Smart Cards¶
This reference provides the requirements to support pre-session smart card authentication when connecting to VMware Horizon (View) know to work with the latest firmware. It also lists Supported Smart Cards and USB Smart Card Readers for Tera2 PCoIP Zero Clients Connected to PCoIP Connection Managers
Smart Card Dependencies
It is important to test your smart card in your deployment. Changes to smart card vendor applets and middleware software may cause smart cards to become ineffective in your deployment.
Smart Card Authentication with Leostream Broker (Beta)
Pre-session smart card support with PCoIP Zero Clients when connecting to Remote Workstation Cards or HP Anyware with Leostream broker — supported with PCoIP Zero Client firmware 6.4 and Leostream version 9.0.35 beta (Contact Leostream for details on their generally available release). Smart cards cannot be used for single sign-on to a workstation for this solution.
PCoIP Zero Clients support pre-session smart card authentication when connecting to VMware Horizon virtual desktops that meet the system configuration requirements listed below. For deployments that meet these requirements, PCoIP Zero Clients can also read and process smart card information and allow SSO (single sign-on) authentication of the user prior to session establishment.
System Requirements¶
When used with VMware Horizon 4.5 or higher with smart card authentication enabled, the firmware securely transfers the attached smart card properties to the View Connection Server for authentication and SSO of a user prior to a session. The Zero Client only supports 75 distinguished names when using Smart Card authentication.
Note on distinguished names
The distinguished names are retrieved from the keystore file that is created on the View Connection Server (VCS). The keystore file contains a list of all customer certificates being used.
Smart Card Certificate Requirements¶
-
Key usage must be set to digital signature
-
Subject common name and/or subject alternative name (other name) must be set
-
Enhanced key usage must include client authentication and/or smart card logon
-
Key length must not be larger than 2048 bit
Virtual Desktop Requirements¶
-
VMware Horizon 4.5 or higher.
-
VM Guest OS: Windows 10 or 7.
-
PCoIP zero client firmware 3.2.0 or newer (smart cards supported in later firmware releases are indicated as such).
-
Both Horizon Agent smart card redirection and USB redirection must be installed for users to authenticate using smart cards. These are not selected to be installed by default.
Components and features installed by default can change
When performing an installation or upgrade, make sure the components and features that you require are installed by default. Components and features installed by default can change between releases and cause resources to fail, particularly after an upgrade.
Smart Card Readers¶
Supported USB Smart Card Readers¶
Warning
Not all readers will function properly with all smart card solutions.
-
Alcor AU9540-GBS (built into selected Samsung PCoIP Zero Clients)
-
Castles Technology EZM110CU (built into selected ClearCube PCoIP Zero Clients)
-
Castles Technology EZM110PU (built into selected ClearCube PCoIP Zero Clients)
-
Cherry SmartBoard keyboard
-
Dell Smart Card USB keyboard SK3205
-
Gemalto PC Twin HWP108765C
-
Gemalto PC Twin HWP108760D
-
Gemalto PC USB-SW
-
Gemalto IDBridge CR20/CT30/CT31
-
HP KUS0133 Smart Card Keyboard
-
Leadtek Alcor Reader
-
OmniKey 3021
-
OmniKey 3121
-
OmniKey 5321 (Note: the 5321 CLi variant is currently not supported)
-
Omnikey 5421
-
Peripheral Dynamics PT-3901
-
SCR331
-
SCR333
-
SCR335
-
SCR3310
-
SCR3310/v2.0
Gemalto CT700 Smart Card Reader¶
The Gemalto CT700 smart card reader supports pre-session PIN-pad entries when using firmware 22.09 or newer and when the Zero Client is using the View Connection Server session connection type.
Single Sign-on
SSO is not supported when using CT700 PIN Pad
Known Smart Card Readers compatible with SC650/SIPR¶
-
Omnikey 3021
-
Omnikey 3121
-
Omnikey 5321
-
ClearCube Zero Client with a built-in Omnikey 3021 reader
-
Gemalto GemPC Twin
-
SCM SCR3310 v2
Smart Cards¶
Tested Smart Card Models¶
GSC-IS and PIV Authentication Flow
The default authentication flow prior to firmware 6.5 was to use the GSC-IS driver before the PIV driver. Now the PIV driver is used first before the GSC-IS driver. If required, you can change the default authentication flow by enabling the Prefer GSC-IS setting. See advanced settings for View Connection Server session type.
