How to Remove the Smart Card Pin Prompt

How to Remove the Smart Card Pin Prompt

book

Article ID: CTX200137

calendar_today

Updated On:

Description

This article describes how to remove the smart card pin prompt when launching published desktops, so that end users are only pin prompted twice.

Background

When configuring smart card authentication to use SSO for external users, end users are pin prompted thrice. The first pin prompt occurs with the initial authentication, the second when launching the published desktops, and third when authenticating to the desktop.

Requirements

  • NetScaler 10.x

  • StoreFront 2.5

Instructions

Complete the following procedure, for end users to be pin prompted twice:

  1. If you have an existing Callback virtual server, use that VIP. Otherwise, create a new virtual server for use as the SSLProxyHost in the "Launch.ica" file.

  2. If you create a new virtual server then create and bind a new certificate for the FQDN.
    Note: Do not bind any Cert Auth Policy to the Authentication tab.

    User-added image

  3. After selecting the virtual server for use as the SSLProxyHost, configure the Optimal NetScaler Gateway routing. Refer to Citrix Documentation - To configure optimal NetScaler Gateway routing for a store.

    Sample Template

    </gateway>  </gateways
  </resourcesGateways>        
  <optimalGatewayForFarmsCollection> \\Start 
	<optimalGatewayForFarms enabledOnDirectAccess="false"> \\This value determines if internal users connect directly to StoreFront will launch Apps through the Gateway.
	<farms>
		<farm name="NHI" /> \\The optimal Gateway will only be applied to resources that are listed here.
	</farms>
	<optimalGateway key="_" name="GatewayForICA" stasUseLoadBalancing="false"
  stasBypassDuration="01:00:00" enableSessionReliability="false"
  useTwoTickets="false"> \\The key value can be left default "_". The name value can be anything. stasUserLoadBalancing is optional. stasBypassduration is option (just follow the format). enableSessionReliability is optional.
	   <hostnames>
		<add hostname="vdi.nhgri.nhi.gov:443" /> \\This is the Gateway URL that will be used in the launch.ica file as the SSLProxyHost
	   </hostnames>
	   <staUrls>
		<add staUrl="http://165.112.174.59:8080/scripts/ctxsta.dll" /> \\This is the STA server StoreFront will use to create the STA ticket
	   </staUrls>
	  </optimalGateway>
	</optimalGatewayForFarms>
	\\You can add another optimalGatewayForFarms - this will be used if you want to use different Gateway for different Farms that are configured on the StoreFront Store
     </optimalGatewayForFarmsCollection> \\End   
  <resourcesService id="b1828383-2029-4eb6-a3e6-f7c879c944aa" />
  <dazzleResources>
<routeTable order="10">

    The following screen shot is an example of the same in a working environment:

    User-added image

  4. After editing the store configuration file to point to the Callback VIP for the SSLProxyhost, save the "Launch.ica" file and verify that the information is correct:

    User-added image

Environment

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.

Issue/Introduction

This article describes how to remove the smart card pin prompt when launching published desktops, so that end users will only be pin prompted twice.

Additional Information

CTX200129 - How to Force Connections through NetScaler Gateway Using Optimal Gateways Feature of StoreFront

Powered by Wolken Software