Enabling Smart Card Authentication Using Zero Clients
Smart Cards, such as PIV cards, may be used to authenticate to your PCoIP Session. Smart Card support requires a Anyware agent and a Anyware Tera2 Zero Client for direct (unbrokered) connections. For brokered connections, a Connection Manager & Security Gateway and a Leostream broker are also required, in addition to the Anyware agent and Anyware Tera2 Zero Client.
Requirements
Component | Version | |
---|---|---|
Client | Anyware Tera2 Zero Client | Firmware 21.01+ |
Infrastructure | (required for brokered connections only, not required for direct connections)
|
|
Host | Anyware Standard or Graphics Agent for Windows | 21.03+ |
ActivClient Middleware | 7.1, 7.2 |
Notes and Limitations
- Smart Card Authentication works only with the Anyware Standard Agent for Windows and the Anyware Graphics Agent for Windows.
- Smart Card authentication can only be enabled or disabled during installation. If the Anyware agent has already been installed, re-install the software using the instructions below.
- The interface-driven installer for the Graphics Agent for Windows cannot enable this functionality. You must use the scripted (silent) installer.
- We have tested ActivClient 7.1 and 7.2; other versions may work but have not been tested.
- While in a PCoIP session, the remote desktop's Device Manager will show two identical smart cards. This is expected and does not affect the session.
Setup
Before you begin, make sure your installed components meet the minimum requirements described above, and ensure your smart card is configured correctly.
To configure the remote machine:
-
Connect to the remote machine via RDP.
-
On the remote machine, install the Graphics Agent for Windows using the
/InstallVSCReader
argument.-
Windows BAT: Open a Windows command line tool and enter the following:
start /WAIT <path_to_installer> /S /NoPostReboot /InstallVSCReader echo %ERRORLEVEL%
...where
<path_to_installer>
is the system filepath of the installer file. -
Windows PowerShell: Open a PowerShell window and enter the following:
$process = Start-Process -FilePath <path_to_installer> -ArgumentList "/S /NoPostReboot /InstallVSCReader _?<path_to_installer>" -Wait -PassThru; $process.ExitCode
...where
<path_to_installer>
is the system filepath of the installer file. Note that this argument is used twice!
-
-
Configure the Graphics Agent for Windows license information, as described here.
-
Install the ActivClient middleware (available from your SmartCard vendor) on the host machine.
Middleware installation notes
- ActivClient middleware must be installed in a console session.
- To prevent conflicts, only one middleware should be installed.
-
Reboot the remote machine.
To configure the Anyware Tera2 Zero Client:
-
Update the device's firmware to the latest available version.
-
Configure the device to connect to the remote machine (normally, the default auto-detect mode is best).
Connecting
Once the agent and Anyware Tera2 Zero Client are prepared as described, you can connect to a PCoIP session by inserting a SmartCard into the card reader attached to the Anyware Tera2 Zero Client.
To connect to the PCoIP session using the smart card:
-
Plug the smart card reader into the Anyware Tera2 Zero Client.
-
Plug the smart card into the AnywareP Tera2 Zero Client.
-
Enter the IP address of the remote host machine.
-
If required, enter your PIN or credentials when prompted. For detailed instructions, refer to Connecting to a Session Using Smart Cards in the Anyware Zero Client Firmware Administrators' Guide.
Using the Smart Card in a PCoIP Session
You can also use your smart card within a PCoIP session, to authenticate to applications on the remote desktop.
To use your smart card in-session:
-
Attach the smart card reader to the Anyware Tera2 Zero Client.
-
Add your reader to the Anyware Tera2 Zero Client's Bridged Devices table.
-
Log in to the Zero Client's Administrative Web Interface.
-
Select Configuration > USB.
-
In the Bridged Devices section, click Add New and add your reader.
-
Removing Smart Card Support
In order to remove support for Smart Card Authentication, uninstall the agent and then re-install it without using the /InstallVSCReader
option.