Prerequisites for Smartcard Redirection
Linux clients connecting to Linux agents
Anyware Linux Clients running on Ubuntu 22.04 support in-session smart card authentication when connecting to Linux Graphics agents and Linux Standard agents, provided that the system requirements listed in this topic are met.
In-session smart card authentication involves the use of smart cards after the user connects to their virtual desktops. Smart cards are used to log in to the desktop operating systems or to access specific applications during desktop sessions.
Smart Card Dependencies
It is important to test your smart card in your deployment. Changes to smart card vendor applets and middleware software may cause smart cards to become ineffective in your deployment.
Anyware Agent
- Linux Graphics agent 25.03 or later
- Linux Standard agent 25.03 or later
Anyware Client
- Linux Client version 25.03 running on Ubuntu 22.04 or later.
Smart Card Certificate Requirements
The smart card certificate prerequisites are as follows:
- Key usage is set to digital signature
- The Subject common name and subject alternative name (other name) are defined
- Enhanced key usage must include client authentication and/or smart card logon
- Key length does not exceed 2048 bits
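As an added example (not part of the original documentation or the vendor's tooling), the shell function below checks a certificate's text dump against the prerequisites above and also flags ECC keys, which Known Limitations lists as unsupported. It assumes the field labels printed by `openssl x509 -noout -text`; the function names and the sample dump are constructed for illustration.

```sh
# Added example: reads `openssl x509 -noout -text` output on stdin, prints one
# FAIL line per unmet prerequisite, and returns non-zero if any check fails.
check_sc_cert_text() (
    dump=$(cat)
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    has()  { printf '%s\n' "$dump" | grep -Eiq "$1"; }
    # Value line that follows an extension header, e.g. "X509v3 Key Usage: critical".
    ext()  { printf '%s\n' "$dump" | sed -n "/X509v3 $1:/{n;p;}"; }

    # Key usage is set to digital signature.
    ext "Key Usage" | grep -q "Digital Signature" || fail "key usage lacks Digital Signature"
    # Subject common name and subject alternative name (other name) are defined.
    has 'Subject:.*CN ?=' || fail "subject has no common name"
    ext "Subject Alternative Name" | grep -qi "othername" || fail "SAN has no otherName entry"
    # Enhanced key usage includes client authentication and/or smart card logon.
    ext "Extended Key Usage" | grep -Eiq "Client Authentication|Smartcard ?Login" ||
        fail "EKU lacks client authentication and smart card logon"
    # ECC certificates are unsupported; an RSA key must not exceed 2048 bits.
    if has 'Public Key Algorithm: id-ecPublicKey'; then
        fail "ECC certificate is not supported"
    else
        bits=$(printf '%s\n' "$dump" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
        { [ -n "$bits" ] && [ "$bits" -le 2048 ]; } ||
            fail "key length ${bits:-unknown} is over the 2048-bit limit"
    fi
    [ "$fails" -eq 0 ]
)

# Constructed, trimmed dump of a compliant certificate (not from a real card).
sample_dump() {
    cat <<'EOF'
        Subject: CN = Jane Doe
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, Microsoft Smartcard Login
            X509v3 Subject Alternative Name:
                othername: UPN::jane.doe@example.test
EOF
}
```

To check a certificate exported from a card, pipe its dump into the function: `openssl x509 -in cert.pem -noout -text | check_sc_cert_text` (cert.pem is a placeholder file name).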
Smart Card Readers
The following smart card readers have been tested:
- Belkin USB Smart Card Reader (F1DN008U)
- Identiv SCR3310 USB Contact Smart Card Reader
Tested Smart Card Models
The following smart card models have been tested:
Product Name | Type of Card | Notes |
---|---|---|
Gemalto TOP DL V2.1 144K FIPS | CAC | |
IDEMIA Cosmo v8.0 | Alternate token | |
IDEMIA ID-one 125 V8.0D | CAC | |
G+D Sm@rtCafe Expert v7.0 | CAC | |
G+D Sm@rtCafe Expert v7.0 144K DI | CAC | |
PIVkey C910 | PIV | |
PIVkey C980 | PIV | |
PIVkey C990 | PIV | |
Yubikey 5C | Using PIV interface. | |
Yubikey 5NFC | Using PIV interface. | |
Smart card verified and tested in customer environment | CoolKey applet | For accessing SIPRNet |
Note: Testing Smart Card Solutions
Solutions must be validated in user environments before selecting a solution, as environmental differences including network conditions or other components may impact support.
Notes
- Smart card authentication is enabled by modifying the pcoip.enable_smart_card directive on the Linux agent.
- At present, only simultaneous configuration of a single card and single reader is supported.
- Smart card authentication is only supported on Ubuntu 22.04 clients connecting to Linux agents. It is not supported while connecting from Zero Clients to Linux agents.
- If available, configure the Linux Desktop Environment to use smart cards for lock screen authentication.
Known Limitations
- Elliptic Curve Cryptography (ECC) Certificates are not supported.
- Concurrent users cannot log on to agent machines using the same smart card for authentication.
- Smart cards having multiple certificates allow only one user to log on at a time. Other users must wait until the current user logs off before attempting to log on.
- Single sign on is not supported. Users must authenticate twice: once on the client and again on the host machine's lock screen.
- If available, configure the Linux Desktop Environment to use smart cards for lock screen authentication.
- Session locking upon smart card removal is not supported.
- Session disconnection on smart card removal might not work as expected.
- If PCoIP sessions on RHEL agent machines fail, disable SELinux and re-establish a PCoIP session. If this does not work, contact the HP Support team.
- If PIN prompts do not work on Linux Desktop Environments of RHEL agent machines, use the password to unlock the desktop. Smart cards will be remoted and available to be used in session.
Client Setup
Note: Agent Setup is Required
To enable authentication using smart cards, configuration is required on agent machines. For more information, see "Enabling Smart Card Authentication Using Linux Clients" in the Linux agent guide.
- Make sure that you downloaded Anyware Linux Client version 25.03 or later on the Ubuntu 22.04 client machine.
- Configure the client machine to connect to the agent machine. Follow the instructions in the topic Connecting to an Agent Machine.
- Plug the smart card reader into the client machine.
- Start a PCoIP session. For a full set of instructions on using smart cards, consult Using Smart Card Authentication to Connect to a Session.