Configuring XenDesktop for use with Smartcards


Document ID: CTX119227 / Created On: Feb 23, 2009 / Updated On: Feb 23, 2009

Summary

This document provides guidance in setting up an example XenDesktop system to work using smartcard logon.

Requirements

It is assumed that you have a stand-alone domain to run the system on. To set up and use smartcard logon, you will need a smartcard enrollment station: a computer from which you will access Microsoft Certificate Services. To simplify the set-up we advise installing the Certification Service on the domain controller, and also using the domain controller as the enrollment station. We will also assume that the domain controller is running Windows 2003 Server or Windows 2003 R2 Server (Windows 2008 Server introduces a number of differences in installing, setting up, and using the Certification Service to enroll smartcards with user certificates – the process is essentially the same but the applications used to achieve it are different and have different interfaces).

Certificate Services

The Certificate Services are installed as an optional Windows component; use Add or Remove Programs and click on Add/Remove Windows Components to start the Windows Components Wizard. If you have not installed Application Server (IIS, Application Server Console, ASP .NET, and COM+ access) you should do so before installing the Certificate Services. If you do not install IIS first, the Web-based certificate server (http://localhost/certsrv/ on your domain controller, substitute the domain controller’s name for “localhost” in the URL to access from a different computer) will not be installed and configured when installing Certificate Services, but Certificate Services can be uninstalled and re-installed if necessary.

Enrollment Station

The smartcards Citrix supports all use USB based readers - if the domain controller is a virtual machine, and is not using a virtualization system which supports USB, then you will need a separate physical machine which is a member of the domain to act as an enrollment station; however, we still recommend installing Certificate Services on the domain controller.

Install smartcard and smartcard reader drivers and other smartcard support software on your enrollment station device.

It is advisable to set up and test smartcard logon at this stage, prior to installing and setting up XenDesktop.

Certificate Templates

By default, none of the certificate templates required for smartcards are enabled. To enable the certificate templates:

1. Start the Certification Authority (short cut in the Administrative Tools folder).

2. Right click the Certificate Templates node and select New → Certificate Template to Issue.

3. Select the templates to issue in the list (use CTRL + Right Mouse Button to make multiple selections). You will need Enrollment Agent and either Smartcard Logon or Smartcard User (a Smartcard User certificate can be used for secure email as well as logon).

4. Click OK.

If you are going to allow users to enroll their own smartcards, then you need to allow domain users access to the templates as well. To do this:

1. Right click on the Certificate Templates node and select Manage.

2. For each of the templates:

a. Right click on the template and select Properties.

b. Click Add.

c. Type Domain Users in the text entry box of the pop up dialog.

d. Click OK.

e. Select Domain Users in the list and select the Read, Write and Enroll permissions.
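
A read-only way to review the result of these steps, as an added example that is not part of the original document: it lists every principal holding Enroll or write rights on the three templates named above. The configuration-partition path and the Certificate-Enrollment right GUID are standard Active Directory values that the document does not mention, and PowerShell is assumed to be installed on a domain-joined machine.

```powershell
# Added example: report who can enroll in, or modify, the smartcard templates.
# Read-only; any domain user can run it.
$templateNames = 'Enrollment Agent', 'Smartcard Logon', 'Smartcard User'  # display names from the steps above
$enrollRight   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'             # Certificate-Enrollment extended right
$writeRights   = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner'
$extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Certificate templates are stored in the forest's configuration partition.
$configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
$searcher.Filter      = '(objectClass=pKICertificateTemplate)'
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel

$report = foreach ($result in $searcher.FindAll()) {
    $displayName = [string]$result.Properties['displayname'][0]
    if ($templateNames -notcontains $displayName) { continue }

    # Resolve each access-control entry to a DOMAIN\name identity.
    $acl = $result.GetDirectoryEntry().psbase.ObjectSecurity
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $rights = [int]$ace.ActiveDirectoryRights
        # Enroll is an extended right: either the specific GUID or "all extended rights".
        $enroll = (($rights -band $extendedRight) -ne 0) -and
                  ($ace.ObjectType -eq $enrollRight -or $ace.ObjectType -eq [guid]::Empty)
        # Write covers changing template properties, its ACL, or its owner.
        $write  = ($rights -band $writeRights) -ne 0

        if ($enroll -or $write) {
            New-Object PSObject -Property @{
                Template = $displayName
                Identity = $ace.IdentityReference.Value
                Enroll   = $enroll
                Write    = $write
            }
        }
    }
}

$report | Sort-Object Template, Identity |
    Select-Object Template, Identity, Enroll, Write |
    Format-Table -AutoSize
```

Rows where Write is True identify principals that can change the template definition itself, not just request certificates from it.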

Smartcard drivers and support software

It will not be possible to enroll smartcards unless the appropriate smartcard drivers and certificate providers are installed on the enrollment station. Note, however, that although the GemAlto reader with the .NET smartcard uses the standard Microsoft smartcard driver, you will need to install the version available from Microsoft under knowledge base article 909520 to get enrollment to work.

The Enrollment Agent

To be able to enroll smartcards you need an enrollment agent, typically an administration role. Such an administrator sets up smartcards for end users. Alternatively, end users can act as their own enrollment agents, and set up their own smartcards.

Setting up a smartcard administrator (enrollment agent as an administration role)

1. Start Internet Explorer on the enrollment station as the user to be given the enrollment agent role (either log on as the user or right click on the Internet Explorer icon on the task bar, select Run as…, and provide the user’s credentials).

2. Navigate to the certsrv Web site (http://localhost/certsrv/ on your domain controller, substitute the domain controller’s name for “localhost” in the URL to access from a different machine).

3. Click on the Request a certificate link.

4. On the next page select the advanced certificate request link.

5. On the next page select the Create and submit a request to this CA link.

6. On the next page choose the Enrollment Agent template in the top drop-down list.

7. Submit and allow the system to install the certificate.

It is worth keeping Internet Explorer open so that you can use it later to enroll smartcards.

The created certificate is installed in the smartcard administrator’s personal certificate folder; you can check this as follows:

1. Run Microsoft Management Console (MMC) from a Command Prompt running as the enrollment agent user (you can right click on the menu item and select Run as… if you are not logged in as the user).

2. On the File menu, select Add/Remove Snap-in.

3. Click Add.

4. Select Certificates.

5. On the Certificates Snap-in dialog that pops up, select the My user account option.

6. There should be a certificate in the folder Certificates – Current User\Personal\Certificates issued to the user which has Certificate Request Agent in the Intended Purposes column.
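
The same check can be scripted. The following is an added example, not part of the original document: it searches the current user's Personal store for certificates whose Enhanced Key Usage includes Certificate Request Agent. The OID is the standard identifier for that purpose and does not appear in the document; `Get-EnrollmentAgentCertificate` is a hypothetical helper name.

```powershell
# Added example; run in a PowerShell session started as the enrollment agent user.
$CertificateRequestAgentOid = '1.3.6.1.4.1.311.20.2.1'   # shown in MMC as "Certificate Request Agent"

function Get-EnrollmentAgentCertificate {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # Certificates - Current User\Personal

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Collect the OIDs from the Enhanced Key Usage extension, if the certificate has one.
        $ekuOids = @(
            $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value }
        )
        if ($ekuOids -notcontains $CertificateRequestAgentOid) { continue }

        $cert | Select-Object Subject, Issuer, NotBefore, NotAfter, HasPrivateKey, Thumbprint,
            @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } }
    }
}

$agents = @(Get-EnrollmentAgentCertificate)
if ($agents.Count -eq 0) {
    Write-Warning 'No certificate with the Certificate Request Agent purpose was found in the Personal store.'
} else {
    $agents | Format-List
    foreach ($agent in $agents) {
        # An agent certificate can only sign enrollment requests if it is in date
        # and its private key is present in this user's profile.
        if ($agent.Expired)           { Write-Warning "Expired: $($agent.Thumbprint)" }
        if (-not $agent.HasPrivateKey) { Write-Warning "No private key: $($agent.Thumbprint)" }
    }
}
```

Running it under other accounts shows which users hold an enrollment agent certificate, which is worth knowing because that certificate allows enrolling smartcards on behalf of other users.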

Setting up a smartcard for another user as a smartcard administrator

You may need to initialize the smartcard before it is possible to enroll it – follow the manufacturer’s guidance.

1. In Internet Explorer running as the smartcard administrator, navigate to the certsrv Web site on the domain controller (http://localhost/certsrv/, substitute the domain controller’s name for “localhost” in the URL to access from a different machine).

2. Click on the Request a certificate link.

3. On the next page select the advanced certificate request link.

4. On the next page select the Request a certificate for a smartcard on behalf of another user using the smartcard certificate enrollment station link.

5. This takes you to a page which uses ActiveX, so you may need to adjust your Internet Explorer settings to get it to work correctly. On this page:

a. Select the template you want to use (Smartcard Logon or Smartcard User).

b. Select the certificate provider appropriate to the smartcard being enrolled.

c. Click Select User.

d. Select the user to whom the card is being issued and click OK.

e. Click Submit.

6. On the next page, allow Windows to install the certificate – this will put it on the smartcard.

7. Check that the smartcard works to log onto a domain joined endpoint. Note that you will in general need to install drivers for the smartcard reader and smartcard on the endpoint machine to do this (see Setting up an endpoint machine for more information).

Setting up a smart card for oneself

As the smartcard user, use the certsrv Web site to issue an enrollment agent certificate, following the same steps as used for a smartcard administrator (this may not be necessary to issue a smartcard to oneself – needs to be checked).

To enroll the smartcard:

1. In Internet Explorer, navigate to the certsrv Web site on the domain controller (http://localhost/certsrv/, substitute the domain controller’s name for “localhost” in the URL to access from a different device).

2. Click on the Request a certificate link.

3. On the next page select the advanced certificate request link.

4. On the next page select the Create and submit a request to this CA link.

5. On the next page:

a. Select either the Smartcard Logon or Smartcard User certificate template.

b. Select the required key size (beware - changing the template resets this field).

c. Click on the Submit button.

6. On the next page, allow Windows to install the certificate – this will put it on the smartcard.

7. Check that the smartcard works to log onto a domain-joined endpoint. Note that you will in general need to install drivers for the smartcard reader and smartcard on the endpoint machine to do this (see Setting up an endpoint machine for more information).

Setting up XenDesktop

Install the Desktop Delivery Controller as normal, and in addition locate and run ASC_WebInterface.msi from the XenDesktop installation media (this cannot be installed using the setup program). This will add the Web Interface administration nodes to the Citrix Management Console.

Create a desktop for your demonstration smartcard user as normal.

To demonstrate Web Interface access to XenDesktop

It is best to create a new Web Interface Web site:

1. Start Citrix Management Console on your Desktop Delivery Controller machine.

2. Right click on the Web Interface node (under Citrix Resources\Configuration Tools) and select Create site (or select the node and click Create Site in the Common Tasks list).

3. Select XenApp Web, and click Next.

4. On the next page, change the path (that is, /Citrix/SmartcardDesktop/).

5. On the next page, leave the point of authentication as At Web Interface, click Next.

6. Check the settings on the next page - go back to change anything wrong or click Next.

7. On the next page, after the site has been created, leave the Configure this site now check box selected and click Next.

8. On the next page:

a. Type in your desktop farm name into the Farm Name text box.

b. Click Add and type the name of the Desktop Delivery Controller machine into the entry dialog, then click OK.

c. Click Next.

9. On the next page, clear the Explicit check box, and select Pass-through with smart card, then click Next.

10. Click through the remaining settings pages and click Finish.

Install the smartcard drivers on each machine to be used as a Virtual Desktop Agent – we recommend doing this before installing the Virtual Desktop Agent software. All of the computers in your smartcard supporting farm should have smartcard drivers installed. You should then be able to log on to the endpoint device using a smartcard, start Internet Explorer and navigate to your smartcard enabled XenDesktop Web site, which should auto-login and, if there is only one desktop choice, auto start and log in the desktop. Using the smartcard with applications on the desktop will require the PIN to be entered.

Demonstrating direct access to XenDesktop

It is probably best to create another new site. Also, this is intended to work using https to communicate with the Desktop Delivery Controller, so you should first issue a certificate for IIS on that device. You can do this using the IIS management console (Internet Information Services (IIS) Manager under Administrative Tools on the start menu):

1. Select the Default Web Site node and open its property page (from the Action menu, or from the toolbar, or from the right mouse button menu).

2. Select the Directory Security tab on the properties page.

3. Click Server Certificate. This starts the Web Server Certificate Wizard.

4. Click Next on the Welcome page, then select Create a new certificate on the Server Certificate page.

5. On the next page, select Send the request immediately to an online certification authority.

6. The settings should be fine on the next page (Name and Security Settings).

7. Set up appropriate names for the local organization on the next page (Organization Information).

8. On the next page (Your Site's Common Name) use the full DNS name rather than the NetBIOS name.

9. Fill in the appropriate values on the next page (Geographical Information).

10. On the next page, SSL Port, the correct value (443) should already be shown.

11. On the next page you probably have no choice of Certification Authority, which should be the certificate server Web site on your domain controller.

12. Check the details on the next page (this is your last chance to go back and change something).

13. Click Next to create, download, and install the certificate.

You should now have a certificate, and if so, you will be able to click on View Certificate under the Directory Security tab on the properties page.

To set up the Web site:

1. Start Citrix Management Console on your Desktop Delivery Controller.

2. Right click on the Web Interface node (under Citrix Resources\Configuration Tools) and select Create site (or select the node and click Create Site in the Common Tasks list).

3. Select XenApp Service, and click Next.

4. On the next page, change the path (that is, /Citrix/SmartcardService/).

5. Check the settings on the next page - go back to change anything wrong or click Next.

6. On the next page, after the site has been created, leave the Configure this site now check box checked and click Next.

7. On the next page, type in your desktop farm name and the name of the Desktop Delivery Controller machine.

8. On the next page, leave the selection as Remote, and click Finish.

9. Select the config.xml node under the node for the newly created site, right-click and select the Configure authentication methods task (or use the link in the Common Tasks list).

10. Set Pass-through with smart card as the only method, and click Properties.

11. Select Kerberos Authentication in the tree, and check the Use Kerberos to authenticate to XenApp Services site check box.

On your demonstration endpoint machine remove any existing version of Citrix Desktop Receiver or Citrix App Receiver, and run DesktopRecieverFull.msi from the clients folder on the XenDesktop install disk. This will install both Citrix XenApp Web Plugin and Citrix XenApp Plugin.

1. You will need Citrix XenApp Plugin selected for this demonstration (but both can be installed).

2. On the Specify Server Address page of the install wizard type in the Web address for config.xml (that is, https:///Citrix/SmartcardService/config.xml - you can test the address in IE; change the internet zone for the server if required to make this work).

3. On the Use Local Name and Password page change the selection to Yes.

4. Reboot the endpoint machine.

5. Log on using your demonstration user’s smart card.

6. The user’s remote desktop should now appear under All Programs on the start menu.

Setting up an endpoint device

Your endpoint device, in general, needs to have drivers installed for both the smartcard reader and smartcard - follow the manufacturer's guidelines. In a few cases, such as the GemAlto PC USB-SL reader used with the GemAlto .NET card, the drivers are standard, but when you plug the reader into a Windows XP computer, it pops up a system tray item to prompt you to install the Microsoft USB smartcard reader driver (which is not part of the Windows XP installation) - this driver can also be installed using the device manager.

If you are going to demonstrate a domain-joined endpoint with single-sign-on, note that, by default, both Web Interface access and direct access will use the Toolbar Plugin, which does not support single-sign-on on the remote desktop - this means that you have to enter your smart card PIN to log into the remote desktop. Both the Web plugin and the desktop plugin can be changed to use the Full Screen Plugin, which does support single-sign-on on the remote desktop. To do this, in Windows Explorer, find each default.ica file in the corresponding site folder (\Inetpub\wwwroot\Citrix\\conf), open default.ica in Notepad and find the line with [Application] on it. Insert a new line so that the file now reads:

[Application]

ConnectionBar=0

Configuring application streaming

This section assumes you already know how to set up a streamed application. It details how to modify your setup to get streamed applications to work with smart card authentication.

On your profiling device (where you installed the profiler):

1. Run the profiler.

2. Select the XP O/S node (under which you will have created the application profiles).

3. Bring up the properties page.

4. Select Rules.

5. Modify the Default named object ignore rule by adding the following two entries:

\??\Pipe\CtxSmartCardSvc\*

\\.\Pipe\CtxSmartCardSvc\*

6. Save the configuration.

On the profiling device and each endpoint device, replace the file SandboxData.xml. The file is found at the following locations:

• On your profiler device: \Program Files\Citrix\Streaming Profiler\SandboxData.xml

• On your endpoint device: \Program Files\Citrix\Streaming Client\SandboxData.xml

Copy and paste this updated text to replace the current text of SandboxData.xml:

<?xml version="1.0" encoding="UTF-8"?>
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.citrix.com/AIE AIE.xsd">

%AIE_NAME%






false
true
true
true
true

%AIE_USERAPPLICATIONDATA%\Citrix\AIE\%AIE_NAME%
%ProgramFiles%\Citrix\AIE\%AIE_NAME%









false
false
false
true
false

CitrixAIENamedObjectUserRoot
CitrixAIENamedObjectInstallRoot









false
false
false
true
true

HKCU\software\Citrix\AIE\%AIE_NAME%
HKLM\software\Citrix\AIE\%AIE_NAME%









%SystemDrive%\RECYCLER
%AIE_FS_IGNORE_DESC%





%SystemDrive%\System Volume Information
%AIE_FS_IGNORE_DESC%





%TMP%
%AIE_FS_IGNORE_DESC%





%ProgramData%\Symantec
%AIE_FS_IGNORE_DESC%





%TEMP%
%AIE_FS_IGNORE_DESC%





%LOCALAPPDATA%\Temp\SxSTemp
%AIE_FS_IGNORE_DESC%





%APPDATA%\Citrix\PNAgent\ResourceCache
%AIE_FS_IGNORE_DESC%





%LOCALAPPDATA%\Temp
%AIE_FS_IGNORE_DESC%





%SystemRoot%\WinSxS\InstallTemp
%AIE_FS_IGNORE_DESC%





%USERPROFILE%
%AIE_FS_IGNORE_DESC%





%AIE_USERAPPLICATIONDATA%
%AIE_FS_ISOLATE_DESC%





%AIE_USERDESKTOP%
%AIE_FS_IGNORE_DESC%





%AIE_USERSTARTMENU%
%AIE_FS_ISOLATE_DESC%






%AIE_METAFRAME%\Installer
%AIE_FS_IGNORE_DESC%





%SystemRoot%\system32\spool\PRINTERS
%AIE_FS_IGNORE_DESC%





%SystemRoot%\SysWOW64\spool\PRINTERS
%AIE_FS_IGNORE_DESC%





%UserProfile%\NTUSER.DAT
%AIE_FS_IGNORE_DESC%





%windir%\Prefetch
%AIE_FS_IGNORE_DESC%





%windir%\CSC
%AIE_FS_IGNORE_DESC%





%SystemRoot%\System32\ole32.dll
%AIE_FS_IGNORE_DESC%





%SystemRoot%\SysWow64\ole32.dll
%AIE_FS_IGNORE_DESC%





%SystemRoot%\System32\shell32.dll
%AIE_FS_IGNORE_DESC%





%SystemRoot%\SysWow64\shell32.dll
%AIE_FS_IGNORE_DESC%





%SystemRoot%\System32\kernel32.dll
%AIE_FS_IGNORE_DESC%





%SystemRoot%\SysWow64\kernel32.dll
%AIE_FS_IGNORE_DESC%





%SystemRoot%\System32\ntdll.dll
%AIE_FS_IGNORE_DESC%





%SystemRoot%\SysWow64\ntdll.dll
%AIE_FS_IGNORE_DESC%





%SystemRoot%\System32\user32.dll
%AIE_FS_IGNORE_DESC%





%SystemRoot%\SysWow64\user32.dll
%AIE_FS_IGNORE_DESC%





%SystemRoot%\System32\oleaut32.dll
%AIE_FS_IGNORE_DESC%





%SystemRoot%\SysWow64\oleaut32.dll
%AIE_FS_IGNORE_DESC%





%SystemRoot%\System32\advapi32.dll
%AIE_FS_IGNORE_DESC%





%SystemRoot%\SysWow64\advapi32.dll
%AIE_FS_IGNORE_DESC%





%SystemRoot%\System32\mydocs.dll
%AIE_FS_IGNORE_DESC%





%SystemRoot%\SysWow64\mydocs.dll
%AIE_FS_IGNORE_DESC%





%AIE_USERDESKTOP%\GoToMeeting.lnk
%AIE_FS_ISOLATE_DESC%





%AIE_USERDESKTOP%\GoToWebinar.url
%AIE_FS_ISOLATE_DESC%





\??\pipe\RadeRunPipe-*
%AIE_OBJ_IGNORE_DESC%





WMS Notif Engine*
%AIE_OBJ_IGNORE_DESC%





global\
%AIE_OBJ_IGNORE_DESC%





Local\CtxRadeHook*
%AIE_OBJ_IGNORE_DESC%




\NLS
%AIE_OBJ_IGNORE_DESC%





\KernelObjects
%AIE_OBJ_IGNORE_DESC%





\\.\pipe\Pipe$CtxSandbox_MSI
%AIE_OBJ_IGNORE_DESC%





\??\pipe\DAV RPC SERVICE
%AIE_OBJ_IGNORE_DESC%





\??\pipe\Pipe$CtxSandbox_MSI
%AIE_OBJ_IGNORE_DESC%





\\.\pipe\Pipe$CtxSandbox_ADF
%AIE_OBJ_IGNORE_DESC%





\??\pipe\Pipe$CtxSandbox_ADF
%AIE_OBJ_IGNORE_DESC%





\??\pipe\lsarpc
%AIE_OBJ_IGNORE_DESC%





\??\pipe\svcctl
%AIE_OBJ_IGNORE_DESC%





\??\pipe\netlogon
%AIE_OBJ_IGNORE_DESC%





\??\pipe\ntsvcs
%AIE_OBJ_IGNORE_DESC%





\??\pipe\srvsvc
%AIE_OBJ_IGNORE_DESC%





\\.\pipe\srvsvc
%AIE_OBJ_IGNORE_DESC%





\??\pipe\wkssvc
%AIE_OBJ_IGNORE_DESC%





\??\pipe\samr
%AIE_OBJ_IGNORE_DESC%





\SECURITY\LSA_AUTHENTICATION_INITIALIZED
%AIE_OBJ_IGNORE_DESC%





WinSta0_DesktopSwitch
%AIE_OBJ_IGNORE_DESC%





OleDfRoot*
%AIE_OBJ_IGNORE_DESC%





shell.*
%AIE_OBJ_IGNORE_DESC%





RPC Control
%AIE_OBJ_IGNORE_DESC%





local\mmhook*
%AIE_OBJ_IGNORE_DESC%





local\sehook20shmem
%AIE_OBJ_IGNORE_DESC%





semain30*
%AIE_OBJ_IGNORE_DESC%





smartcardsessionreconnect
%AIE_OBJ_IGNORE_DESC%





CTF.*
%AIE_OBJ_IGNORE_DESC%





Ctfmon*
%AIE_OBJ_IGNORE_DESC%





MSCTF.*
%AIE_OBJ_IGNORE_DESC%





Cicero*
%AIE_OBJ_IGNORE_DESC%





{773F1B9A-35B9-4E95-83A0-A210F2DE3B37}-running
%AIE_OBJ_IGNORE_DESC%





{773F1B9A-35B9-4E95-83A0-A210F2DE3B37}-request

%AIE_OBJ_IGNORE_DESC%





DragDrop*
%AIE_OBJ_IGNORE_DESC%





/*
%AIE_OBJ_IGNORE_DESC%





MF Sample Grabber Sink*
%AIE_OBJ_IGNORE_DESC%





\??\pipe\c9db79a1 84f0 4453 96f0c2331c9f95a7*
%AIE_OBJ_IGNORE_DESC%





HKLM\Software\Citrix\CtxHook
%AIE_REG_IGNORE_DESC%





HKLM\Software\Citrix\IMS
%AIE_REG_IGNORE_DESC%





HKLM\Software\Citrix\AppCloning
%AIE_REG_IGNORE_DESC%





HKCU\Software\Microsoft\Windows NT\CurrentVersion
%AIE_REG_IGNORE_DESC%





HKCU\Printers
%AIE_REG_IGNORE_DESC%





HKCU\Control Panel\Desktop
%AIE_REG_IGNORE_DESC%





HKCU\Control Panel\Mouse
%AIE_REG_IGNORE_DESC%





HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
%AIE_REG_IGNORE_DESC%





HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
%AIE_REG_IGNORE_DESC%





HKLM\Software\Microsoft\Windows NT\CurrentVersion\perflib
%AIE_REG_IGNORE_DESC%





HKLM\SYSTEM\CurrentControlSet\Services\WinSock2
%AIE_REG_IGNORE_DESC%





HKLM\SYSTEM\ControlSet001\Services\WinSock2
%AIE_REG_IGNORE_DESC%





HKLM\SYSTEM\ControlSet002\Services\WinSock2
%AIE_REG_IGNORE_DESC%





HKLM\SYSTEM\ControlSet003\Services\WinSock2
%AIE_REG_IGNORE_DESC%





HKLM\SYSTEM\CurrentControlSet\Services\Tcpip
%AIE_REG_IGNORE_DESC%





HKLM\SYSTEM\ControlSet001\Services\Tcpip
%AIE_REG_IGNORE_DESC%





HKLM\SYSTEM\ControlSet002\Services\Tcpip
%AIE_REG_IGNORE_DESC%





HKLM\SYSTEM\ControlSet003\Services\Tcpip
%AIE_REG_IGNORE_DESC%





HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6
%AIE_REG_IGNORE_DESC%





HKLM\SYSTEM\ControlSet001\Services\Tcpip6
%AIE_REG_IGNORE_DESC%





HKLM\SYSTEM\ControlSet002\Services\Tcpip6
%AIE_REG_IGNORE_DESC%





HKLM\SYSTEM\ControlSet003\Services\Tcpip6
%AIE_REG_IGNORE_DESC%





HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
%AIE_REG_IGNORE_DESC%




HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
%AIE_REG_IGNORE_DESC%





HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
%AIE_REG_IGNORE_DESC%





HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
%AIE_REG_IGNORE_DESC%





HKLM\Software\Policies
%AIE_REG_IGNORE_DESC%





HKCU\Software\Policies
%AIE_REG_IGNORE_DESC%





HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
%AIE_REG_ISOLATE_DESC%





\\.\Pipe\Microsoft Smart Card*
%AIE_OBJ_IGNORE_DESC%





\??\Pipe\Microsoft Smart Card*
%AIE_OBJ_IGNORE_DESC%
















HKCU\Software\Microsoft\Internet Explorer\Main

RunOnceHasShown
Window_Placement

Makes sure only real IE settings changes are included in profile



This document applies to:

XenDesktop 3.0 x32
XenDesktop 3.0 x64


