This article describes how to configure Citrix StoreFront 2.0 and Smart Card authentication using Gemalto .NET cards against stores for internal users.
The following components are needed to allow users to connect to StoreFront with a Smart Card:
Citrix StoreFront 2.x
Citrix Receiver for Windows 4.0 or later (for native connections to the stores in StoreFront)
Smart card middleware and drivers installed on a Windows workstation
Smart card drivers installed on Citrix XenApp servers or Citrix XenDesktop Virtual Delivery Agent (VDA) machines
Root and Intermediate Root Certificates properly installed on the Windows workstation and StoreFront
Certificate Revocation List (CRL) of your Certificate Authority (CA) accessible within your network. The Windows workstation, Internet Information Services (IIS), and the XenApp or XenDesktop VDAs require access to the CRL location to verify that the client certificate has not been revoked.
Gemalto .NET 2.0 Smart Card and USB reader
StoreFront 2.0 running on Windows Server 2012
Citrix XenApp 6.5 Rollup Pack 2 Platinum Edition
Citrix Receiver for Windows 4.0.1.
Strong knowledge of Microsoft Public Key Infrastructure (PKI) and how to configure client certificate/Smart Card authentication on Windows servers.
Complete the following steps to configure Smart Card Authentication on the StoreFront Server:
Complete the following steps to validate that the Client Certificate authentication configuration is set correctly on the StoreFront Server:
Open the IIS Manager console and go to Default Web Site > Citrix > Authentication > Certificate.
Verify if Client Certificate Authentication is Working
Before testing Smart card authentication against a store on StoreFront, verify that client certificate authentication is working. From StoreFront 2.0, a test.aspx page located under the Certificate folder (see the following screenshot) allows IT Administrators to verify that the client certificate settings are taking effect on IIS.
Select the client certificate on the Smart card.
Enter the PIN.
If client certificate authentication is working successfully on IIS (where StoreFront is hosted), the following information is displayed:
Note: The test.aspx page contains a script that reads the information from the client certificate used to log on to IIS and displays it if authentication is working successfully.
Note: To enable pass-through with Smart Card authentication for domain-joined Windows workstations, refer to the steps described in Citrix Documentation - Configure smart card authentication to alter the default.ica of StoreFront.
If you are installing StoreFront on Windows Server 2012, note that non-self-signed certificates installed in the Trusted Root Certification Authorities certificate store on the server are not trusted when IIS is configured to use SSL and client certificate authentication, and IIS may then reject the client certificate. For more information about this issue, see Microsoft KB - Internet Information Services (IIS) 8 may reject client certificate requests with HTTP 403.7 or 403.16 errors.
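The following PowerShell script is an added pre-flight check for the points above (the Certificate folder settings in IIS, the CRL requirement, and the Windows Server 2012 Trusted Root issue); it is not part of the Citrix article or product. It assumes the IIS path Default Web Site > Citrix > Authentication > Certificate shown above, and the CRL URL is a placeholder that must be replaced with the CRL Distribution Point from your CA certificate.

```powershell
# Added example, not Citrix code. Run in an elevated PowerShell session on the StoreFront server.
Import-Module WebAdministration

# Path of the StoreFront certificate authentication folder as shown in IIS Manager.
$certPath = 'IIS:\Sites\Default Web Site\Citrix\Authentication\Certificate'

# 1. Client certificates on the Certificate folder: sslFlags must include
#    SslNegotiateCert (accept) or SslRequireCert (require). Plain "Ssl" or "None"
#    means IIS never asks Receiver for the smart card certificate.
$raw = Get-WebConfigurationProperty -PSPath $certPath `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
$sslFlags = if ($raw.PSObject.Properties['Value']) { [string]$raw.Value } else { [string]$raw }
if ($sslFlags -match 'SslNegotiateCert|SslRequireCert') {
    Write-Host "OK   sslFlags on Certificate folder: $sslFlags"
} else {
    Write-Warning "sslFlags on Certificate folder is '$sslFlags'; client certificates are not requested"
}

# 2. Windows Server 2012 / IIS 8 issue from the Microsoft KB cited above: a
#    non-self-signed certificate (for example an intermediate CA) in the machine
#    Trusted Root store can make IIS answer 403.7 / 403.16 to client certificate logons.
#    A root CA certificate is self-signed, so its Subject and Issuer are identical.
$misplaced = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -ne $_.Issuer }
if ($misplaced) {
    Write-Warning "Non-self-signed certificates in Trusted Root (move them to Intermediate Certification Authorities):"
    $misplaced | Select-Object Subject, Issuer, Thumbprint, NotAfter | Format-Table -AutoSize
} else {
    Write-Host "OK   Trusted Root store contains only self-signed (root) certificates"
}

# 3. CRL reachability: IIS must be able to download the CRL named in the CA's
#    CRL Distribution Point to confirm the smart card certificate is not revoked.
#    Placeholder URL: replace with the CDP URL from your issuing CA certificate.
$crlUrl = 'http://pki.example.internal/crl/issuing-ca.crl'
try {
    $resp = Invoke-WebRequest -Uri $crlUrl -UseBasicParsing -TimeoutSec 10
    Write-Host "OK   CRL downloaded from $crlUrl ($($resp.RawContentLength) bytes)"
} catch {
    Write-Warning "CRL at $crlUrl is not reachable from this server: $($_.Exception.Message)"
}
```

The same CRL check should be repeated from a workstation and from a XenApp server or VDA, since each of them validates the smart card certificate independently.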