Configuring the Leostream Connection Broker for Smart Card Authentication

If the Subject Alternative Name in the Smart Card certificate is in the @ format, you must use the Leostream Connection Broker version 2023.2.3.4 and Connection Manager version 23.12 or later. Direct connections are not supported in this scenario.

This topic describes how to configure the Leostream Connection Broker for Smart Card authentication.

Prerequisites

Before configuring the Leostream Connection Broker, make sure that:

  • An Active Directory is set up for your deployment.

  • A Certificate Authority (CA) is available in the Active Directory for signing user certificates during logon using smart cards.

  • A CA certificate or a CA bundle file (if the CA that signs user certificates is not the root CA) is available.

Configuration Process

Note: Additional Reading

For detailed instructions on the configuration process, see this Quick Start Guide.

  1. Install the Leostream Connection Broker version 2023.2.3.4 or later.

  2. Log in to the Connection Broker Web Interface. The web interface is available at the following URL: https://<Leostream broker machine IP address>

    Note: Configuration Details

    Steps 3 through 8 describe only the essential configuration. You can set the remaining configuration options as necessary.

  3. Enable Smart Card support:

    1. Go to Configuration > Locations.
    2. Click Create Location.
    3. Under Attribute Selection, set the Client Attribute to "Device Type", Conditional to "is equal to", and Value to "PCoIP".
    4. Select Require PIV smart card for login.
  4. Add the Authentication Server:

    1. Go to Setup > Authentication Servers.
    2. Click Add Authentication Server.
    3. On the Add Authentication Server page, provide the Active Directory Server details.
  5. Under Connection Settings, do the following:

    1. Set Specify address using to "Hostnames or IP addresses".
    2. Provide the Hostname or IP address and Port values.
    3. Set Algorithm for selecting from multiple addresses to "Random".
    4. Set Type to "Active Directory".
  6. Under Search Settings, enter the username and password for an account that has permissions to search for other users.

  7. Save your changes.

  8. Upload the CA certificate or the CA bundle file:

    1. Obtain the CA certificate or the CA bundle file.
    2. Go to Setup > Authentication Servers.
    3. Open the Active Directory server you added in step 4.
    4. Under Smart/PIV Card Authentication, click Choose File, and upload the CA certificate or the CA bundle file.
    5. Save your changes.
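
Before uploading the file in step 8, you can confirm that it contains the complete chain for your user certificates. The following is an added example, not part of the Leostream documentation: it uses the `openssl` command line to approximate chain validation (it is not the broker's own validation logic), and the throwaway PKI, subjects, file names and function names are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not Leostream code). The throwaway PKI, subjects and file
# names are constructed for the demonstration.

# Number of PEM certificates contained in a CA file.
bundle_cert_count() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# Succeed only if the user certificate ($2) chains to a self-signed root using
# nothing but the certificates in the CA file ($1). SSL_CERT_DIR/SSL_CERT_FILE
# point at a nonexistent path so the system trust store cannot fill a gap.
bundle_verifies_user() {
    SSL_CERT_DIR=/nonexistent SSL_CERT_FILE=/nonexistent \
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a constructed chain in directory $1: root CA -> issuing CA -> user.
make_demo_pki() {
    local d="$1" c="$1/demo.cnf"
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' 'CN=unused' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$c"
    new_csr() {  # new_csr NAME SUBJECT: writes NAME.key and NAME.csr
        openssl req -new -config "$c" -newkey rsa:2048 -nodes -subj "$2" \
            -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
    }
    openssl req -x509 -config "$c" -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 1 -subj '/CN=Demo Root CA' -keyout "$d/root.key" \
        -out "$d/root.pem" 2>/dev/null
    new_csr issuing '/CN=Demo Issuing CA'
    openssl x509 -req -in "$d/issuing.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -set_serial 2 -days 1 -extfile "$c" \
        -extensions v3_ca -out "$d/issuing.pem" 2>/dev/null
    new_csr user '/CN=Demo User'
    openssl x509 -req -in "$d/user.csr" -CA "$d/issuing.pem" \
        -CAkey "$d/issuing.key" -set_serial 3 -days 1 \
        -out "$d/user.pem" 2>/dev/null
    cat "$d/issuing.pem" "$d/root.pem" > "$d/bundle.pem"
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
for ca in issuing.pem root.pem bundle.pem; do
    if bundle_verifies_user "$demo_dir/$ca" "$demo_dir/user.pem"; then
        echo "$ca ($(bundle_cert_count "$demo_dir/$ca") cert): user certificate verifies"
    else
        echo "$ca: chain incomplete, not sufficient on its own"
    fi
done
```

For a real deployment, call `bundle_verifies_user` with your CA certificate or CA bundle file and a certificate exported from an issued smart card instead of the demo files.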