When enabled, if a smart card (CAC) supports more than one interface such as GSC-IS and PIV then GSC-IS is used. However in the case where the card supports both GSC-IS and PIV, and only PIV objects are configured on the card then the connection may fail. If this is the case uncheck the box and retest. If a smart card supports only one interface, such as either GSC-IS or PIV endpoint, then only the GSC-IS or PIV endpoint interface is used regardless of this setting. This only affects smart card access performed outside of PCoIP sessions.
Tip: Viewing all columns of a table
Scroll to the bottom of the table and use the horizontal scroll bar to view all columns of large tables
This version of firmware supports pre-session authentication and in-session use.
We have tested these specific smart card models:
| Product Name | Applet Version | Middleware Provider | Pre-Session Authentication | In-Session Use | Comments |
|---|---|---|---|---|---|
| Cyberflex Access 64K V2c | CAC (GSC-IS) ActivClient v2.6.1 applet | ActivIdentity | 3.2.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto Access 64KV2 Note 2,3 |
| ID-One Cosmo v5.2D 64K | CAC (GSC-IS) ActivClient v2.6.1 applet | ActivIdentity | 3.2.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur Cosmo64 V5.2D Note 2,3 |
| ID-One Cosmo v5.2 72K | CAC (GSC-IS) ActivClient v2.6.1 applet | ActivIdentity | 3.2.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur ID One V5.2 Note 2,3 |
| Cyberflex Access v2c 64K | CAC (GSC-IS) ActivClient v2.6.1 applet | ActivIdentity | 3.2.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto Access 64KV2. Note 2, 3 |
| ID-One Cosmo v5.2D 72K | CAC(PIV Transitional) ActivClient v2.6.2 applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur ID One V5.2 Dual This card has both contact and contactless interfaces. Only contact interfaces are supported. Note 2, 3 |
| Gemalto GemCombiXpresso R4 dual interface | CAC(PIV Transitional) ActivClient v2.6.2 applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto GCX4 72K DI This card has both contact and contactless interfaces. Only contact interfaces are supported. Note 2, 3 |
| ID-One Cosmo v5.2D 72K | CAC (PIV Endpoint) ActivClient v2.6.2 applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur ID One V5.2 Dual This card has both contact and contactless interfaces. Only contact interfaces are supported. Note 2, 3 |
| Gemalto GemCombiXpresso R4 dual interface | CAC (PIV Endpoint) ActivClient v2.6.2 applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto GCX4 72K DI This card has both contact & contactless interfaces. Only contact interfaces are supported. Note 2, 3 |
| Gemalto TOP DL GX4 144K | CAC (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto TOP DL GX4 144K. This card has both contact and contactless interfaces. Only contact interfaces are supported. Note 2, 3 |
| Oberthur ID-One Cosmo 128 v5.5 for DoD CAC | CAC (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur ID One 128 v5.5 Dual. This card has both contact & contactless interfaces. Only contact interfaces are supported. Note 2 below |
| CosmopolIC 64K V5.2 | CAC (GSC-IS) ActivClient v2.6.2 applet | ActivIdentity | 3.2.0 and higher | 3.2.0 and higher | Note 2, 3 |
| ID-One Cosmo v7.0 with Oberthur PIV Applet Suite 2.3.2 | CAC (PIV Endpoint) ActivClient v2.3.2 applet | ActivIdentity | 3.4.0 and higher | 3.4.0 and higher | A PIV Endpoint card uses the T=1 protocol Note 2, 3 |
