While Citrix Presentation Server does officially support smart card logins, there is not much information available on how to configure this. This article is the result of what I've been through to get a CAC (ActivCard), the Tumbleweed PKI Validator, the Web Interface, and passthough authentication working.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
This information is summarized from the Citrix Web Interface Administrator’s Guide, the Citrix Presentation Server 4.0 Administrator’s Guide, the Citrix Presentation Server 4.0 Advanced Concepts Guide, and the ActivCard Gold 3.0 Deployment Guide.
Here's the environment that I'm working with:
- Windows 2003 Server with Service Pack 1 plus hotfixes and IAVAs to date
- Citrix Presentation Server 4.0
- Citrix Web Interface 4.2
- Citrix ICA Client 9.1
Active Card Gold Client
Do not install the smart card reader drivers on the Citrix servers. Instead, ensure the smart card is operating properly on the client workstation. The user should be able to login with smart card or send a secure email.
Then, on the Citrix Servers:
- Install The PS4 hotfix rollup. PSE400W2K3R01. See CTX107594 for details.
- Install ActivCard Gold for CAC PKI 3.0
- Install and configure the Tumbleweed client.
Best practices dictate that installations be performed from the server console. Put the session into install mode by issuing “change user /install” from a command prompt before installing.
Confirm proper operation by logging in to a full desktop on the Citrix server. Check for the ActivCard gold icon on the systray. Insert a card and it should begin reading it. If the acertsrv hangs on exit, then the PS4 Hotfix rollup did not get installed correctly.
The ActivCard Gold 3.0 Deployment Guide makes reference to registry edits and the Citrix scconfig utility. There steps are not necessary in a Presentation Server 4.0 environment. If someone can speak intelligently about earlier versions, feel free to post your thoughts to the comments section of this page and we'll get this article updated.
Citrix Web Interface
The Citrix Web Interface can be configured to use Kerberos pass-through authentication in conjunction with smart cards. The login requests are passed via the Citrix XML service from IIS to the Citrix servers which then perform the authentication events as if the user was on that server. This results in a very simple IIS setup.
Enabling smart card authentication in the Web Interface requires that SSL be used on the Web Interface site. Setup and ensure that SSL is working on the Web Interface site prior to trying anything else.
Once SSL is in place, Directory Service Mapping must be enabled. To do this:
- Open IIS Manager.
- Right Click the Web Sites folder and choose Properties from the menu that appears.
- Select the properties tab and select “Enable the Windows directory service mapper” in the “Secure Communications” section.
The Web Interface site itself must now be configured.
- Open the Citrix Access Suite Management Console on the Web Interface server and run discovery if necessary to find the Web Interface site you wish to work with.
- Under “Configure Authentication” select “Smart Card With Passthrough”
No other changes are required. I found in my testing that if another configuration is selected and then changed, the passthrough will not work and the user is prompted for a PIN. To fix that situation, uninstall the site via the Access Console and recreate. It may be possible to manually edit the configuration file but I did not try.
Make any other changes to the Web Interface site appropriate to your location, such as appearance, Workspace Control etc.
Citrix ICA Client
My testing was done with ICA Client 9.1. According to Citrix documentation, Pass Through Authentication will not work with clients prior to version 6.30.
The FULL Program Neighborhood Client must be installed. This will not work with the Java or Web Client. When it was installed, the “Allow local username and password” must have been answered “yes”. If not, there are scripts available to change the settings but the preferred way is to select it during install.
Once installed, the appsrv.ini file must be edited. For existing users, the file can be found in C:\Documents and Settings\%username%\Application Data\ICAClient
Locate the [WFCLient] section in the appsrv.ini file and add the following if not already present:
You can also find a copy of the appsrv.ini file in C:\Program Files\Citrix and modify it. This is where the appsrv.ini for all new profiles comes from.
To turn on Pass through authentication for clients that were not installed that to allow it, this script runs in KiXtart and is available in the User Defined Function forum at www.kiXtart.org. It can easily be added to a user’s login script to make the changes necessary to allow Citrix passthrough authentication in conjunction with the Web Interface.
; Function CITRIXPASSTHROUGH()
; Author Kent Dyer (email@example.com)
; Contributors Chris Walter
; Cleaned up the code from this page
; Action Change Citrix Program Neighborhood from Standard Mode to pass-through
; Syntax CITRIXPASSTHROUGH()
; Version 1.3
; Date 15-April-2005
; Date Revised 17-June-2005
; Parameters None
; Remarks Once the change is made, you have to logoff and back in to
; "see" the change. Instead of having your users be required to
; login and update passwords every xx days, this picks up on the locally
; logged in user and passes the credentials through to Citrix
; Version 1.1 - Add in logic to update the Farm Registrations to use pass-through
; Version 1.2 - Missed two items in the DIM Statement
; Version 1.3 - Added check to insure that Citrix Program Neighborhood exists (PN.EXE)
; Returns Nothing
; Dependencies Citrix Program Neighborhood - Rights to change Registry at HKLM
; KiXtart Ver 4.02
; Example(s) CITRIXPASSTHORUGH
; KIXTART BBS http://www.kixtart.org/ubbthreads/showflat.php?Cat=0&Number=137223
IF EXIST('C:\Program Files\Citrix\ICA Client\pn.exe')
FOR EACH $section IN split(ReadProfileString($pnfl,'',''),chr(10))
IF $section<>'' AND $section<>'Program Neighborhood' AND $section<>'WFClient'
FOR EACH $val IN Split(ReadProfileString($pnfl,$section,''),Chr(10))
; -- Remove the local user setttings
; -- Enable Pass-Thru
IF NOT INSTR(ReadValue($regkey,'ProviderOrder'),'PnSson')
$x=WriteValue('HKLM\SYSTEM\CurrentControlSet\Services\PnSson\NetworkProvider','Name','Citrix Single Sign on','REG_SZ')
'C:\Program Files\Citrix\ICA Client\pnsson.dll','REG_SZ')
; -- Now, let's change Citrix Configuration to be sure that all "Farms" are re-configured for pass-through
$x=MessageBox('We will now log you off and you need to log back on again','Process is complete')
That's it. You should now have a fully functioning Smart Card environment.