PCoIP TROUBLESHOOTING STEPS: Smart cards and Proximity cards
This article provides a brief list of troubleshooting steps and describes some common issues for smart card and proximity card failures. It is not intended to be a comprehensive troubleshooting guide.
Prior to diving into a deep investigation please review the 3 steps below:
Step 1. First confirm that the smart card and card reader being used are listed as supported in our Product Admin Guides. This will save a bunch of time.
Step 2. Check the following website to see if there are any known issues with the card reader: https://militarycac.com/usbreaders.htm
Step 3. See KB4262, an internal KB that gives support staff guidance on some basic questions to ask.
This article applies to PCoIP Zero Clients connecting to VMware Horizon View.
Common scenarios covered include:
- Pre-session smart card failure
- In-session smart card failure
- Proximity card failure (Imprivata SSO)
Pre-session smart card failure
Smart card single sign on (pre-session authentication)
For supported smart cards, the user is authenticated by the View Connection Server via the smart card and PIN. After the user selects the desktop, the session is connected and single sign-on logs the smart card user into the desktop. The following must be installed to support this:
- Horizon Agent USB Redirection
- Horizon Agent Smart Card Component(Redirection)
- Smart card mini-driver/middleware
There are smart cards that support both CAC and PIV endpoint interfaces. If such a smart card is being used as a PIV card, the user may be presented with the username/password login dialog instead of the smart card PIN dialog.
To fix this issue, the "Prefer GSC-IS" option needs to be de-selected in the zero client View Connection Server Advanced Session Connection configuration.
Refer to Why doesn't PIN dialog appear when using a PIV smartcard?
In this View Connection Server case, ensure the following:
- Your smartcard and smartcard reader meet the requirements listed in PCoIP Zero Client requirements to support pre-session smart card authentication when connecting to VMware Horizon plus supported card readers and smart cards.
- The VMware View Agent has been installed with the PCoIP Smart Card Component(Redirection) option and/or the smart card reader is bridged. See scenario 1 in knowledge base article Authentication failures with my eToken/smartcard device and VMware Horizon View.
- Smart card authentication is enabled (set to optional or required) on the VCS.
- Confirm there are no issues with the middleware (e.g. ActivIdentity).
- Check for incorrect certificate configuration on the VCS. See knowledge base article Why does my pre-session smart card authentication fail with my PCoIP Zero Client but not my VMware View client?
- Ensure the Prefer GSC-IS option is correctly configured when using a PIV card. See Why doesn't PIN dialog appear when using a PIV smartcard?
In-session (a.k.a. post-session) smart card failure
In this case ensure the following:
- The PCoIP Smart Card Component(Redirection) option has not been installed on the VMware View Agent and/or the smart card reader is not bridged. See scenario 3 in knowledge base article Authentication failures with my eToken/smartcard device and VMware Horizon View.
Note: Smart card readers should typically not be bridged. Smart card readers should only be bridged if they are required in-session, do not work while not bridged, AND are not on the supported smart card reader list. See the PCoIP Zero Client Firmware Administrators' guide for the current list.
Unsupported Smart Cards
It is possible to use unsupported smart cards while in session. However, authentication using those smart cards in pre-session will likely not work. The following are required for this:
- Horizon Agent USB redirection installed
- Horizon Agent Smart Card redirection NOT installed
- Smart card mini-driver/middleware installed
- Smart card reader is bridged (configured in zero client USB table)
Imprivata Single Sign On (SSO) failure
In this case ensure the following:
- Your proximity card and card reader meet the requirements listed in knowledge base article What proximity cards and readers are interoperable with PCoIP Zero Clients and Imprivata OneSign?
- Tap-in and tap-out failure. Please see knowledge base article: What registry keys are required to make the Imprivata tap-in / tap-out functionality work with PCoIP Zero Clients?
General questions:
- Has the VMware View Agent been installed with the PCoIP smart card option selected? *
- Is the smart card reader bridged (If the smart card option is installed then the device should not be bridged)? *
- Has an additional agent been installed after VMware View Agent (Additional agents should be installed after the VMware View agent)? *
- Is the use case pre-session (should not be bridged)?
- Is the use case in-session (should be bridged)? *
- Are the card and card reader model numbers on the supported list (pre-session)? See PCoIP Zero Client requirements to support pre-session smart card authentication when connecting to VMware Horizon plus supported card readers and smart cards *
- Does the card reader work with a desktop computer? *
- Do the smart card and card reader work with VMware View client? *
- Have you tried multiple cards and card readers? Is the card reader/card broken?
- Does the card reader work without the middleware agent (i.e. ActivIdentity)? *
* - Typically does not apply to Imprivata authentication
Gathering log files:
- Log on to the zero client AWI.
- Go to Diagnostics > Event Log.
- Enable SMARTCARD enhanced logging or ONESIGN enhanced logging (for Imprivata OneSign proximity cards).
- IMPORTANT: Reproduce the problem at this step.
- Log on to the zero client AWI (if logged out).
- Go to Diagnostics > Event Log.
- Select View event log messages.
- Copy and paste the entire log file into a text editor such as Notepad.
- Disable enhanced logging.
- Attach the captured log file to this ticket.
- Identify the name of the middleware software being used (ActivIdentity, 90meter, etc.).
- Include the middleware logs if requested by HP Anyware support (the log location can be found in the middleware documentation).