Configuring Smart Card authentication for Citrix Presentation Server

While Citrix Presentation Server does officially support smart card logins, there is not much information available on how to configure this. This article is the result of what I've been through to get a CAC (ActivCard), the Tumbleweed PKI Validator, the Web Interface, and passthrough authentication working.

This information is summarized from the Citrix Web Interface Administrator’s Guide, the Citrix Presentation Server 4.0 Administrator’s Guide, the Citrix Presentation Server 4.0 Advanced Concepts Guide, and the ActivCard Gold 3.0 Deployment Guide.

Here's the environment that I'm working with:

  • Windows 2003 Server with Service Pack 1 plus hotfixes and IAVAs to date
  • Citrix Presentation Server 4.0
  • Citrix Web Interface 4.2
  • Citrix ICA Client 9.1

ActivCard Gold Client

Do not install the smart card reader drivers on the Citrix servers. Instead, ensure the smart card is operating properly on the client workstation: the user should be able to log in with the smart card or send a signed/encrypted email with it.

Then, on the Citrix Servers:

  1. Install the PS4 hotfix rollup PSE400W2K3R01. See CTX107594 for details.
  2. Install ActivCard Gold for CAC PKI 3.0
  3. Install and configure the Tumbleweed client.

Best practices dictate that installations be performed from the server console. Put the session into install mode by issuing “change user /install” from a command prompt before installing.

Confirm proper operation by logging in to a full desktop on the Citrix server. Check for the ActivCard Gold icon in the system tray. Insert a card and the client should begin reading it. If acertsrv hangs on exit, the PS4 hotfix rollup did not get installed correctly.

The ActivCard Gold 3.0 Deployment Guide makes reference to registry edits and the Citrix scconfig utility. These steps are not necessary in a Presentation Server 4.0 environment. If someone can speak intelligently about earlier versions, feel free to post your thoughts to the comments section of this page and we'll get this article updated.

Citrix Web Interface

The Citrix Web Interface can be configured to use Kerberos pass-through authentication in conjunction with smart cards. The login requests are passed via the Citrix XML Service from IIS to the Citrix servers, which then perform the authentication events as if the user were logging on to that server directly. This results in a very simple IIS setup.

Enabling smart card authentication in the Web Interface requires that SSL be used on the Web Interface site. Set up SSL and verify that it is working on the Web Interface site before trying anything else.

Once SSL is in place, Directory Service Mapping must be enabled. To do this:

  1. Open IIS Manager.
  2. Right-click the Web Sites folder and choose Properties from the menu that appears.
  3. On the properties tab, select “Enable the Windows directory service mapper” in the “Secure Communications” section.

The Web Interface site itself must now be configured.

  1. Open the Citrix Access Suite Management Console on the Web Interface server and run discovery if necessary to find the Web Interface site you wish to work with.
  2. Under “Configure Authentication”, select “Smart Card With Passthrough”.

No other changes are required. I found in my testing that if another authentication configuration is selected first and then changed, passthrough will not work and the user is prompted for a PIN. To fix that situation, uninstall the site via the Access Suite Console and recreate it. It may be possible to manually edit the configuration file instead, but I did not try.

Make any other changes to the Web Interface site appropriate to your location, such as appearance, Workspace Control etc.

Citrix ICA Client

My testing was done with ICA Client 9.1. According to Citrix documentation, pass-through authentication will not work with clients prior to version 6.30.

The FULL Program Neighborhood Client must be installed. This will not work with the Java or Web Client. During installation, the “Allow local username and password” prompt must have been answered “yes”. If it was not, there are scripts available to change the settings afterwards (see below), but the preferred way is to select it during install.

Once installed, the appsrv.ini file must be edited. For existing users, the file can be found in C:\Documents and Settings\%username%\Application Data\ICAClient

Locate the [WFClient] section in the appsrv.ini file and add the following if not already present:

EnableSSOnThruICAFile=On
SSOnUserSetting=On

You can also find a copy of the appsrv.ini file in C:\Program Files\Citrix and modify it. This is where the appsrv.ini for all new profiles comes from.
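As an added illustration (not code from the original article), the following Python audits an appsrv.ini for the two [WFClient] settings above and rewrites the file contents to add or correct them, matching the section name case-insensitively so a profile whose header is spelled "[WFCLient]" is still recognised. The sample file contents are constructed here; read the real file from the path given in the text.

```python
# Minimal [WFClient] settings for Web Interface smart card pass-through.
REQUIRED = {"EnableSSOnThruICAFile": "On", "SSOnUserSetting": "On"}
_REQ_LOWER = {k.lower(): v for k, v in REQUIRED.items()}
def _section(s):
    """Lower-cased section name if s is a [header] line, else None."""
    return s[1:-1].strip().lower() if s.startswith("[") and s.endswith("]") else None

def missing_passthrough_settings(text):
    """REQUIRED keys absent or not 'On' in [WFClient]; [] means compliant."""
    values, in_section = {}, False
    for line in text.splitlines():
        s = line.strip()
        if _section(s) is not None:
            in_section = _section(s) == "wfclient"  # case-insensitive match
        elif in_section and "=" in s and not s.startswith(";"):
            key, _, value = s.partition("=")
            values[key.strip().lower()] = value.strip().lower()
    return [k for k, v in REQUIRED.items() if values.get(k.lower()) != v.lower()]

def ensure_passthrough_settings(text):
    """Return text with REQUIRED set in [WFClient]; every other line is kept as-is."""
    out, in_section, found, seen = [], False, False, set()
    def flush():  # append keys the section lacked, ahead of its trailing blanks
        blanks = []
        while out and not out[-1].strip():
            blanks.append(out.pop())
        out.extend(f"{k}={v}" for k, v in REQUIRED.items() if k.lower() not in seen)
        out.extend(blanks)
    for line in text.splitlines():
        s = line.strip()
        if _section(s) is not None:
            if in_section:
                flush()
            in_section = _section(s) == "wfclient"
            found = found or in_section
        elif in_section and "=" in s and not s.startswith(";"):
            key = s.partition("=")[0].strip()
            if key.lower() in _REQ_LOWER:  # rewrite in place, keep key spelling
                seen.add(key.lower())
                line = f"{key}={_REQ_LOWER[key.lower()]}"
        out.append(line)
    if in_section:
        flush()
    if not found:  # file had no [WFClient] section at all: create one
        out += ["", "[WFClient]"]
        flush()
    return "\n".join(out) + "\n"

# Constructed sample: a client profile whose [WFClient] has one key set to Off.
SAMPLE = "[WFClient]\nVersion=2\nSSOnUserSetting=Off\n\n[Metaframe]\nUseLocalUserAndPassword=On\n"
```

Running the audit over every profile's appsrv.ini before rollout tells you which workstations will still prompt for a PIN, and the rewrite is idempotent, so it is safe in a login script.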

Scripts

To turn on pass-through authentication for clients that were not installed with that option, this script runs in KiXtart and is available in the User Defined Function forum at www.kiXtart.org. It can easily be added to a user's login script to make the changes necessary to allow Citrix passthrough authentication in conjunction with the Web Interface.

; Function CITRIXPASSTHROUGH()
;
; Author  Kent Dyer (leptonator@hotmail.com)
;
; Contributors Chris Walter
;              http://thethin.net/archive3.cfm?id=156013
;              Cleaned up the code from this page
;
; Action  Change Citrix Program Neighborhood from Standard Mode to pass-through
;
; Syntax  CITRIXPASSTHROUGH()
;
; Version 1.3
;
; Date           15-April-2005
;
; Date Revised   17-June-2005
;
; Parameters  None
;
; Remarks Once the change is made, you have to logoff and back in to
;         "see" the change.  Instead of having your users be required to
;         login and update passwords every xx days, this picks up on the locally
;         logged in user and passes the credentials through to Citrix
;
;         Version 1.1 - Add in logic to update the Farm Registrations to use pass-through
;         Version 1.2 - Missed two items in the DIM Statement
;         Version 1.3 - Added check to insure that Citrix Program Neighborhood exists (PN.EXE)
;
; Returns Nothing
;
; Dependencies  Citrix Program Neighborhood - Rights to change Registry at HKLM
;
; KiXtart Ver 4.02
;
; Example(s) CITRIXPASSTHROUGH()
; KIXTART BBS http://www.kixtart.org/ubbthreads/showflat.php?Cat=0&Number=137223
FUNCTION CITRIXPASSTHROUGH()
   DIM $appdt,$pnfl,$appfl,$cappfl,$regkey,$test,$x,$section,$val,$orig
   ; -- Only act when the full Program Neighborhood client is installed
   IF EXIST('C:\Program Files\Citrix\ICA Client\pn.exe')
      $appdt=ReadValue('HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders','AppData')
      $pnfl=$appdt+'\ICAClient\pn.ini'
      $appfl=$appdt+'\ICAClient\APPSRV.INI'
      $regkey='HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
      $test=READVALUE($regkey,'ProviderOrder')
      ; -- The same [WFClient] settings the article describes for APPSRV.INI
      $x=WriteProfileString($appfl,'WFClient','SSOnUserSetting','On')
      $x=WriteProfileString($appfl,'WFClient','EnableSSOnThruICAFile','On')
      $x=WriteProfileString($appfl,'Metaframe','UseLocalUserAndPassword','On')
      ; -- Walk every farm/application set section of PN.INI
      FOR EACH $section IN Split(ReadProfileString($pnfl,'',''),Chr(10))
         IF $section<>'' AND $section<>'Program Neighborhood' AND $section<>'WFClient'
            ;?$section
            FOR EACH $val IN Split(ReadProfileString($pnfl,$section,''),Chr(10))
               ; -- Remove the local user settings
               $x=WriteProfileString($pnfl,$section,'UseLocalUserAndPassword','')
               $x=WriteProfileString($pnfl,$section,'SavePNPassword','')
               ; -- Enable Pass-Thru
               IF ReadProfileString($pnfl,$section,'UIFlags')<>10
                  $x=WriteProfileString($pnfl,$section,'UIFlags',10)
               ENDIF
               IF ReadProfileString($pnfl,$section,'UIpassword')<>'000100'
                  $x=WriteProfileString($pnfl,$section,'UIpassword','000100')
               ENDIF
            NEXT
         ENDIF
      NEXT
      ; -- Register the Citrix single sign-on network provider (PnSson) if it is not already listed
      IF NOT INSTR(ReadValue($regkey,'ProviderOrder'),'PnSson')
         $orig=ReadValue($regkey,'ProviderOrder')
         $x=WriteValue($regkey,'ProviderOrder',$orig+',PnSson','REG_SZ')
         $orig=ReadValue('HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\HWOrder','ProviderOrder')
         $x=WriteValue('HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\HWOrder','ProviderOrder',$orig+',PnSson','REG_SZ')
         ;$x=WriteValue('HKLM\SYSTEM\CurrentControlSet\Services\PnSson','IsEnabled',1,'REG_DWORD')
         ;$x=WriteValue('HKLM\SYSTEM\CurrentControlSet\Services\PnSson','Type',4,'REG_DWORD')
         $x=WriteValue('HKLM\SYSTEM\CurrentControlSet\Services\PnSson\NetworkProvider','Class',2,'REG_DWORD')
         $x=WriteValue('HKLM\SYSTEM\CurrentControlSet\Services\PnSson\NetworkProvider','Name','Citrix Single Sign on','REG_SZ')
         $x=WriteValue('HKLM\SYSTEM\CurrentControlSet\Services\PnSson\NetworkProvider','ProviderPath','C:\Program Files\Citrix\ICA Client\pnsson.dll','REG_SZ')
         $x=WriteValue('HKLM\SYSTEM\CurrentControlSet\Services\PnSson\Enum',0,'Root\LEGACY_PNSSON\0000','REG_SZ')
         $x=WriteValue('HKLM\SYSTEM\CurrentControlSet\Services\PnSson\Enum','Count',1,'REG_DWORD')
         $x=WriteValue('HKLM\SYSTEM\CurrentControlSet\Services\PnSson\Enum','NextInstance',1,'REG_DWORD')
         ;$x=WriteValue('HKLM\SYSTEM\CurrentControlSet\Services\PnSson\Enum','Service','PnSson','REG_SZ')
         ; -- Now, let's change Citrix Configuration to be sure that all "Farms" are re-configured for pass-through
         $x=MessageBox('We will now log you off and you need to log back on again','Process is complete')
         $x=LogOff(0)
      ENDIF
   ENDIF
ENDFUNCTION

That's it. You should now have a fully functioning Smart Card environment.


Saved me a bit of leg work. I believe this isn't too far away for us.

- Jeff -
Greg,
Have you noticed that if you set a message box to display prior to logging in, i.e. "Warning: You are logging into a private system!!!", the CTX GINA will hang at "Checking your credentials"? I've seen this on a fully patched PS 4 system. If I remove the CAC card it logs me in. If I remove the message box, it logs me in. To work around this, I've put the contents of the message box on the WI page.

Thanks
Our disclaimer appears before the login event. We display it on all machines via GPO. Once the user clicks the app in the WI, it connects, they see the disclaimer, click OK, then it goes to "Checking your credentials". It rolls normally from there. The initial authentication seems to take longer with CAC than it did without, but we are seeing that on workstations as well.
Thanks for the reply. Are you guys running Win2K3 SP1 on your Citrix servers?
I agree, great article. One comment: not all customers have the Tumbleweed solution to handle the CRL validation (due to cost, access, etc.). Configuring CRL checking to work without an automated CRL validator like the Tumbleweed solution requires considerably more work. Also, not all Citrix products (new access hardware offerings) work with smart cards in general and the CAC in particular. Citrix has never published a comprehensive CAC implementation guide across all of their products.
That's all very true. My goal with this article was to combine some of the information from various sources together. There are a lot of companies out there looking at this. I have seen several consulting requests for this very setup recently. Citrix has very little info available on smart cards other than bits and pieces. ActivCard has even less on their website.
What does it mean if you get a message that says your credentials cannot be verified?
Do you know if there is a limitation on the number of concurrent users that can use ActivCard or SCL enabled Citrix?

NetSign 5.5 SP1 only allows for 25 concurrent sessions on Citrix.
Your connections must be direct to Web Interface via HTTPS and not proxied through CSG (Citrix Secure Gateway). You will need separate machines for CSG and WI, or at least separate IP addresses & certs (and disable socket pooling). See the CSG Admin Guide and search for "smart card". It will also require additional 443 ports open.
I was having similar problems until I added the Web Interface server to the domain.
I have separate machines for both CSG and WI. Both have certificates and port 443 open. However, I have absolutely no luck trying to get smart card authentication working using only port 443. Whenever I attempt to launch an app with SSL/TLS encryption enabled, I get a proxy denied access on port 1494 error. I need all communication to go through port 443.

Any idea?
Which Ports to Open in the DMZ. Excerpt from the CSG Admin Guide page 47.

Secure Gateway server and an NFuse server are deployed in the demilitarized zone (DMZ).

The STA is deployed behind an internal firewall within the secure network.

The external firewall has port 80 open to allow HTTP traffic to the NFuse server. Port 443 is also open to allow SSL/TLS connections to the NFuse server and the Secure Gateway server. The internal firewall has port 1494 open, between specific IP addresses, to allow connections to the MetaFrame server from the Secure Gateway server. Port 80 is also open, between specific IP addresses, on the internal firewall to allow communications between the Secure Gateway, NFuse, the XML Service, and the STA.

http://www.thin-world.com/nfuse.htm
I have a client that has several users from all over the world, and the clients are all logged into different domains than the domain that hosts the WI and PS servers. As a result, they have to re-enter the PIN for the CAC every time they launch an app on a PS server that they do not already have a logon to. Is there a way to make this work to pass the authentication from the WI to the PS servers?
This thread is very informative. To get it to work externally, does the CSG have to be configured in direct instead of indirect mode for the CAC smart card to work if the CSG and WI are separate machines located in the DMZ?
Has anyone run into a situation where older CACs bring up a secondary username/password box after entering the PIN? This doesn't happen for newer issued cards, and I can log directly into the WI with the same card... just can't log into the Citrix session.

I know this post is old but... for the record.

We were having the same problem with either explicit or smart card pass-through. We would get an msgina login (or enter PIN) prompt whenever we clicked an app and went to another terminal server.

It turned out this was being caused by a group policy which required a password on terminal servers on connection. We have this policy in effect to prevent users from saving their passwords in an RDP file. So even if they were to save their password, the connection on the terminal server would request they enter it again.

Here is the GP location:

Local Computer Policy>Computer Configuration>Administrative Templates>Windows Components>Terminal Services>Encryption and Security : Always prompt for password upon connection. Make sure this is disabled. If not configured, this may get overridden by another policy.