Standard Agent for Windows Administrators' Guide

Enabling Smart Card Authentication Using Linux Clients

Smart card authentication is supported while connecting from Linux Clients to Windows agents. The following section contains information on system requirements, limitations, agent setup, and client setup.

Info

Both pre-session authentication and in-session use of smart cards is supported.

Note: Broker Configuration

Smart card authentication is supported with the Leostream broker or when directly connecting from the client machine to the agent machine. However, if the Subject Alternative Name in the Smart Card certificate is NOT in the { valid username }@{ valid domain } format, direct connections are not supported. You must use the Leostream connection Broker version 2023.2.3.4 and Connection Manager version 23.12 or later in this scenario. For more information, see Configure the Leostream Connection Broker.

General Requirements

Component Version
Client Anyware Linux Client 24.03+
Agent
  • Graphics Agent for Windows
  • Standard Agent for Windows
24.03+
Infrastructure (Required for brokered connections only, not required for direct connections)
  • Connection Manager & Security Gateway 20.07+
  • Leostream broker
 
  ActivClient Middleware
Smart card authentication has been tested using ActivClient 7.4.3.13. Other versions are expected to work, but have not been tested.
7.4.3.13

Info

At this time, smart Card Authentication is only supported while connecting from Linux Client version 24.03 or later.

Smart Card Certificate Requirements

The smart card certificate prerequisites are as follows:

  • Key usage is set to digital signature

  • The Subject common name and subject alternative name (other name) are defined

  • Enhanced key usage must include client authentication and/or smart card logon

  • Key length is not be larger than 2048 bit

Tested Smart Card Readers

The following smart card readers have been tested:

  • Belkin USB Smart Card Reader (F1DN008U)

  • Identiv SCR3310 USB Contact Smart Card Reader

Tested Smart Card Models

The following smart card models have been tested:

Product Name                       Type of Card Notes
Gemalto TOP DL V2.1 144K FIPS CAC   
IDEMIA Cosmo v8.0 Alternate token  
IDEMIA ID-one 125 V8.0D CAC   
G+D Sm@rtCafe Expert v7.0 CAC   
G+D Sm@rtCafe Expert v7.0 144K DI CAC  
PIVkey C910 PIV  
PIVkey C980 PIV  
PIVkey C990 PIV  
Yubikey 5C   Using PIV interface.
Yubikey 5 NFC   Using PIV interface.

Note: Testing Smart Card Solutions

Solutions must be validated in user environments first, as environmental differences including network conditions or other components may impact support.

Notes

  • Smart Card authentication can only be enabled or disabled during installation. If the Anyware agent has already been installed, re-install the software using the agent setup instructions.

  • The interface-driven installer for the Standard Agent for Windows cannot enable this functionality. You must use the scripted (silent) installer.

  • At present, only simultaneous configuration of a single card and single reader is supported.

  • While in a PCoIP session, the remote desktop's Device Manager will show two identical smart cards. This is expected and does not affect the session.

Known Limitations

  • The Interactive logon: Smart card removal behavior is not supported during sessions authenticated using smart cards.

  • Elliptic Curve Cryptography (ECC) Certificates are not supported.

  • When authenticated using smart cards, Anyware Clients cannot recognize HP Digital Badges.

  • Concurrent users cannot log on to agent machines using the same smart card for authentication.

  • Smart cards having multiple certificates allow only one user to log on at a time. Others users must wait until the current users logs off before attempting to log on.

Agent Setup

Note: Installing Card Reader Drivers

Some card readers might require their drivers to be installed on the agent machine. Consult with the reader manual to determine whether you need to install the required drivers.

  1. Make sure that you downloaded Anyware Agent 24.03 or later to the remote machine.

  2. Connect to the remote machine via RDP.

  3. On the remote machine, install the Standard Agent for Windows using the /InstallVSCReader argument.

    • Windows BAT: Open a Windows command line tool and enter the following:
    start /WAIT <path_to_installer> /S /NoPostReboot /InstallVSCReader
    echo %ERRORLEVEL%
    

    where <path_to_installer> is the system filepath of the installer file.

    • Windows PowerShell: Open a PowerShell window and enter the following:

      $process = Start-Process -FilePath <path_to_installer> -ArgumentList "/S /NoPostReboot /InstallVSCReader _?<path_to_installer>" -Wait -PassThru; $process.ExitCode
      

    where <path_to_installer> is the system filepath of the installer file. Note that this argument is used twice.

  4. Configure the Standard Agent for Windows license information, as described here.

  5. Install the ActivClient middleware (available from your SmartCard vendor) on the host machine. Skip this step if you are using Yubikey 5C or Yubikey 5 NFC.

    Middleware installation notes

    • ActivClient middleware must be installed in a console session.
    • To prevent conflicts, only one middleware should be installed.
  6. Reboot the remote machine.

Client Setup

  1. Make sure that you downloaded Anyware Linux Client version 24.03 or later on the client machine.

  2. Configure the client machine to connect to the agent machine. Follow the instructions in the topic in the Anyware Linux Client guide.

  3. Plug the smart card reader into the Client machine, and use your smart card for authenticating the PCoIP session. For instructions on using the smart card to authenticate PCoIP sessions, consult "Using Smart Card Authentication to Connect to a Session" in the topic Connecting to an Agent Machine.

Removing Smart Card Support

In order to remove support for Smart Card Authentication, uninstall the agent and then re-install it without using the /InstallVSCReader option.

Troubleshooting Issues

Sometimes, you might encounter the following issues on Windows agents running on Windows Server 2022:

  • When Single Sign-On (SSO) is enabled, smart cards are not displayed in the Device Manager list on the remote agent
  • When SSO is disabled, smart cards do not appear on locked screens, and therefore, users cannot use them to unlock the screens

To resolve these issues, make sure that the correct driver is in use for the smart card readers.


Last updated: Saturday, November 9, 2024