key). USB Token behaves as a Smart Card Reader plus a Smart Card itself. Therefore, removing of USB Smart Card Token should disconnect, lock, or log off the ICA session (based on policy).

However, re-inserting it during the session will not work and the user must ensure that USB Smart Card Token is inserted before launching the ICA Session or they must disconnect the session and reconnect again.

Smart Card Passthrough

Smart Card Passthrough is now supported as per https://support.citrix.com/article/CTX131223

Smart Card and Generic USB Redirection

Generic USB Redirection is a feature that allows redirection of arbitrary USB devices from client machines to Desktops and Server VDAs. With this feature, the end users have the ability to interact with a wide selection of generic USB devices in their ICA session as if it had been physical plugged into it.

Using this method redirects USB devices at low level USB interfaces. Citrix Virtual Apps and Desktops provide optimized redirection methods, via specialized virtual channels, for specific USB devices. Some advanced functions, such as those required by the Smart Card APIs, are provided by these dedicated virtual channels.

As a result, redirection of Smart Cards or Smart Card readers over the Generic USB Redirection method is not supported for Server VDA or XenApp 6.5. However, in Desktop VDA this may work by disabling Smart Card hook and allowing Smart Card through USB policy.

Redirection using the Smart Card Virtual channel is the supported method for connecting and using Smart Cards in a Citrix Virtual Apps & Desktops environment.

Double-Hop or Nested Smart Card Login in Combination with RDP

Running an RDP session inside an ICA session (ICA -> RDP) or an ICA session inside a RDP session (RDP -> ICA) by using Smart Card credentials is not supported on Citrix Virtual Apps & Desktops. This scenario is not tested.

Use of smart card in double hop is supported only when both hops are via ICA protocol using smart card virtual channel and therefore excluding Generic USB redirection for smart card reader devices.

Smart Card and multiple Active Directory forest considerations

In a Citrix environment, smart cards are supported within a single forest. Smart card logons across forests require a direct two-way forest trust to all user accounts. More complex multi-forest deployments involving smart cards (that is, where trusts are only one-way or of different types) are not supported.

This applies to both XenApp 6.5 and CVAD 7.x.

Related:

  • No Related Posts

Leave a Reply