Summary
When configuring authentication to an Access Gateway, Enterprise Edition-hosted Virtual Private Network (VPN), you can use certificates hosted on smart cards. The Access Gateway, Enterprise Edition Administrator's Guide states that only Shinwa smart cards are supported; however, Citrix understands that other types of smart card readers are often used. This document describes how best to troubleshoot smart card issues.
Background
When configuring smart card authentication, the authentication type specified on the Access Gateway is Client Cert Authentication (mandatory or optional). Once this is done, the Access Gateway client takes the certificate on the local system’s smart card as well as certificates in the personal store.
Internet Explorer generates a PIN code request when it accesses the smart card reader. The Access Gateway does the same afterwards. If this transaction fails, Citrix suggests the following troubleshooting procedure:
Troubleshooting smart card issues
Most smart card problems can be reproduced using any smart card Cryptographic Service Provider (CSP). Generally, the same problem happens when testing against a non-Access Gateway SSL Web site. The key is isolating the problem. If you are unable to reproduce an issue using another CSP, then Citrix Technical Support may consider it to be an issue specific to that vendor’s CSP.
In that case, Citrix requests that you send a reader and card to test with and upload the version of the CSP software that you are using.
More Information
Additional background or reference information can be found on pages 47-48 of CTX112724 – Citrix Access Gateway Enterprise Edition Administrator's Guide.