| GemCombiXpresso | CAC (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto TOP DL GX4 72K Note 2, 3 |
| ID-One Cosmo 64 v5.2D Fast ATR with PIV application SDK | CAC (PIV Endpoint ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur CS PIV End Point v1.08 FIPS 201 Note 2, 3 |
| ID-One Cosmo v7.0 128K | CAC (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Note 2, 3 |
| SmartCafe Expert 144K DI v3.2 | CAC (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Note 2, 3 |
| Cyberflex Access 64K V2c | ACS PKI 1.12 | Gemalto Access Client | 4.0.0 and higher | 3.2.0 and higher | Note 3 |
| Cyberflex Access 64K V2c | ACS PKI 1.14 | Gemalto Access Client | 4.0.0 and higher | 3.2.0 and higher | Note 3 |
| Axalto Cryptoflex .NET | Gemalto .NET | Gemalto/ Windows | 3.4.1 and higher | 3.2.0 and higher | Implements the Gemalto .NET standard. The middleware is built into Windows. Note 3 |
| SIPR Token (SafeNet SC650) | Coolkey applet | 90meter | 3.5.1 and higher | 3.2.0 and higher | This card uses 3V power, which many readers do not supply. Please see the reader list for compatible readers. Note 3 |
| SafeNet SC650 | SafeNet PKI | SafeNet SHAC | 4.1.0 and higher | 4.1.0 and higher | Note 3 |
| SafeNet SC650 Blade | SafeNet PKI | SafeNet SHAC | 5.1.0 and higher | 5.1.0 and higher | Note 3 |
| Atos CardOS | CardOS | CardOS API | 4.1.0 and higher | 4.1.0 and higher | Note 3 |
| eToken 4100 | eToken Java | SafeNet Authentication Client | 5.1.1 and higher | 5.1.1 and higher | Note 3 |
| eToken 5100 | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 |
| eToken 5105 | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 |
| eToken 5200 | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 |
| eToken 5205 | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 |
| eToken NG-OTP 72k | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 |
| eToken 72k Pro (IN FW 4.1.0) | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 |
| Gemalto IDCore 3020 PIV | PIV | Windows NIST SP 800-73 PIV (can be provisioned with Charismathics Security Token Configurator 5.0.2) | 4.8.0 and higher | 4.8.0 and higher | Note 3 Install user cert using Charismathics STC Key Pair Import Key Pair from PFX-File |
| Buypass | Buypass Proprietary | Buypass Proprietary | 4.8.0 and higher | 4.8.0 and higher | Note 3 Requires Buypass Middleware version 6.3.0.45 or later |
| SIPR Token (G&D Sm@rtCafé Expert) | Coolkey applet | 90meter | 5.4.1 and higher | 3.2.0 and higher | Note 3 This G&D card works in all known readers |
| Gemalto IDPrime MD 830 w/o Secure Messaging (enhancements in FW 6.4), IDPrime MD 840, IDPrime MD 3810 |
Gemalto Proprietary | Gemalto | 5.5.0 and higher | 5.5.0 and higher | Note 3 Gemalto IDPrime MD 830(Level 2) with firmware 6.1.0 or higher supports smart cards provisioned with SafeNet Authentication Client |
| PIVkey C980 | PIV | Taglio PIVKey Installer-User-7.1.0.5 (https://pivkey.com/download/pkuser.zip) | 5.5.1 and higher | 4.8.0 and higher | Note 3 Install user cert using Versasec vSEC_CMS_K2.0 from certificate PFX-File. vSEC-CMS_K2.0.exe can be downloaded as part of https://pivkey.com/pkadmin.zip Certificate can be mapped to container using pivkeytool.exe, which is also included in the Installer-Admin file in pkadmin.zip. More information from https://pivkey.zendesk.com/hc/en-us |
| Crescendo 144K FIPS | PIV | Actividentity | 5.5.1 and higher | 5.5.1 and higher | Note 3 For Pre-session authentication, “Prefer GSC-IS” must be disabled in AWI Advanced Session Connection configuration |
