Smart Card Authentication¶
Smart Cards, such as PIV cards, may be used to authenticate to your PCoIP Session. Smart Card support requires a PCoIP agent and a PCoIP Tera2 Zero Client for direct (unbrokered) connections. For brokered connections, a PCoIP Connection Manager & Security Gateway and a Leostream broker are also required, in addition to the PCoIP agent and PCoIP Tera2 Zero Client.
Requirements¶
Component | Version | |
---|---|---|
Client | PCoIP Tera2 Zero Client | Firmware 21.01+ |
Infrastructure | (required for brokered connections only, not required for direct connections)
|
|
Host | PCoIP Standard or Graphics Agent for Windows | 21.03+ |
ActivClient Middleware | 7.1, 7.2 |
Notes and Limitations¶
- Smart Card Authentication works only with the PCoIP Standard Agent for Windows and the PCoIP Graphics Agent for Windows.
- Smart Card authentication can only be enabled or disabled during installation. If the PCoIP agent has already been installed, re-install the software using the instructions below.
- The interface-driven installer for the Standard Agent for Windows cannot enable this functionality. You must use the scripted (silent) installer.
- We have tested ActivClient 7.1 and 7.2; other versions may work but have not been tested.
- While in a PCoIP session, the remote desktop's Device Manager will show two identical smart cards. This is expected and does not affect the session.
Setup¶
Before you begin, make sure your installed components meet the minimum requirements described above, and ensure your smart card is configured correctly.
To configure the remote machine:
-
Connect to the remote machine via RDP.
-
On the remote machine, install the Standard Agent for Windows using the
/InstallVSCReader
argument.-
Windows BAT: Open a Windows command line tool and enter the following:
...wherestart /WAIT <path_to_installer> /S /NoPostReboot /InstallVSCReader echo %ERRORLEVEL%
<path_to_installer>
is the system filepath of the installer file. -
Windows PowerShell: Open a PowerShell window and enter the following:
$process = Start-Process -FilePath <path_to_installer> -ArgumentList "/S /NoPostReboot /InstallVSCReader _?<path_to_installer>" -Wait -PassThru; $process.ExitCode
...where
<path_to_installer>
is the system filepath of the installer file. Note that this argument is used twice!
-
-
Configure the Standard Agent for Windows license information, as described here.
-
Install the ActivClient middleware (available from your SmartCard vendor) on the host machine.
Middleware installation notes
- ActivClient middleware must be installed in a console session.
- To prevent conflicts, only one middleware should be installed.
-
Reboot the remote machine.
To configure the PCoIP Tera2 Zero Client:
-
Update the device's firmware to the latest available version.
-
Configure the device to connect to the remote machine (normally, the default auto-detect mode is best).
Connecting¶
Once the agent and PCoIP Tera2 Zero Client are prepared as described, you can connect to a PCoIP session by inserting a SmartCard into the card reader attached to the PCoIP Tera2 Zero Client.
To connect to the PCoIP session using the smart card:
-
Plug the smart card reader into the PCoIP Tera2 Zero Client.
-
Plug the smart card into the PCoIP Tera2 Zero Client.
-
Enter the IP address of the remote host machine.
-
If required, enter your PIN or credentials when prompted. For detailed instructions, refer to Connecting to a Session Using Smart Cards in the PCoIP Zero Client Firmware Administrators' Guide.
Using the Smart Card in a PCoIP Session¶
You can also use your smart card within a PCoIP session, to authenticate to applications on the remote desktop.
To use your smart card in-session:
-
Attach the smart card reader to the PCoIP Tera2 Zero Client.
-
Add your reader to the PcoIP Tera2 Zero Client's Bridged Devices table.
-
Log in to the Zero Client's Administrative Web Interface.
-
Select Configuration > USB.
-
In the Bridged Devices section, click Add New and add your reader.
-
Removing Smart Card Support¶
In order to remove support for Smart Card Authentication, uninstall the agent and then re-install it without using the /InstallVSCReader
option.