Smart Cards

This reference provides the requirements, known to work with the latest firmware, for supporting pre-session smart card authentication when connecting to VMware Horizon (View). It also lists supported smart cards and USB smart card readers for Tera2 PCoIP Zero Clients connected to PCoIP Connection Managers.

Smart Card Dependencies

It is important to test your smart card in your deployment. Changes to smart card vendor applets and middleware software may cause smart cards to become ineffective in your deployment.

Smart Card Authentication with Leostream Broker (Beta)

Pre-session smart card support with PCoIP Zero Clients when connecting to Remote Workstation Cards or HP Anyware with a Leostream broker is supported with PCoIP Zero Client firmware 6.4 and Leostream version 9.0.35 beta (contact Leostream for details on their generally available release). Smart cards cannot be used for single sign-on to a workstation with this solution.

PCoIP Zero Clients support pre-session smart card authentication when connecting to VMware Horizon virtual desktops that meet the system configuration requirements listed below. For deployments that meet these requirements, PCoIP Zero Clients can also read and process smart card information and allow SSO (single sign-on) authentication of the user prior to session establishment.

System Requirements

When used with VMware Horizon 4.5 or higher with smart card authentication enabled, the firmware securely transfers the attached smart card properties to the View Connection Server for authentication and SSO of a user prior to a session. The Zero Client only supports 75 distinguished names when using Smart Card authentication.

Note on distinguished names

The distinguished names are retrieved from the keystore file that is created on the View Connection Server (VCS). The keystore file contains a list of all customer certificates being used.

Smart Card Certificate Requirements

  • Key usage must be set to digital signature

  • Subject common name and/or subject alternative name (other name) must be set

  • Enhanced key usage must include client authentication and/or smart card logon

  • Key length must not be larger than 2048 bits
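
A check for the four certificate requirements above, as an added example that is not vendor code. It assumes the Python `cryptography` package; `check_certificate`, `make_sample` and the sample certificates are names and data constructed here for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Microsoft "smart card logon" EKU; client authentication comes from the library.
SMARTCARD_LOGON = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")
MAX_KEY_BITS = 2048

def _ext(cert, cls):
    """Return the extension value, or None when the certificate lacks it."""
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None

def check_certificate(cert):
    """List the requirements the certificate fails (empty list: all four met)."""
    problems = []
    ku = _ext(cert, x509.KeyUsage)
    if ku is None or not ku.digital_signature:
        problems.append("key usage lacks digital signature")
    san = _ext(cert, x509.SubjectAlternativeName)
    has_cn = bool(cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME))
    has_other = bool(san and san.get_values_for_type(x509.OtherName))
    if not (has_cn or has_other):
        problems.append("no subject common name or SAN other name")
    eku = _ext(cert, x509.ExtendedKeyUsage)
    if eku is None or not {ExtendedKeyUsageOID.CLIENT_AUTH, SMARTCARD_LOGON} & set(eku):
        problems.append("EKU lacks client authentication and smart card logon")
    if cert.public_key().key_size > MAX_KEY_BITS:  # RSA and EC keys expose key_size
        problems.append("key longer than 2048 bits")
    return problems

def make_sample(bits, ekus, digital_signature=True):
    """Constructed self-signed RSA test certificate, not a real card certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Sample User")])
    start = datetime.datetime(2024, 1, 1)
    # Positional flags: digital_signature, content_commitment, key_encipherment, ...
    usage = x509.KeyUsage(digital_signature, False, True, False, False, False, False, False, False)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
               .add_extension(usage, critical=True)
               .add_extension(x509.ExtendedKeyUsage(ekus), critical=False))
    return builder.sign(key, hashes.SHA256())

if __name__ == "__main__":
    print(check_certificate(make_sample(2048, [SMARTCARD_LOGON])))
    print(check_certificate(make_sample(3072, [ExtendedKeyUsageOID.SERVER_AUTH], False)))
```

To check a certificate exported from a card, load it with `x509.load_pem_x509_certificate(data)` or `x509.load_der_x509_certificate(data)` and pass the result to `check_certificate`.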

Virtual Desktop Requirements

  • VMware Horizon 4.5 or higher.

  • VM Guest OS: Windows 10 or 7.

  • PCoIP zero client firmware 3.2.0 or newer (smart cards supported in later firmware releases are indicated as such).

  • Both Horizon Agent smart card redirection and USB redirection must be installed for users to authenticate using smart cards. These are not selected to be installed by default.

Components and features installed by default can change

When performing an installation or upgrade, make sure the components and features that you require are installed by default. Components and features installed by default can change between releases and cause resources to fail, particularly after an upgrade.

Smart Card Readers

Supported USB Smart Card Readers

Warning

Not all readers will function properly with all smart card solutions.

  • Alcor AU9540-GBS (built into selected Samsung PCoIP Zero Clients)

  • Castles Technology EZM110CU (built into selected ClearCube PCoIP Zero Clients)

  • Castles Technology EZM110PU (built into selected ClearCube PCoIP Zero Clients)

  • Cherry SmartBoard keyboard

  • Dell Smart Card USB keyboard SK3205

  • Gemalto CT700 Smart Card Reader

  • Gemalto PC Twin HWP108765C

  • Gemalto PC Twin HWP108760D

  • Gemalto PC USB-SW

  • Gemalto IDBridge CR20/CT30/CT31

  • HP KUS0133 Smart Card Keyboard

  • Leadtek Alcor Reader

  • OmniKey 3021

  • OmniKey 3121

  • OmniKey 5321 (Note: the 5321 CLi variant is currently not supported)

  • Omnikey 5421

  • Peripheral Dynamics PT-3901

  • SCR331

  • SCR333

  • SCR335

  • SCR3310

  • SCR3310/v2.0

Gemalto CT700 Smart Card Reader

The Gemalto CT700 smart card reader supports pre-session PIN-pad entries when using firmware 22.09 or newer and when the Zero Client is using the View Connection Server session connection type.

Single Sign-on

SSO is not supported when using the CT700 PIN pad.

VCS Session Connection Type

Known Smart Card Readers compatible with SC650/SIPR

  • Omnikey 3021

  • Omnikey 3121

  • Omnikey 5321

  • ClearCube Zero Client with a built-in Omnikey 3021 reader

  • Gemalto GemPC Twin

  • SCM SCR3310 v2

Smart Cards

Tested Smart Card Models

GSC-IS and PIV Authentication Flow

The default authentication flow prior to firmware 6.5 was to use the GSC-IS driver before the PIV driver. Now the PIV driver is used before the GSC-IS driver. If required, you can change the default authentication flow by enabling the Prefer GSC-IS setting. See advanced settings for View Connection Server session type.

When the setting is enabled and a smart card (CAC) supports more than one interface, such as GSC-IS and PIV, GSC-IS is used. However, where the card supports both GSC-IS and PIV and only PIV objects are configured on the card, the connection may fail. If this is the case, uncheck the box and retest. If a smart card supports only one interface, either GSC-IS or PIV endpoint, then only that interface is used regardless of this setting. This only affects smart card access performed outside of PCoIP sessions.

This version of firmware supports pre-session authentication and in-session use.

We have tested these specific smart card models:

| Product Name | Applet Version | Middleware Provider | Pre-Session Authentication | In-Session Use | Comments |
|---|---|---|---|---|---|
| Cyberflex Access 64K V2c | CAC (GSC-IS) ActivClient v2.6.1 applet | ActivIdentity | 3.2.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto Access 64KV2. Note 2, 3 |
| ID-One Cosmo v5.2D 64K | CAC (GSC-IS) ActivClient v2.6.1 applet | ActivIdentity | 3.2.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur Cosmo64 V5.2D. Note 2, 3 |
| ID-One Cosmo v5.2 72K | CAC (GSC-IS) ActivClient v2.6.1 applet | ActivIdentity | 3.2.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur ID One V5.2. Note 2, 3 |
| Cyberflex Access v2c 64K | CAC (GSC-IS) ActivClient v2.6.1 applet | ActivIdentity | 3.2.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto Access 64KV2. Note 2, 3 |
| ID-One Cosmo v5.2D 72K | CAC (PIV Transitional) ActivClient v2.6.2 applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur ID One V5.2 Dual. This card has both contact and contactless interfaces. Only contact interfaces are supported. Note 2, 3 |
| Gemalto GemCombiXpresso R4 dual interface | CAC (PIV Transitional) ActivClient v2.6.2 applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto GCX4 72K DI. This card has both contact and contactless interfaces. Only contact interfaces are supported. Note 2, 3 |
| ID-One Cosmo v5.2D 72K | CAC (PIV Endpoint) ActivClient v2.6.2 applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur ID One V5.2 Dual. This card has both contact and contactless interfaces. Only contact interfaces are supported. Note 2, 3 |
| Gemalto GemCombiXpresso R4 dual interface | CAC (PIV Endpoint) ActivClient v2.6.2 applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto GCX4 72K DI. This card has both contact and contactless interfaces. Only contact interfaces are supported. Note 2, 3 |
| Gemalto TOP DL GX4 144K | CAC (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto TOP DL GX4 144K. This card has both contact and contactless interfaces. Only contact interfaces are supported. Note 2, 3 |
| Oberthur ID-One Cosmo 128 v5.5 for DoD CAC | CAC (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur ID One 128 v5.5 Dual. This card has both contact and contactless interfaces. Only contact interfaces are supported. Note 2 |
| CosmopolIC 64K V5.2 | CAC (GSC-IS) ActivClient v2.6.2 applet | ActivIdentity | 3.2.0 and higher | 3.2.0 and higher | Note 2, 3 |
| ID-One Cosmo v7.0 with Oberthur PIV Applet Suite 2.3.2 | CAC (PIV Endpoint) ActivClient v2.3.2 applet | ActivIdentity | 3.4.0 and higher | 3.4.0 and higher | A PIV Endpoint card uses the T=1 protocol. Note 2, 3 |
| GemCombiXpresso | CAC (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto TOP DL GX4 72K. Note 2, 3 |
| ID-One Cosmo 64 v5.2D Fast ATR with PIV application SDK | CAC (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur CS PIV End Point v1.08 FIPS 201. Note 2, 3 |
| ID-One Cosmo v7.0 128K | CAC (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Note 2, 3 |
| SmartCafe Expert 144K DI v3.2 | CAC (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Note 2, 3 |
| Cyberflex Access 64K V2c | ACS PKI 1.12 | Gemalto Access Client | 4.0.0 and higher | 3.2.0 and higher | Note 3 |
| Cyberflex Access 64K V2c | ACS PKI 1.14 | Gemalto Access Client | 4.0.0 and higher | 3.2.0 and higher | Note 3 |
| Axalto Cryptoflex .NET | Gemalto .NET | Gemalto/ Windows | 3.4.1 and higher | 3.2.0 and higher | Implements the Gemalto .NET standard. The middleware is built into Windows. Note 3 |
| SIPR Token (SafeNet SC650) | Coolkey applet | 90meter | 3.5.1 and higher | 3.2.0 and higher | This card uses 3V power, which many readers do not supply. Please see the reader list for compatible readers. Note 3 |
| SafeNet SC650 | SafeNet PKI | SafeNet SHAC | 4.1.0 and higher | 4.1.0 and higher | Note 3 |
| SafeNet SC650 Blade | SafeNet PKI | SafeNet SHAC | 5.1.0 and higher | 5.1.0 and higher | Note 3 |
| Atos CardOS | CardOS | CardOS API | 4.1.0 and higher | 4.1.0 and higher | Note 3 |
| eToken 4100 | eToken Java | SafeNet Authentication Client | 5.1.1 and higher | 5.1.1 and higher | Note 3 |
| eToken 5100 | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 |
| eToken 5105 | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 |
| eToken 5200 | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 |
| eToken 5205 | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 |
| eToken NG-OTP 72k | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 |
| eToken 72k Pro (IN FW 4.1.0) | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 |
| Gemalto IDCore 3020 PIV | PIV | Windows NIST SP 800-73 PIV (can be provisioned with Charismathics Security Token Configurator 5.0.2) | 4.8.0 and higher | 4.8.0 and higher | Note 3. Install user cert using Charismathics STC Key Pair; Import Key Pair from PFX-File |
| Buypass | Buypass Proprietary | Buypass Proprietary | 4.8.0 and higher | 4.8.0 and higher | Note 3. Requires Buypass Middleware version 6.3.0.45 or later |
| SIPR Token (G&D Sm@rtCafé Expert) | Coolkey applet | 90meter | 5.4.1 and higher | 3.2.0 and higher | Note 3. This G&D card works in all known readers |
| Gemalto IDPrime MD 830 w/o Secure Messaging (enhancements in FW 6.4), IDPrime MD 840, IDPrime MD 3810 | Gemalto Proprietary | Gemalto | 5.5.0 and higher | 5.5.0 and higher | Note 3. Gemalto IDPrime MD 830 (Level 2) with firmware 6.1.0 or higher supports smart cards provisioned with SafeNet Authentication Client |
| PIVkey C980 | PIV | Taglio PIVKey Installer-User-7.1.0.5 (https://pivkey.com/download/pkuser.zip) | 5.5.1 and higher | 4.8.0 and higher | Note 3. Install user cert using Versasec vSEC_CMS_K2.0 from certificate PFX-File. vSEC-CMS_K2.0.exe can be downloaded as part of https://pivkey.com/pkadmin.zip Certificate can be mapped to container using pivkeytool.exe, which is also included in the Installer-Admin file in pkadmin.zip. More information from https://pivkey.zendesk.com/hc/en-us |
| Crescendo 144K FIPS | PIV | Actividentity | 5.5.1 and higher | 5.5.1 and higher | Note 3. For Pre-session authentication, “Prefer GSC-IS” must be disabled in AWI Advanced Session Connection configuration |
| HID Crescendo 144K FIPS Stand-Alone card | CAC (GSC-IS 2.1) | Actividentity | 6.1.0 and higher | 6.1.0 and higher | Note 3. Tested when provisioned onto G&D Sm@rtCafe Expert 144K v7 cards. |
| Thales/Gemalto/SafeNet eToken 5110 | eToken Java | SHAC 2.12.020 | 6.1.0 and higher | 6.1.0 and higher | Note 3 |
| SafeNet AT SC650 v3.2 | Entrust PIV 2.4.2R0 | Windows NIST SP 800-73 PIV (bridged only) or ActiveIdentity | 6.3.0 and higher | 6.3.0 and higher | |
| Entrust | Entrust PIV 2.4.2R0 | Windows NIST SP 800-73 PIV (bridged only) or ActiveIdentity | 6.3.0 and higher | 6.3.0 and higher | |
| Oberthur/IDEMIA ID-One Cosmo v8.0, v8.1 | ID-One PIV 2.4.0 and 2.4.1 | ActivIdentity | 6.4.0 and higher | 6.3.0 and higher | Supported readers include IDBridge CT30/SCR3310/SCR3310 v2.0/Omnikey OK3121/Omnikey 3021 |
| Oberthur/IDEMIA ID-One Cosmo v8.0 Alt Token | CAC V2.7.4 Applets | ActivIdentity | 6.4.0 and higher | 6.4.0 and higher | |
| G+D Sm@rtCafe Expert v7.0 | CAC V2.7.5 Applets | ActivIdentity | 6.4.0 and higher | 6.4.0 and higher | |
| Gemalto IDPrime MD 830 Rev B (Level 3; Level 2 with Secure Messaging Enabled) | IDPrime Java Applet 4.3.5.D with Secure Messaging | Safenet Authentication Client 10.7 | 6.4.0 and higher | 6.4.0 and higher | |
| IDEMIA Cosmo 8.1 r2 | IAS-ECC V1.0.1 | SecMaker Net iD Enterprise 6.8.0.22 | 21.03.0 and higher | 21.03.0 and higher | |
| Thales IDPrime 930 FIPS 140 L2 | IDPrime Java Applet 4.5.0E | Safenet Authentication Client 10.8 R5 | 21.10.0 and higher | 21.10.0 and higher | |
| Thales IDPrime 930 FIPS 140 L3 | IDPrime Java Applet 4.5.0E | Safenet Authentication Client 10.8 R5 | 21.10.0 and higher | 21.10.0 and higher | |
| Thales IDPrime 3930 FIPS 140 L2 | IDPrime Java Applet 4.5.0E | Safenet Authentication Client 10.8 R5 | 21.10.0 and higher | 21.10.0 and higher | |
| Thales IDPrime 940 | IDPrime Java Applet 4.4.2.A | Safenet Authentication Client 10.8 R5 | 21.10.0 and higher | 21.10.0 and higher | |
| Thales IDPrime 3940 | IDPrime Java Applet 4.5.0E | Safenet Authentication Client 10.8 R5 | 21.10.0 and higher | 21.10.0 and higher | |
| Thales/Gemalto/SafeNet eToken 5110 | eToken Java Applet 1.7.7 | Safenet Authentication Client 10.8 R5 | 21.10.0 and higher | 21.10.0 and higher | Note 3 |
| SafeNet AT SC650 v4.2 | Coolkey | 980meter | 23.06.0 and higher | 23.06.0 and higher | Note 3 |

Notes:

  1. Your card may be on the supported card list; however, the applet on the card may not be supported.

  2. Solutions must be validated in user environments before selecting a solution, as environmental differences including network conditions or other components may impact support.

  3. Supports the Gemalto CT700 smart card reader.

Supported Smart Cards and USB Smart Card Readers for Tera2 PCoIP Zero Clients Connected to PCoIP Connection Managers

When used with a PCoIP Connection Manager that supports ID card authentication, the firmware securely transfers the attached ID card identifier to the PCoIP Connection Manager before a session is established.

Virtual Desktop Requirements

  • Tera2 PCoIP Zero Client firmware 5.4 or later

  • PCoIP Multi-Session Agent running on Windows Server 2016

Supported USB Smart Card Readers

  • Gemalto IDBridge CT30 (legacy name: PC USB TR and PC TWIN)

  • Rocketek RT-SCR1

Supported Smart Card Models

We have tested these specific smart card models:

  • Enhanced BasicCard

  • Payflex Smart Card

  • Open Platform Smart Card