Enabling Smart Card Authentication Using Linux Clients¶
Pre-session smart card authentication is supported while connecting from Linux Clients to Windows Graphics agents. The following section contains information on system requirements, limitations, and agent setup.
Note: Broker Configuration
Smart card authentication is supported with the Leostream broker or when directly connecting from the client machine to the agent machine. However, if the Subject Alternative Name in the Smart Card certificate is in the <valid username>@<valid domain> format, direct connections are not supported. You must use the Leostream connection Broker version 2023.2.3.4 and Connection Manager version 23.12 or later in this scenario. For more information, see Configure the Leostream Connection Broker.
Requirements¶
| Component | Version | |
|---|---|---|
| Client | Anyware Linux Client | 24.03+ |
| Agent |
|
24.03+ |
| Infrastructure | (required for brokered connections only, not required for direct connections)
|
|
| Host | Anyware Standard or Graphics Agent for Windows | 21.03+ |
| ActivClient Middleware | 7.1, 7.2 |
Anyware Graphics Agent¶
Smart Card Authentication is supported while connecting to Windows agent 24.03 or later.
Anyware Client¶
At this time, smart Card Authentication is only supported while connecting from Linux Client version 24.03 or later.
Smart Card Certificate Requirements¶
The smart card certificate prerequisites are as follows:
-
Key usage is set to digital signature
-
Subject common name and/or subject alternative name (other name) are set
-
Enhanced key usage must include client authentication and/or smart card logon
-
Key length must not be larger than 2048 bit
Smart Card Readers¶
The following smart card readers have been tested:
-
Belkin USB Smart Card Reader (F1DN008U)
-
Identiv SCR3310 USB Contact Smart Card Reader
Tested Smart Card Models¶
This version of Linux Clients supports both pre-session authentication and in-session use of smart cards. The following smart card models have been tested:
| Product Name | Type of Card | Notes |
|---|---|---|
| Gemalto TOP DL V2.1 144K FIPS | CAC | |
| IDEMIA Cosmo v8.0 | Alternate token | |
| IDEMIA ID-one 125 V8.0D | CAC | |
| G+D Sm@rtCafe Expert v7.0 | CAC | |
| G+D Sm@rtCafe Expert v7.0 144K DI | CAC | |
| PIVkey C910 | PIV | |
| PIVkey C980 | PIV | |
| PIVkey C990 | PIV | |
| Yubikey 5C | Using PIV interface. | |
| Yubikey 5 NFC | Using PIV interface. |
Note: Testing Smart Card Solutions
Solutions must be validated in user environments before selecting a solution, as environmental differences including network conditions or other components may impact support.
Notes¶
-
Smart Card Authentication works only with the Anyware Standard Agent for Windows and the Anyware Graphics Agent for Windows.
-
Smart Card authentication can only be enabled or disabled during installation. If the Anyware agent has already been installed, re-install the software using the instructions below.
-
The interface-driven installer for the Graphics Agent for Windows cannot enable this functionality. You must use the scripted (silent) installer.
-
At present, simultaneous configuration of a single card and single reader is supported.
-
We have tested ActivClient 7.4.3.13; other versions may work but have not been tested.
-
While in a PCoIP session, the remote desktop's Device Manager will show two identical smart cards. This is expected and does not affect the session.
Known Limitations¶
-
The Interactive logon: Smart card removal behavior is not supported during smart card sessions.
-
When authenticated using smart cards, Anyware Clients cannot recognize HP Digital Badges.
-
Concurrent users cannot log on to agent machines using the same smart card for authentication. Smart cards having multiple certificates allow only one user to log on at a time. to be able to log in, others users must wait until the current users logs off.
Agent Setup¶
Note: Installing Card Reader Drivers
Some card readers might require their drivers to be installed on the agent machine. Consult with the reader manual to determine whether you need to install the required drivers.
-
Make sure that you downloaded Anyware Agent 24.03 or later to the remote machine.
-
Connect to the remote machine via RDP.
-
On the remote machine, install the Graphics Agent for Windows using the
/InstallVSCReaderargument.- Windows BAT: Open a Windows command line tool and enter the following:
start /WAIT <path_to_installer> /S /NoPostReboot /InstallVSCReader echo %ERRORLEVEL%where
<path_to_installer>is the system filepath of the installer file.-
Windows PowerShell: Open a PowerShell window and enter the following:
$process = Start-Process -FilePath <path_to_installer> -ArgumentList "/S /NoPostReboot /InstallVSCReader _?<path_to_installer>" -Wait -PassThru; $process.ExitCode
where
<path_to_installer>is the system filepath of the installer file. Note that this argument is used twice. -
Configure the Graphics Agent for Windows license information, as described here.
-
Install the ActivClient middleware (available from your SmartCard vendor) on the host machine. Skip this step if you are using Yubikey 5C or Yubikey 5 NFC.
Middleware installation notes
- ActivClient middleware must be installed in a console session.
- To prevent conflicts, only one middleware should be installed.
-
Reboot the remote machine.
Client Setup¶
-
Make sure that you downloaded Anyware Linux Client version 24.03 or later on the client machine.
-
Plug the smart card reader into the Client machine, and use your smart card for authenticating the PCoIP session. For instructions on using the smart card to authenticate PCoIP sessions, consult "Using Smart Card Authentication to Connect to a Session" in the topic "Connecting to an Agent Machine" of the Anyware Linux Client guide.
Removing Smart Card Support¶
In order to remove support for Smart Card Authentication, uninstall the agent and then re-install it without using the /InstallVSCReader option.
Note: Updating Smart Card Readers
Sometimes, you might encounter the following issues on Windows agents running on Windows Server 2022:
- When Single Sign-On (SSO) is enabled, smart cards are not displayed in the Device Manager list on the remote agent
- When SSO is disabled, smart cards do not appear on locked screens, and therefore, users cannot use them to unlock the screens