This article describes how to configure XenDesktop to work using Pass-through with smart card logon.
Ensure that the following components are installed and configured:
Windows domain is correctly configured to work with Smart Card authentication.
Refer to http://technet.microsoft.com/en-us/library/dd277362.aspx web page of Microsoft TechNet for more information on Smart Cards.
The latest version of Web Interface is installed. In this article, we are assuming that Web Interface and the Desktop Delivery Controller (DDC) are on the same machine.
Refer to http://www.citrix.com/site/SS/downloads/index.asp web page of Citrix to download the latest version of Web Interface.
Note: The Web Interface server is a part of the Windows domain.
Complete the following procedures to configure Pass-through with Smart Cards logon on XenDesktop:
The following processes should be in place to configure the Client End Point:
Ensure that the smart card drivers are installed. Install the mini driver for Gemalto.
Ensure that the latest Microsoft Base CSP libraries are installed; a Microsoft hotfix is available that addresses known Base CSP issues.
Note: Some cards, such as ActivIdentity smart cards, do not use the Microsoft Base Smart Card Crypto Provider. Hence, installing the Microsoft Base CSP libraries is not always mandatory.
Ensure that local logon using the smart card is working.
The following processes should be in place to configure the User Account in Active Directory:
Ensure you have configured a smart card for the user account.
Ensure smart card logon and smart card pass-through logon are enabled through group policy in Active Directory for the user, as explained in the Accessing the template file section.
Load and configure the Citrix ADM Group Policy snap-in.
Citrix uses a Microsoft Active Directory Group Policy ADM template to propagate many settings to multiple Citrix clients. Some of these settings relate to smart card. To access the icaclient.adm file, complete the following procedure.
Install the Citrix ICA client on Windows.
Locate the icaclient.adm file in the C:\Program Files\Citrix\ICA Client\Configuration folder.
Copy this file to the domain controller.
On the Active Directory domain controller, run the group policy MMC snap-in for the Default Domain Policy.
Select User Configuration.
From Policies, navigate to Administrative Templates.
Right-click and select Add/Remove Templates.
Click Add and select the icaclient.adm file.
Note: The group policy can be linked at levels other than the domain level: site level and Organizational Unit level are also available, as is local policy on an individual machine. In this article, the group policy is linked at the Domain level.
If you are using Windows Server 2008, your Group Policy snap-in should be as displayed in the following screen shot:
Enable Smart card authentication and Local username and password from User authentication, as displayed in the following screen shot:
Under Smartcard Authentication, select Allow Smartcard Authentication and Use pass-through authentication for PIN, as displayed in the following screen shot:
Select Allow pass-through authentication for all ICA connections from the Local user name and password properties, as displayed in the following screen shot:
Complete the following procedure to configure the VDA:
Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.
Ensure that the Microsoft base CSP and smart card drivers are installed on the VDA.
If Program Neighborhood Agent / Receiver is used, then ensure that the following registry keys for smart card pin pass-through are created:
Create a registry key named Program Neighborhood Agent in HKLM\SOFTWARE\Citrix.
Note: On a 64-bit machine, this registry key should be created in the 32-bit view of the registry because pnamain.exe is a 32-bit application.
Create the key in HKLM\SOFTWARE\Wow6432Node\Citrix.
To the Program Neighborhood Agent registry key, add a REG_DWORD registry value called SmartCardPinPass and set it to a non-zero value.
To the Program Neighborhood Agent registry key, add a REG_DWORD registry value called SmartCardPassthru and set it to a non-zero value.
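The registry steps above as a script, added here as an example and not taken from the Citrix article. It assumes it is run from an elevated 64-bit PowerShell on the VDA, so that writing under Wow6432Node lands in the 32-bit view that pnamain.exe reads.

```powershell
# Added example (not from the Citrix article): creates the Program Neighborhood Agent
# key and the two smart card pass-through REG_DWORD values on the VDA.
# On 64-bit Windows the key must live in the 32-bit registry view (Wow6432Node)
# because pnamain.exe is a 32-bit process; on 32-bit Windows the plain path is used.
$base = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\Citrix'
} else {
    'HKLM:\SOFTWARE\Citrix'
}
$pnaKey = Join-Path $base 'Program Neighborhood Agent'

if (-not (Test-Path $pnaKey)) {
    New-Item -Path $pnaKey -Force | Out-Null
}

# Both values are REG_DWORD; any non-zero value enables the behaviour, 1 is used here.
New-ItemProperty -Path $pnaKey -Name 'SmartCardPinPass'  -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $pnaKey -Name 'SmartCardPassthru' -PropertyType DWord -Value 1 -Force | Out-Null

# Read the values back so the result can be checked before testing a logon.
Get-ItemProperty -Path $pnaKey | Select-Object SmartCardPinPass, SmartCardPassthru
```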
If the Web Interface is used, ensure that the Web Interface site is added to the trusted sites and that logon with the local username and password is enabled in Internet Explorer. Complete the following procedure in Internet Explorer:
On the Windows Internet Explorer webpage, select Tools.
From Internet Options, select Security.
Click Custom Level.
Select User Authentication.
Select Automatic Logon with current user and password.
Click OK.
Complete the following steps to configure the XenDesktop Broker / DDC:
Ensure that the Broker is configured to trust requests sent to the XML Service port by running the following PowerShell commands:
Add-PSSnapin citrix*
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True
Ensure IIS 7 is configured for smart cards in Windows Server 2008.
Start IIS.
Select the server name.
In the IIS section, double-click Server Certificates, as displayed in the following screen shot:
Note: You should obtain a server certificate for the XenDesktop(Broker) server.
Navigate to the Default Web site Home.
From the Actions section, select Bindings, as displayed in the following screen shot:
Click Add.
Select https as the Type.
In the SSL certificate list, select the server certificate you obtained earlier, as displayed in the following screen shot:
Select the server name.
On the homepage, select Authentication, as displayed in the following screen shot:
Double-click the Authentication icon to display the Authentication settings.
Ensure that the following authentication methods are enabled:
Active Directory Client Certificate Authentication.
Anonymous Authentication.
Note: The Active Directory Client Certificate Authentication option appears only in the server home section.
Navigate to the Default Web Site and double-click Authentication and ensure that the following Authentication types are enabled:
Anonymous
Basic Authentication
Digest Authentication
Windows Authentication
Navigate to Default Web Site and select SSL Settings.
Select Require SSL and set Client certificates to Ignore, as displayed in the following screen shot:
Note: If Client certificates is not set to Ignore, the IIS server attempts to verify that the client machine holds the private key corresponding to the public key that the client presents to the IIS server.
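The IIS 7 configuration described above, scripted with the WebAdministration module as an added example (not part of the Citrix article). It assumes the broker's server certificate is already in the machine certificate store, and <THUMBPRINT> is a placeholder for its thumbprint.

```powershell
# Added example (not from the Citrix article): applies the IIS 7 settings above on the
# XenDesktop Broker/DDC with the WebAdministration module (Windows Server 2008 R2 / IIS 7.x).
Import-Module WebAdministration

$site  = 'Default Web Site'
$thumb = '<THUMBPRINT>'   # placeholder: thumbprint of the broker's server certificate

# HTTPS binding on 443 using the server certificate obtained earlier
New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*'
Get-Item "Cert:\LocalMachine\My\$thumb" | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null

# Server level: Active Directory Client Certificate Authentication is only exposed at server scope
Set-WebConfigurationProperty -PSPath 'IIS:\' `
    -Filter '/system.webServer/security/authentication/clientCertificateMappingAuthentication' `
    -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' `
    -Filter '/system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $true

# Default Web Site: Anonymous, Basic, Digest and Windows authentication
foreach ($auth in 'anonymousAuthentication', 'basicAuthentication',
                  'digestAuthentication', 'windowsAuthentication') {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
        -Filter "/system.webServer/security/authentication/$auth" -Name enabled -Value $true
}

# SSL Settings: Require SSL with client certificates set to Ignore.
# sslFlags 'Ssl' alone requires SSL; adding SslNegotiateCert or SslRequireCert
# would make IIS ask for a client certificate, which the note above warns against.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter '/system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Read the SSL setting back to confirm the result
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter '/system.webServer/security/access' -Name sslFlags
```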
Ensure that the XML Service is not sharing the same port as IIS.
Note: Sharing the same port causes authentication to fail after the PIN is entered.
Refer to CTX125107 - How to Configure XML Service to Share a Port with IIS on 32 and 64 Bit Versions of Windows Server 2008. (Note: Article CTX125107 is written for XenApp, but since the steps are the same it applies to XenDesktop too.)
Ensure that the Smart card pass-through authentication is enabled in the PNAgent site/Web Interface site.
Change the XML Service port, as displayed in the following screen shot:
Change the port number in the sites of Citrix Web Interface after changing the XML Service port.
To edit the port number, right-click XenApp site or PNAgent site and select Server Farms, as displayed in the following screen shot: