How to Configure StoreFront and Smart Card Authentication for Internal Users using Stores

Article ID: CTX139201

Description

This article describes how to configure Citrix StoreFront 2.0 and Smart Card authentication using Gemalto .NET cards against stores for internal users.

Requirements

The following components are needed to allow users to connect to StoreFront with a Smart Card:

  • Citrix StoreFront 2.x

  • Citrix Receiver for Windows 4.0 or later (for native connections to the stores in StoreFront)

  • Smart card middleware and drivers installed on a Windows workstation

  • Smart card drivers installed on Citrix XenApp servers or Citrix XenDesktop Virtual Delivery Agent (VDA) machines

  • Root and Intermediate Root Certificates properly installed on the Windows workstation and StoreFront

  • Certificate Revocation List (CRL) of your Certificate Authority (CA) accessible within your network. The Windows workstation, Internet Information Services (IIS), and the XenApp or XenDesktop VDAs require access to the CRL location to ensure the client certificate has not been revoked.

Note: For the purpose of this article, the following components were used:
  • Gemalto .NET 2.0 Smart Card and USB reader

  • StoreFront 2.0 running on Windows Server 2012

  • Citrix XenApp 6.5 Rollup Pack 2 Platinum Edition

  • Citrix Receiver for Windows 4.0.1.

Background

  • Strong knowledge of Microsoft Public Key Infrastructure (PKI) and how to configure client certificate/Smart Card authentication on Windows servers.


Instructions

Configure Smart Card Authentication on StoreFront Server

Complete the following steps to configure Smart Card Authentication on the StoreFront Server:

  1. Go to Authentication > Add/Remove Methods.


  2. Select Smart card.


    Note: For simple Smart card authentication with StoreFront, there is no need to manipulate IIS settings anymore.

Validate the Configuration is Correctly Setup

Complete the following steps to validate the Client Certificate authentication configuration is set correctly on the StoreFront Server:

  1. Open the IIS Manager console and go to Default Web Site > Citrix > Authentication > Certificate.

  2. In the Certificate Home pane, select and open SSL Settings.


  3. Ensure SSL Settings is set to Require SSL and Client Certificates is set to Require.

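The two settings above, together with the CRL reachability requirement from the Requirements section, can be checked from a PowerShell prompt on the StoreFront server instead of by eye in IIS Manager. This is an added example, not part of the Citrix article; it assumes the WebAdministration module is available, that the site is named Default Web Site, and that a smart card certificate is present in the current user's personal store.

```powershell
# Added example (not from the Citrix article). Run elevated on the StoreFront server.
Import-Module WebAdministration

# IIS path of the Certificate authentication service (assumes the default site name).
$CertAuthPath = 'IIS:\Sites\Default Web Site\Citrix\Authentication\Certificate'

function Test-StoreFrontSslFlags {
    param([string]$Path = $CertAuthPath)
    # sslFlags is a flags attribute: "Ssl" = Require SSL, "SslRequireCert" = Client
    # Certificates set to Require ("SslNegotiateCert" alone would only mean Accept).
    $raw = Get-WebConfigurationProperty -PSPath $Path `
        -Filter 'system.webServer/security/access' -Name 'sslFlags'
    $text  = if ($null -ne $raw.Value) { [string]$raw.Value } else { [string]$raw }
    $flags = $text -split ',' | ForEach-Object { $_.Trim() }
    [pscustomobject]@{
        Path        = $Path
        SslFlags    = $text
        RequireSsl  = $flags -contains 'Ssl'
        RequireCert = $flags -contains 'SslRequireCert'
    }
}

function Test-CrlReachable {
    # Reads the CRL Distribution Points extension (OID 2.5.29.31) from a certificate
    # and tries to download each HTTP CRL, which IIS and the VDAs must be able to do.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { Write-Warning 'Certificate has no CRL Distribution Points extension'; return }
    # Format() renders the extension as text containing "URL=http://..." entries.
    $urls = [regex]::Matches($ext.Format($false), 'URL=(http[^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value }
    foreach ($u in $urls) {
        try {
            $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
            [pscustomobject]@{ Url = $u; Reachable = $true;  Bytes = $r.RawContentLength }
        } catch {
            [pscustomobject]@{ Url = $u; Reachable = $false; Bytes = 0 }
        }
    }
}

# Usage: report the IIS settings, then test the CRL of the first smart card certificate
# found in the current user's personal store (assumed location of the card's certificate).
$ssl = Test-StoreFrontSslFlags
$ssl | Format-List
if (-not ($ssl.RequireSsl -and $ssl.RequireCert)) {
    Write-Warning 'Certificate service is not set to Require SSL and Require client certificates'
}
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if ($cert) { Test-CrlReachable -Certificate $cert | Format-Table -AutoSize }
```

A CRL that is unreachable from the server shows up here as Reachable = False, which is the same condition that later makes IIS reject the card's certificate even though the PIN prompt appears.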

Verify if Client Certificate Authentication is Working

Before testing Smart card authentication against a store on StoreFront, verify that client certificate authentication is working. Starting with StoreFront 2.0, a test.aspx page located under the Certificate folder (see the following screenshot) allows IT Administrators to verify that the client certificate settings are taking effect on IIS.


  1. From a Windows workstation with a Smart card reader plugged in, open Internet Explorer and navigate to https://StoreFront-FQDN/Citrix/Authentication/Certificate/test.aspx. The user is prompted for a client certificate and PIN.
    Example:
    URL to the Test.aspx page on StoreFront.


  2. Select the client certificate on the Smart card.

  3. Enter the PIN.


    If client certificate authentication is working successfully on IIS (where StoreFront is hosted), the following information is displayed:


    Note: The test.aspx page contains a script that reads the information from the client certificate used to log on to IIS and displays it if authentication is working.

After IIS has been verified to accept client certificates for authentication, the next step is to test the store using Citrix Receiver.

From Windows Workstation

  1. Open Citrix Receiver and at the First Time Use (FTU) prompt, enter the FQDN of the StoreFront server.

  2. A prompt for the PIN of the client certificate appears.

    Note: If you have more than one client certificate on the Smart card, you are prompted to select one of the certificates.

  3. Click Log On. StoreFront authenticates the user and presents the store description.

  4. Click Yes. The account is added successfully.

  5. Click Finish. The published applications are displayed.

  6. When an application is clicked, the XenApp server prompts the user for the PIN.

Note: To enable pass-through with Smart Card authentication for domain-joined Windows workstations, refer to the steps described in Citrix Documentation - Configure smart card authentication to alter the default.ica of StoreFront.

Issue/Introduction

This article describes how to configure Citrix StoreFront 2.x and Smart Card authentication using Gemalto .NET cards against stores for internal users.

Additional Information

Citrix Documentation - Configure smart card authentication

If you are installing StoreFront on Windows Server 2012, note that non-self-signed certificates installed in the Trusted Root Certification Authorities certificate store on the server are not trusted when IIS is configured to use SSL and client certificate authentication. For more information about this issue, see Microsoft KB - Internet Information Services (IIS) 8 may reject client certificate requests with HTTP 403.7 or 403.16 errors.