| HID Crescendo 144K FIPS Stand-Alone card | CAC (GSC-IS 2.1) | Actividentity | 6.1.0 and higher | 6.1.0 and higher | Note 3 Tested when provisioned onto G&D Sm@rtCafe Expert 144K v7 cards. |
| Thales/Gemalto/SafeNet eToken 5110 | eToken Java | SHAC 2.12.020 | 6.1.0 and higher | 6.1.0 and higher | Note 3 |
| SafeNet AT SC650 v3.2 | Entrust PIV 2.4.2R0 | Windows NIST SP 800-73 PIV (bridged only) or ActiveIdentity |
6.3.0 and higher | 6.3.0 and higher | |
| Entrust | Entrust PIV 2.4.2R0 | Windows NIST SP 800-73 PIV (bridged only) or ActiveIdentity |
6.3.0 and higher | 6.3.0 and higher | |
| Oberthur/IDEMIA ID-One Cosmo v8.0, v8.1 | ID-One PIV 2.4.0 and 2.4.1 | ActivIdentity | 6.4.0 and higher | 6.3.0 and higher | Supported Readers Include IDBridge CT30/SCR3310/SCR3310 v2.0/Omnikey OK3121/Omnikey 3021 |
| Oberthur/IDEMIA ID-One Cosmo v8.0 Alt Token | CAC V2.7.4 Applets | ActivIdentity | 6.4.0 and higher | 6.4.0 and higher | |
| G+D Sm@rtCafe Expert v7.0 | CAC V2.7.5 Applets | ActivIdentity | 6.4.0 and higher | 6.4.0 and higher | |
Gemalto IDPrime MD 830 Rev B
|
IDPrime Java Applet 4.3.5.D with Secure Messaging | Safenet Authentication Client 10.7 | 6.4.0 and higher | 6.4.0 and higher | |
| IDEMIA Cosmo 8.1 r2 | IAS-ECC V1.0.1 | SecMaker Net iD Enterprise 6.8.0.22 | 21.03.0 and higher | 21.03.0 and higher | |
| Thales IDPrime 930 FIPS 140 L2 | IDPrime Java Applet 4.5.0E | Safenet Authentication Client 10.8 R5 | 21.10.0 and higher | 21.10.0 and higher | |
| Thales IDPrime 930 FIPS 140 L3 | IDPrime Java Applet 4.5.0E | Safenet Authentication Client 10.8 R5 | 21.10.0 and higher | 21.10.0 and higher | |
| Thales IDPrime 3930 FIPS 140 L2 | IDPrime Java Applet 4.5.0E | Safenet Authentication Client 10.8 R5 | 21.10.0 and higher | 21.10.0 and higher | |
| Thales IDPrime 940 | IDPrime Java Applet 4.4.2.A | Safenet Authentication Client 10.8 R5 | 21.10.0 and higher | 21.10.0 and higher | |
| Thales IDPrime 3940 | IDPrime Java Applet 4.5.0E | Safenet Authentication Client 10.8 R5 | 21.10.0 and higher | 21.10.0 and higher | |
| Thales/Gemalto/SafeNet eToken 5110 | eToken Java Applet 1.7.7 | Safenet Authentication Client 10.8 R5 | 21.10.0 and higher | 21.10.0 and higher | Note 3 |
| SafeNet AT SC650 v4.2 | Coolkey | 980meter | 23.06.0 and higher | 23.06.0 and higher | Note 3 |
| STARCOS | STARCOS 3.7 | SecureStore iCA | 23.12 and higher | 23.12 and higher |
Notes:
-
Your card may be on the supported card list however the applet of the card may not be supported.
-
Solutions must be validated in user environments before selecting a solution, as environmental differences including network conditions or other components may impact support.
-
Supports the Gemalto CT700 smart card reader
Supported Smart Cards and USB Smart Card Readers for Tera2 PCoIP Zero Clients Connected to PCoIP Connection Managers¶
When used with a PCoIP Connection Manager that supports ID card authentication, the firmware securely transfers the attached ID card identifier to the PCoIP Connection Manager before a session is established.
Virtual Desktop Requirements
-
Tera2 PCoIP Zero Client firmware 5.4 or later
-
PCoIP Multi-Session Agent running on Windows Server 2016
Supported USB Smart Card Readers
-
Gemalto IDBridge CT30 (legacy name: PC USB TR and PC TWIN)
-
Rocketek RT-SCR1
Supported Smart Card Models
We have tested these specific smart card models:
-
Enhanced BasicCard
-
Payflex Smart Card
-
Open Platform Smart Card