Introduction to Smart Card based authentication in Citrix Director


Article ID: CTX232216


Description

This article introduces the new Citrix Director feature "Smart Card based authentication" in XenApp/XenDesktop 7.17.


Instructions

Citrix Director is a monitoring and troubleshooting console that provides real-time and historical health monitoring of the XenApp or XenDesktop Site. Currently, Citrix Director supports only user name/password and Windows Integrated logon. However, a few customers need smart card based authentication, because some customers do not have a user name and password to log on to Director. This feature lets the Citrix Director logon page ask for a smart card swipe and allow the user to log on. To log on to Director, insert your smart card into the smart card reader and enter your smart card token. After you are authenticated, you can access Director without having to provide additional credentials on the Director logon page.

Director should be configured to enable Smart Card Authentication via web.config. There will be no fallback to forms authentication if logon with the smart card fails (as is the case with Integrated Windows Authentication).

Below are the steps the user takes to log on:

  1. A Windows user logs on to the client machine, inserts a smart card that is configured with a different user, opens a browser (the browser runs in the logged-on user's context), and makes a request to https://directorhost/director.

  2. IIS needs to be set to Anonymous authentication, with client certificate mapping with Active Directory enabled. Because Client Certificate is set to ‘required’, there will be a prompt to select a user certificate.

  3. Once the user selects the certificate, they are prompted to enter the smart card PIN.

  4. Once the user enters the smart card PIN, the certificate presented to https://directorhost/director is validated. If the user is an authenticated user, the user's identity is retrieved and the user is redirected to the configured defaultUrl (the default.html page). If the authentication fails, the Director logon failure error is shown. (There is no fallback to forms authentication.)

  5. After this, the user proceeds to log on and view the Director console.


Note: This feature supports only PIV (Personal Identity Verification) smart cards, and Citrix Director should be configured to use SSL/HTTPS.
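
The IIS settings named in step 2 and in the note above can be checked from PowerShell on the Director server. The script below is an added example, not Citrix's own code; it assumes the WebAdministration module is available and that Director is hosted at the hypothetical location 'Default Web Site/Director'.

```powershell
# Added example (not Citrix code): audit the IIS settings described in step 2.
# Assumption: Director runs at 'Default Web Site/Director'; pass -Location otherwise.
Import-Module WebAdministration

function Get-IisValue {
    param([string]$Location, [string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
             -Location $Location -Filter $Filter -Name $Name
    # Some attributes are returned wrapped in an object with a Value property.
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

function Test-DirectorSmartCardIis {
    param([string]$Location = 'Default Web Site/Director')

    $auth  = 'system.webServer/security/authentication'
    $anon  = Get-IisValue $Location "$auth/anonymousAuthentication" 'enabled'
    $adMap = Get-IisValue $Location "$auth/clientCertificateMappingAuthentication" 'enabled'
    $raw   = Get-IisValue $Location 'system.webServer/security/access' 'sslFlags'
    # sslFlags is a comma-separated flag list, e.g. "Ssl,SslNegotiateCert,SslRequireCert".
    $flags = @("$raw" -split '\s*,\s*' | Where-Object { $_ })

    # Compare as strings so a textual "False" is never coerced to $true.
    [pscustomobject]@{ Check = 'Anonymous authentication enabled'
                       Actual = "$anon";  Pass = ("$anon" -eq 'True') }
    [pscustomobject]@{ Check = 'AD client certificate mapping enabled'
                       Actual = "$adMap"; Pass = ("$adMap" -eq 'True') }
    [pscustomobject]@{ Check = 'SSL required'
                       Actual = "$raw";   Pass = ($flags -contains 'Ssl') }
    # SslNegotiateCert alone only accepts a certificate; SslRequireCert enforces one.
    [pscustomobject]@{ Check = 'Client certificate required'
                       Actual = "$raw";   Pass = ($flags -contains 'SslRequireCert') }
}

Test-DirectorSmartCardIis | Format-Table -AutoSize
```

Any row with Pass = False means the site does not match the configuration this article describes; in particular, a site that only accepts client certificates, without requiring them, will not force the certificate prompt.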
