Saturday 16 July 2016

Using Smart Cards with XenDesktop

Overview


XenDesktop users can use smart cards for:
• Authenticating to XenDesktop sessions
• Digitally signing or encrypting documents
• Authenticating to locally installed or virtualized applications

Virtual desktops must be running Microsoft Windows XP 32-bit with Service Pack 2 or later.

Smart Card Types and Readers Supported


The following are supported:
• Smart cards, including Common Access Card (CAC)
• USB smart card tokens

All the above must be Microsoft-compatible.

Only one reader per endpoint is supported, and, for roaming, all readers across endpoints must be identical.

You must obtain a device driver for the smart card reader and install it on the endpoint device. Many smart card readers comply with the Chip/Smart Card Interface Devices (CCID) standard and can use the CCID device driver supplied by Microsoft.

You must also obtain a device driver (a Cryptographic Service Provider in the case of Windows) for the smart card and install it on both the endpoint device and the virtual desktop. Citrix recommends that you:

• Install drivers and CSPs on the virtual desktop before installing any Citrix software on it
• Install and test the drivers on a physical computer before installing Citrix software

After the Virtual Desktop Agent has been installed on a computer, you can no longer use locally connected smart cards for any purpose, including logon.

Smart card support also involves components available from Citrix partners. These will be updated independently by the partners, and are not described in this document. Refer to the Citrix Ready program at http://www.citrix.com/ready/ for more information.

Endpoint Device Requirements


The following types of endpoint support smart card authentication:

• Domain-joined and non-domain-joined desktop appliances. Desktop appliances are devices that can connect only to virtual desktops; all other services are obtained through the virtual desktop. They can support only one connection at a time.

• Domain-joined fat client computers. These are computers that can connect directly to virtual desktops, applications, and other services. They can run local applications and support simultaneous connections.

Endpoints must have the following installed:

• Microsoft Windows XP or XPe (depending on device type) 32-bit with Service Pack 2 or 3.
• Citrix Desktop Receiver 11.1. For further details about installing the Desktop Receiver, see the Citrix Desktop Receiver Administrator’s Guide.
• Microsoft Internet Explorer 7, if users need to access desktops from a browser.
• Appropriate device drivers for the smart cards and readers.

XenDesktop-ready desktop appliances may also support smart card authentication: consult your supplier for further details about this.

Secure Use of Smart Cards


Your organization may have specific security policies concerning the use of smart cards. These policies may, for example, state how smart cards are issued and how users should safeguard them. Some aspects of these policies may need to be reassessed in a XenDesktop environment:

• Tasks performed by smart card administrators (for example smart card issuance) may be inappropriate for carrying out through XenDesktop. Usually these functions are performed at a dedicated smart card station, and may require two smart card readers.

• Infrequent and sensitive tasks, such as unblocking a smart card or resetting a PIN, may also be inappropriate for carrying out through XenDesktop. Security policies often forbid users to perform these functions; they are carried out by the smart card administrator.

• Highly sensitive applications that require strict separation of duties or tamper-resistant audit trails may entail additional special-purpose security control measures. These measures are outside the scope of XenDesktop.

Configuring Smart Card Authentication


To allow users to authenticate with smart cards, you must use the Web Interface to reconfigure the relevant default Web site provided with XenDesktop, or create new Web sites, as follows:

• You can reconfigure the following default Web sites to incorporate a smart card authentication method:
a. The XenDesktop Services site, which is for full-screen-only use with domain-joined Windows XP and XPe computers.
b. The XenDesktop Web site, which is for users of fat client devices, who need to be able to access desktops from a browser.

• The desktop appliance connector Web site installed as part of XenDesktop does not support smart cards. To enable smart card authentication for desktop appliances you must use XenApp Web sites. For further details, see http://support.citrix.com/article/CTX119227/.

If you need to support more than one authentication method, Citrix recommends that you maintain a separate Web site for each method to ensure the best user authentication experience. Pass-through authentication with smart cards is supported for domain-joined computers. For further details, see http://support.citrix.com/article/CTX119227/.

For details of where on the installation media to find the Web Interface and the Web Interface Access Management Console extension, and the locations of the default Web sites, see “Using the Web Interface with Desktop Delivery Controller”. For information on how to create and configure Web sites, see the Web Interface Administrator’s Guide.

Managing Smart Card Use


Keep the following points in mind when managing the use of smart cards in your organization:

• Every time a user logs on with a smart card to a non-domain-joined Windows XP desktop appliance, the certificate contained on the smart card is copied from the smart card into the desktop appliance’s personal certificate store. All these certificates are displayed when the user attempts to log on. You should either ensure that the user knows which certificate to select, or manually delete the certificates from the certificate store.

• To use smart cards for digitally signing and encrypting streamed applications in a XenDesktop session, you must create an Ignore rule in the relevant profile and add the following named objects to the rule:
\??\Pipe\CtxSmartCardSvc\*
\\.\Pipe\CtxSmartCardSvc\*

You need to create this Ignore rule only for profiles created using Streaming Profiler 1.2.
For details of creating and updating streaming application profiles, see the Citrix Application Streaming Guide.
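A way to find and clear the logon certificates that accumulate in the appliance’s Personal store, as described in the first point above (added example, not Citrix code; it assumes PowerShell is available on the appliance and recognises the copies by the standard Smart Card Logon enhanced key usage OID 1.3.6.1.4.1.311.20.2.2):

```powershell
# Added example, not part of the original Citrix text. Assumes PowerShell is available on
# the appliance. Finds certificates in the current user's Personal (My) store that carry
# the Smart Card Logon enhanced key usage, i.e. the copies left behind by smart card logons.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # well-known EKU OID for Smart Card Logon

function Get-CopiedSmartCardLogonCert {
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $eku = @($_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] })
        if ($eku.Count -eq 0) { return $false }   # no EKU extension: not a logon certificate
        @($eku[0].EnhancedKeyUsages | Where-Object { $_.Value -eq $SmartCardLogonOid }).Count -gt 0
    }
}

# Removes the copies through the .NET store API, which also works on older PowerShell
# versions whose Cert: provider cannot delete. Supports -WhatIf so the list can be reviewed first.
function Remove-CopiedSmartCardLogonCert {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        foreach ($cert in Get-CopiedSmartCardLogonCert) {
            if ($PSCmdlet.ShouldProcess("$($cert.Subject) [$($cert.Thumbprint)]", 'Remove from CurrentUser\My')) {
                $store.Remove($cert)
            }
        }
    } finally {
        $store.Close()
    }
}

# Review first, then remove for real by dropping -WhatIf.
Get-CopiedSmartCardLogonCert | Select-Object Subject, NotAfter, Thumbprint
Remove-CopiedSmartCardLogonCert -WhatIf
```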

Removing Smart Cards


When the user removes their smart card, the XenDesktop behavior depends on the smart card removal policy setting on the virtual desktop. Each Windows Server 2003 policy setting and the resulting XenDesktop behavior:

• No action: No action.

• Lock workstation: The XenDesktop session is disconnected and the virtual desktop is locked.

• Force logoff: The user is forced to log off. If the network connection is lost and this setting is enabled, the session may be logged off and the user may lose data.

• Disconnect if a remote Terminal Services session: The XenDesktop session is disconnected and the virtual desktop is locked.

There may also be an endpoint smart card removal behavior policy if the endpoint is domain-joined. In this case the endpoint has the default Windows behavior.
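A check that reports which of the removal policy settings above is in force on a machine, mapped to the XenDesktop behavior listed for it (added example, not Citrix code; it assumes the setting is held in the standard Winlogon ScRemoveOption registry value, which the text itself does not name):

```powershell
# Added example, not part of the original Citrix text. Reads the Winlogon smart card removal
# policy and reports the matching XenDesktop behavior from the list above.
# Assumption: the policy is stored in the standard Winlogon ScRemoveOption value (REG_SZ "0".."3").
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

$Behavior = @{
    '0' = @{ Setting = 'No action'
             XenDesktop = 'No action.'; DataLossRisk = $false }
    '1' = @{ Setting = 'Lock workstation'
             XenDesktop = 'Session disconnected; virtual desktop locked.'; DataLossRisk = $false }
    '2' = @{ Setting = 'Force logoff'
             XenDesktop = 'User forced to log off; a lost network connection can log the session off and lose data.'
             DataLossRisk = $true }
    '3' = @{ Setting = 'Disconnect if a remote Terminal Services session'
             XenDesktop = 'Session disconnected; virtual desktop locked.'; DataLossRisk = $false }
}

function Get-SmartCardRemovalBehavior {
    $value = (Get-ItemProperty -Path $WinlogonKey -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
    if (-not $value) { $value = '0' }          # value absent: Windows default is No action
    $entry = $Behavior[[string]$value]
    if (-not $entry) { throw "Unrecognized ScRemoveOption value '$value'" }
    New-Object PSObject -Property @{
        ScRemoveOption     = [string]$value
        PolicySetting      = $entry.Setting
        XenDesktopBehavior = $entry.XenDesktop
        DataLossRisk       = $entry.DataLossRisk   # $true flags the Force logoff case
    }
}

Get-SmartCardRemovalBehavior | Format-List
```

Run it on the virtual desktop to see the XenDesktop outcome, and on a domain-joined endpoint to see the local Windows policy the previous paragraph refers to.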
