Enabling Smart Card Authentication Using Linux Clients
Smart card authentication is supported while connecting from Linux Clients to Windows agents. The following section contains information on system requirements, limitations, agent setup, and client setup.
Info
Both pre-session authentication and in-session use of smart cards are supported.
Note: Broker Configuration
Smart card authentication is supported with the Leostream broker or when directly connecting from the client machine to the agent machine. However, if the Subject Alternative Name in the smart card certificate is NOT in the { valid username }@{ valid domain } format, direct connections are not supported. In that scenario you must use the Leostream Connection Broker version 2023.2.3.4 and Connection Manager version 23.12 or later. For more information, see Configure the Leostream Connection Broker.
General Requirements
Component | Details | Version |
---|---|---|
Client | Anyware Linux Client | 24.03+ |
Agent | | 24.03+ |
Infrastructure | Required for brokered connections only, not required for direct connections | |
ActivClient Middleware | Smart card authentication has been tested using ActivClient 7.4.3.13. Other versions are expected to work, but have not been tested. | 7.4.3.13 |
Info
At this time, smart card authentication is only supported while connecting from Linux Client version 24.03 or later.
Smart Card Certificate Requirements
The smart card certificate prerequisites are as follows:
- Key usage is set to digital signature
- The Subject common name and subject alternative name (other name) are defined
- Enhanced key usage must include client authentication and/or smart card logon
- Key length must not be larger than 2048 bits
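The following script is an added example, not code from the Anyware documentation. It checks an exported smart card certificate (.cer, DER or Base64) against the prerequisites listed above, rejects ECC keys (a known limitation below), and reports whether the SAN other name is in the {username}@{domain} form that direct connections require, as described in the broker note earlier on this page. `$CertPath` is an assumed parameter name, and the UPN parsing assumes the Windows CryptoAPI text formatting of the SAN extension.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example (not from the Anyware documentation): validate a smart card
# certificate against the listed prerequisites. $CertPath is an assumed name.
param([Parameter(Mandatory)][string]$CertPath)

$cert = [X509Certificate2]::new((Resolve-Path -LiteralPath $CertPath).Path)
$problems = @()

# 1. Key usage must include Digital Signature (extension OID 2.5.29.15).
$ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
if (-not $ku -or -not $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::DigitalSignature)) {
    $problems += 'Key usage does not include Digital Signature'
}

# 2. Subject common name and a SAN other name (UPN) must both be present.
if ($cert.Subject -notmatch '(^|,\s*)CN=') { $problems += 'Subject has no common name' }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$upn = $null
# Assumption: Windows CryptoAPI renders the UPN as "Principal Name=user@domain".
if ($san -and $san.Format($false) -match 'Principal Name=([^,\s]+)') { $upn = $Matches[1] }
if (-not $upn) { $problems += 'Subject alternative name has no other name (UPN)' }

# 3. EKU must include Client Authentication and/or Smart Card Logon.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = @(if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } })
if (-not ($ekuOids -contains '1.3.6.1.5.5.7.3.2' -or $ekuOids -contains '1.3.6.1.4.1.311.20.2.2')) {
    $problems += 'Enhanced key usage lacks both Client Authentication and Smart Card Logon'
}

# 4. RSA only (ECC certificates are not supported) and no longer than 2048 bits.
$rsa = [RSACertificateExtensions]::GetRSAPublicKey($cert)
if (-not $rsa) {
    $problems += "Public key algorithm '$($cert.PublicKey.Oid.FriendlyName)' is not RSA (ECC is not supported)"
} elseif ($rsa.KeySize -gt 2048) {
    $problems += "RSA key length $($rsa.KeySize) exceeds 2048 bits"
}

if ($problems) { "FAIL: $($cert.Subject)"; $problems | ForEach-Object { "  - $_" } }
else          { "OK:   $($cert.Subject) meets the certificate prerequisites" }

# Direct connections need a username@domain UPN; otherwise a broker is required.
if ($upn) {
    if ($upn -match '^[^@\s]+@[^@\s]+$') { "UPN '$upn' is in username@domain form; direct connections are supported." }
    else { "UPN '$upn' is not in username@domain form; Leostream Connection Broker 2023.2.3.4+ with Connection Manager 23.12+ is required." }
}
```

Export the certificate from the card with the vendor middleware or `certutil -scinfo` first; the script does not talk to the card itself.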
Tested Smart Card Readers
The following smart card readers have been tested:
- Belkin USB Smart Card Reader (F1DN008U)
- Identiv SCR3310 USB Contact Smart Card Reader
Tested Smart Card Models
The following smart card models have been tested:
Product Name | Type of Card | Notes |
---|---|---|
Gemalto TOP DL V2.1 144K FIPS | CAC | |
IDEMIA Cosmo v8.0 | Alternate token | |
IDEMIA ID-one 125 V8.0D | CAC | |
G+D Sm@rtCafe Expert v7.0 | CAC | |
G+D Sm@rtCafe Expert v7.0 144K DI | CAC | |
PIVkey C910 | PIV | |
PIVkey C980 | PIV | |
PIVkey C990 | PIV | |
Yubikey 5C | Using PIV interface. | |
Yubikey 5 NFC | Using PIV interface. | |
Note: Testing Smart Card Solutions
Solutions must be validated in user environments first, as environmental differences, including network conditions or other components, may affect support.
Notes
- Smart card authentication can only be enabled or disabled during installation. If the Anyware agent has already been installed, re-install the software using the agent setup instructions.
- The interface-driven installer for the Graphics Agent for Windows cannot enable this functionality. You must use the scripted (silent) installer.
- At present, only simultaneous configuration of a single card and single reader is supported.
- While in a PCoIP session, the remote desktop's Device Manager will show two identical smart cards. This is expected and does not affect the session.
Known Limitations
- The Interactive logon: Smart card removal behavior policy is not supported during sessions authenticated using smart cards.
- Elliptic Curve Cryptography (ECC) certificates are not supported.
- When authenticated using smart cards, Anyware Clients cannot recognize HP Digital Badges.
- Concurrent users cannot log on to agent machines using the same smart card for authentication.
- Smart cards having multiple certificates allow only one user to log on at a time. Other users must wait until the current user logs off before attempting to log on.
Agent Setup
Note: Installing Card Reader Drivers
Some card readers might require their drivers to be installed on the agent machine. Consult the reader manual to determine whether you need to install drivers.
- Make sure that you downloaded Anyware Agent 24.03 or later to the remote machine.
- Connect to the remote machine via RDP.
- On the remote machine, install the Graphics Agent for Windows using the /InstallVSCReader argument.
  - Windows BAT: Open a Windows command line tool and enter the following:
    ```bat
    start /WAIT <path_to_installer> /S /NoPostReboot /InstallVSCReader
    echo %ERRORLEVEL%
    ```
    where <path_to_installer> is the system filepath of the installer file.
  - Windows PowerShell: Open a PowerShell window and enter the following:
    ```powershell
    $process = Start-Process -FilePath <path_to_installer> -ArgumentList "/S /NoPostReboot /InstallVSCReader _?<path_to_installer>" -Wait -PassThru; $process.ExitCode
    ```
    where <path_to_installer> is the system filepath of the installer file. Note that this path is used twice.
- Configure the Graphics Agent for Windows license information, as described here.
- Install the ActivClient middleware (available from your smart card vendor) on the host machine. Skip this step if you are using Yubikey 5C or Yubikey 5 NFC.
  Middleware installation notes
  - ActivClient middleware must be installed in a console session.
  - To prevent conflicts, only one middleware should be installed.
- Reboot the remote machine.
Client Setup
- Make sure that you downloaded Anyware Linux Client version 24.03 or later on the client machine.
- Configure the client machine to connect to the agent machine. Follow the instructions in the topic in the Anyware Linux Client guide.
- Plug the smart card reader into the client machine, and use your smart card to authenticate the PCoIP session. For instructions on using the smart card to authenticate PCoIP sessions, consult "Using Smart Card Authentication to Connect to a Session" in the topic Connecting to an Agent Machine.
Removing Smart Card Support
To remove support for smart card authentication, uninstall the agent and then re-install it without the /InstallVSCReader option.
Troubleshooting Issues
Sometimes, you might encounter the following issues on Windows agents running on Windows Server 2022:
- When Single Sign-On (SSO) is enabled, smart cards are not displayed in the Device Manager list on the remote agent
- When SSO is disabled, smart cards do not appear on locked screens, and therefore, users cannot use them to unlock the screens
To resolve these issues, make sure that the correct driver is in use for the smart card readers.
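The following script is an added example, not part of the Anyware documentation. Run it on the agent machine to list the smart card readers and cards Windows currently sees, together with the driver provider, version and INF each one is bound to, so a reader that has no driver or a failing one stands out; it also covers the reader driver check mentioned under Agent Setup. It assumes the built-in PnpDevice cmdlets (Windows 10 / Server 2016 and later).

```powershell
# Added example (not from the Anyware documentation): report smart card reader
# and card devices with their driver bindings on the agent machine.
function Get-SmartCardDeviceReport {
    $keys = 'DEVPKEY_Device_DriverProvider', 'DEVPKEY_Device_DriverVersion',
            'DEVPKEY_Device_DriverInfPath'
    $devices = Get-PnpDevice -Class 'SmartCardReader', 'SmartCard' -PresentOnly -ErrorAction SilentlyContinue
    foreach ($dev in $devices) {
        $props = @{}
        Get-PnpDeviceProperty -InstanceId $dev.InstanceId -KeyName $keys -ErrorAction SilentlyContinue |
            ForEach-Object { $props[$_.KeyName] = $_.Data }
        [pscustomobject]@{
            Class    = $dev.Class
            Device   = $dev.FriendlyName
            Status   = $dev.Status      # anything other than OK needs attention
            Provider = $props['DEVPKEY_Device_DriverProvider']
            Version  = $props['DEVPKEY_Device_DriverVersion']
            Inf      = $props['DEVPKEY_Device_DriverInfPath']
        }
    }
}

$report = @(Get-SmartCardDeviceReport)
$report | Format-Table -AutoSize

if (-not $report) {
    Write-Warning 'No smart card reader or card is present on this machine; check the reader and its driver.'
}
# A reader with a non-OK status or no INF is the symptom to chase first.
$report | Where-Object { $_.Status -ne 'OK' -or -not $_.Inf } | ForEach-Object {
    Write-Warning "$($_.Device): status '$($_.Status)', driver INF '$($_.Inf)'; install or repair the vendor driver."
}
# Inside a PCoIP session two identical SmartCard entries are expected (see Notes above).
```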