Skip to content

Enabling Smart Card Authentication Using Linux Clients

Pre-session smart card authentication is supported while connecting from Linux Clients to Windows Graphics agents. The following section contains information on system requirements, limitations, and agent setup.

Note: Broker Configuration

Smart card authentication is supported with the Leostream broker or when directly connecting from the client machine to the agent machine. However, if the Subject Alternative Name in the Smart Card certificate is in the <valid username>@<valid domain> format, direct connections are not supported. You must use the Leostream connection Broker version 2023.2.3.4 and Connection Manager version 23.12 or later in this scenario. For more information, see Configure the Leostream Connection Broker.

Requirements

Component Version
Client Anyware Linux Client 24.03+
Agent
  • Graphics Agent for Windows
  • Standard Agent for Windows
24.03+
Infrastructure (required for brokered connections only, not required for direct connections)
  • Connection Manager & Security Gateway 20.07+
  • Leostream broker
 
Host Anyware Standard or Graphics Agent for Windows 21.03+
  ActivClient Middleware 7.1, 7.2

Anyware Graphics Agent

Smart Card Authentication is supported while connecting to Windows agent 24.03 or later.

Anyware Client

At this time, smart Card Authentication is only supported while connecting from Linux Client version 24.03 or later.

Smart Card Certificate Requirements

The smart card certificate prerequisites are as follows:

  • Key usage is set to digital signature

  • Subject common name and/or subject alternative name (other name) are set

  • Enhanced key usage must include client authentication and/or smart card logon

  • Key length must not be larger than 2048 bit

Smart Card Readers

The following smart card readers have been tested:

  • Belkin USB Smart Card Reader (F1DN008U)

  • Identiv SCR3310 USB Contact Smart Card Reader

Tested Smart Card Models

This version of Linux Clients supports both pre-session authentication and in-session use of smart cards. The following smart card models have been tested:

Product Name                       Type of Card Notes
Gemalto TOP DL V2.1 144K FIPS CAC   
IDEMIA Cosmo v8.0 Alternate token  
IDEMIA ID-one 125 V8.0D CAC   
G+D Sm@rtCafe Expert v7.0 CAC   
G+D Sm@rtCafe Expert v7.0 144K DI CAC  
PIVkey C910 PIV  
PIVkey C980 PIV  
PIVkey C990 PIV  
Yubikey 5C   Using PIV interface.
Yubikey 5 NFC   Using PIV interface.

Note: Testing Smart Card Solutions

Solutions must be validated in user environments before selecting a solution, as environmental differences including network conditions or other components may impact support.

Notes

  • Smart Card Authentication works only with the Anyware Standard Agent for Windows and the Anyware Graphics Agent for Windows.

  • Smart Card authentication can only be enabled or disabled during installation. If the Anyware agent has already been installed, re-install the software using the instructions below.

  • The interface-driven installer for the Graphics Agent for Windows cannot enable this functionality. You must use the scripted (silent) installer.

  • At present, simultaneous configuration of a single card and single reader is supported.

  • We have tested ActivClient 7.4.3.13; other versions may work but have not been tested.

  • While in a PCoIP session, the remote desktop's Device Manager will show two identical smart cards. This is expected and does not affect the session.

Known Limitations

  • The Interactive logon: Smart card removal behavior is not supported during smart card sessions.

  • When authenticated using smart cards, Anyware Clients cannot recognize HP Digital Badges.

  • Concurrent users cannot log on to agent machines using the same smart card for authentication. Smart cards having multiple certificates allow only one user to log on at a time. to be able to log in, others users must wait until the current users logs off.

Agent Setup

Note: Installing Card Reader Drivers

Some card readers might require their drivers to be installed on the agent machine. Consult with the reader manual to determine whether you need to install the required drivers.

  1. Make sure that you downloaded Anyware Agent 24.03 or later to the remote machine.

  2. Connect to the remote machine via RDP.

  3. On the remote machine, install the Graphics Agent for Windows using the /InstallVSCReader argument.

    • Windows BAT: Open a Windows command line tool and enter the following:
    start /WAIT <path_to_installer> /S /NoPostReboot /InstallVSCReader
    echo %ERRORLEVEL%
    

    where <path_to_installer> is the system filepath of the installer file.

    • Windows PowerShell: Open a PowerShell window and enter the following:

      $process = Start-Process -FilePath <path_to_installer> -ArgumentList "/S /NoPostReboot /InstallVSCReader _?<path_to_installer>" -Wait -PassThru; $process.ExitCode
      

    where <path_to_installer> is the system filepath of the installer file. Note that this argument is used twice.

  4. Configure the Graphics Agent for Windows license information, as described here.

  5. Install the ActivClient middleware (available from your SmartCard vendor) on the host machine. Skip this step if you are using Yubikey 5C or Yubikey 5 NFC.

    Middleware installation notes

    • ActivClient middleware must be installed in a console session.
    • To prevent conflicts, only one middleware should be installed.

  6. Reboot the remote machine.

Client Setup

  1. Make sure that you downloaded Anyware Linux Client version 24.03 or later on the client machine.

  2. Configure the client machine to connect to the agent machine. Follow the instructions in the topic "Connecting to an Agent Machine" in the Anyware Linux Client guide.

  3. Plug the smart card reader into the Client machine, and use your smart card for authenticating the PCoIP session. For instructions on using the smart card to authenticate PCoIP sessions, consult "Using Smart Card Authentication to Connect to a Session" in the topic "Connecting to an Agent Machine" of the Anyware Linux Client guide.

Removing Smart Card Support

In order to remove support for Smart Card Authentication, uninstall the agent and then re-install it without using the /InstallVSCReader option.