Supported Smart Cards¶
Anyware Linux Clients support pre-session smart card authentication when connecting to Windows Graphics agents and Windows Standard agents, provided that the following system requirements are met. For deployments that meet these requirements, Linux Clients can also read and process smart card information and allow SSO (single sign-on) authentication of the user prior to session establishment.
This topic describes the requirements to support pre-session smart card authentication when connecting to Windows Graphics agents or Windows Standard agents.
Smart Card Dependencies
It is important to test your smart card in your deployment. Changes to smart card vendor applets and middleware software may cause smart cards to become ineffective in your deployment.
Anyware Agent¶
Smart Card Authentication is supported while connecting to the following agents: - Windows Graphics agent 24.03 or later - Windows Standard agent 24.03 or later
Anyware Client¶
At this time, smart Card Authentication is only supported while connecting from Linux Client version 24.03 or later.
Smart Card Certificate Requirements¶
The smart card certificate prerequisites are as follows:
-
Key usage is set to digital signature
-
Subject common name and/or subject alternative name (other name) are set
-
Enhanced key usage must include client authentication and/or smart card logon
-
Key length must not be larger than 2048 bit
Smart Card Readers¶
The following smart card readers have been tested:
-
Belkin USB Smart Card Reader (F1DN008U)
-
Identiv SCR3310 USB Contact Smart Card Reader
Tested Smart Card Models¶
This version of Linux Clients supports both pre-session authentication and in-session use of smart cards. The following smart card models have been tested:
Product Name | Type of Card | Notes |
---|---|---|
Gemalto TOP DL V2.1 144K FIPS | CAC | |
IDEMIA Cosmo v8.0 | Alternate token | |
IDEMIA ID-one 125 V8.0D | CAC | |
G+D Sm@rtCafe Expert v7.0 | CAC | |
G+D Sm@rtCafe Expert v7.0 144K DI | CAC | |
PIVkey C910 | PIV | |
PIVkey C980 | PIV | |
PIVkey C990 | PIV | |
Yubikey 5C | Using PIV interface. | |
Yubikey 5 NFC | Using PIV interface. |
Note: Testing Smart Card Solutions
Solutions must be validated in user environments before selecting a solution, as environmental differences including network conditions or other components may impact support.
Notes¶
-
Smart Card Authentication works only with the Anyware Standard Agent for Windows and the Anyware Graphics Agent for Windows.
-
Smart Card authentication can only be enabled or disabled during installation. If the Anyware agent has already been installed, re-install the software using the instructions below.
-
The interface-driven installer for the Software Client for Linux cannot enable this functionality. You must use the scripted (silent) installer.
-
At present, only a single card and single reader configuration is supported.
-
We have tested ActivClient 7.4.3.13; other versions may work but have not been tested.
-
While in a PCoIP session, the remote desktop's Device Manager will show two identical smart cards. This is expected and does not affect the session.
Known Limitations¶
-
The Interactive logon: Smart card removal behavior is not supported during smart card sessions.
-
When authenticated using smart cards, Anyware Clients cannot recognize HP Digital Badges.
-
Concurrent users cannot log on to agent machines using the same smart card for authentication. Smart cards having multiple certificates allow only one user to log on at a time. to be able to log in, others users must wait until the current users logs off.
Client Setup¶
Note: Agent Setup is Required
To enable authentication using smartcards, configuration is required on agent machines. For more information, see "Enabling Smart Card Authentication Using Linux Clients" in the agent guide.
-
Make sure that you downloaded Anyware Linux Client version 24.03 or later on the client machine.
-
Configure the client machine to connect to the agent machine. Follow the instructions in the topic "Connecting to an Agent Machine" in the Anyware Linux Client guide.
-
Plug the smart card reader into the Client machine, and use your smart card for authenticating the PCoIP session. For instructions on using the smart card to authenticate PCoIP sessions, consult "Using Smart Card Authentication to Connect to a Session" in the topic "Connecting to an Agent Machine" of the Anyware Linux Client guide.