Smart Cards

This reference lists the requirements for pre-session smart card authentication when connecting to VMware Horizon (View) that are known to work with the latest firmware. It also lists supported smart cards and USB smart card readers for Tera2 PCoIP Zero Clients connected to PCoIP Connection Managers.

Smart Card Dependencies

It is important to test your smart card in your deployment. Changes to smart card vendor and middleware software may cause smart cards to become ineffective in your deployment.

Smart Card Authentication with Leostream Broker (Beta)

Pre-session smart card support with PCoIP Zero Clients when connecting to Remote Workstation Cards or Cloud Access Software with Leostream broker — supported with PCoIP Zero Client firmware 6.4 and Leostream version 9.0.35 beta (Contact Leostream for details on their generally available release). Smart cards cannot be used for single sign-on to a workstation for this solution.

PCoIP Zero Clients support pre-session smart card authentication when connecting to VMware View virtual desktops that meet the system configuration requirements listed below. For deployments that meet these requirements, PCoIP Zero Clients can also read and process smart card information and allow SSO (single sign-on) authentication of the user prior to session establishment.

System Requirements

When used with VMware View 4.5 or higher with smart card authentication enabled, the firmware securely transfers the attached smart card properties to the View Connection Server for authentication and SSO of a user prior to a session. The Zero Client only supports 75 distinguished names when using Smart Card authentication.

Note on distinguished names

The distinguished names are retrieved from the keystore file that is created on the View Connection Server (VCS). The keystore file contains a list of all customer certificates being used.

Smart Card Certificate Requirements

  • Key usage must be set to digital signature

  • Subject common name and/or subject alternative name (other name) must be set

  • Enhanced key usage must include client authentication and/or smart card logon

  • Key length must not be larger than 2048 bits
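
One way to check a certificate against the four requirements above before it is provisioned to a card, as an added example that is not part of the original reference or any Teradici tooling. It assumes the openssl CLI (1.1.1 or later for `-addext`) and a PEM certificate file; `check_sc_cert` and `make_sample_cert` are hypothetical helper names, and the check reads "set to digital signature" as "digital signature is among the key usages".

```shell
#!/bin/sh
# Added example: checks a PEM certificate against the four requirements listed above.
# Assumption: parsing relies on the text layout of `openssl x509 -text`.

# check_sc_cert FILE: prints PASS/FAIL per requirement; exit status 0 only if all pass.
check_sc_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo "FAIL cannot parse $1"; return 2; }
    subject=$(openssl x509 -in "$1" -noout -subject)
    rc=0

    # Requirement 1: key usage must be set to digital signature.
    if printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Digital Signature'
    then echo "PASS key usage includes digital signature"
    else echo "FAIL key usage lacks digital signature"; rc=1; fi

    # Requirement 2: subject common name and/or SAN other name must be set.
    if printf '%s\n' "$subject" | grep -Eq '(^|[^A-Za-z])CN ?=' ||
       printf '%s\n' "$text" | grep -A1 'X509v3 Subject Alternative Name' | grep -qi 'othername'
    then echo "PASS subject CN or SAN other name present"
    else echo "FAIL no subject CN and no SAN other name"; rc=1; fi

    # Requirement 3: EKU must include client authentication and/or smart card logon.
    # The smart card logon label differs between OpenSSL releases, hence the optional space.
    if printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' |
       grep -Eqi 'TLS Web Client Authentication|Smartcard ?Login'
    then echo "PASS EKU includes client authentication or smart card logon"
    else echo "FAIL EKU lacks client authentication and smart card logon"; rc=1; fi

    # Requirement 4: key length must not be larger than 2048 bits.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -n "$bits" ] && [ "$bits" -le 2048 ]
    then echo "PASS key length $bits bits"
    else echo "FAIL key length ${bits:-unknown} bits is not within 2048"; rc=1; fi

    return $rc
}

# make_sample_cert OUT BITS KEYUSAGE EKU: writes a constructed self-signed test certificate.
make_sample_cert() {
    openssl req -x509 -newkey "rsa:$2" -nodes -keyout "$1.key" -out "$1" -days 1 \
        -subj "/CN=Constructed Test User" \
        -addext "keyUsage=critical,$3" -addext "extendedKeyUsage=$4" 2>/dev/null
}

# Usage: sh check_sc_cert.sh card-cert.pem
if [ -n "${1:-}" ]; then check_sc_cert "$1"; fi
```

A certificate that passes all four checks still has to be tested with the actual card, reader and middleware combination, as the dependencies section above states.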

Virtual Desktop Requirements

  • VMware View 4.5 or higher

  • VM Guest OS: Windows 10 and Windows 7 with VMware View Agent PCoIP smart card component installed

  • PCoIP Zero Client firmware 3.2.0 or newer (smart cards that are only supported in later firmware releases are indicated as such)

  • The Agent’s PCoIP smart card component must be installed for the guest OS to see the smart card reader (this is not installed by default)

Supported USB Smart Card Readers

Warning

Not all readers will function properly with all smart card solutions.

  • Alcor AU9540-GBS (built into selected Samsung PCoIP Zero Clients)

  • Castles Technology EZM110CU (built into selected ClearCube PCoIP Zero Clients)

  • Castles Technology EZM110PU (built into selected ClearCube PCoIP Zero Clients)

  • Cherry SmartBoard keyboard

  • Dell Smart Card USB keyboard SK3205

  • Gemalto PC Twin HWP108765C

  • Gemalto PC Twin HWP108760D

  • Gemalto PC USB-SW

  • Gemalto IDBridge CR20/CT30/CT31

  • HP KUS0133 Smart Card Keyboard

  • Leadtek Alcor Reader

  • OmniKey 3021

  • OmniKey 3121

  • OmniKey 5321 (Note: the 5321 CLi variant is currently not supported)

  • Omnikey 5421

  • Peripheral Dynamics PT-3901

  • SCR331

  • SCR333

  • SCR335

  • SCR3310

  • SCR3310/v2.0

Known Smart Card Readers compatible with SC650/SIPR

  • Omnikey 3021

  • Omnikey 3121

  • Omnikey 5321

  • ClearCube Zero Client with a built-in Omnikey 3021 reader

  • Gemalto GemPC Twin

  • SCM SCR3310 v2

Tested Smartcard Models

GSC-IS and PIV Authentication Flow

The default authentication flow prior to firmware 6.5 was to use the GSC-IS driver before the PIV driver. Now the PIV driver is used first before the GSC-IS driver. If required, you can change the default authentication flow by enabling the Prefer GSC-IS setting. See advanced settings for View Connection Server session type.

When enabled, if a smart card (CAC) supports more than one interface, such as GSC-IS and PIV, then GSC-IS is used. However, where the card supports both GSC-IS and PIV and only PIV objects are configured on the card, the connection may fail. If this is the case, uncheck the box and retest. If a smart card supports only one interface, such as either the GSC-IS or the PIV endpoint interface, then only that interface is used regardless of this setting. This only affects smart card access performed outside of PCoIP sessions.

Teradici has tested these specific smart card models:

| Model | Specification and/or Applet | Middleware Provider | Pre-Session Authentication | In-Session Use | Comments | Processor |
|---|---|---|---|---|---|---|
| Cyberflex Access 64K V2c | CAC (GSC-IS) ActivClient v2.6.1 applet | ActivIdentity | 3.2.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto Access 64KV2. Note 2, 3 | Tera1, Tera2 |
| ID-One Cosmo v5.2D 64K | CAC (GSC-IS) ActivClient v2.6.1 applet | ActivIdentity | 3.2.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur Cosmo64 V5.2D. Note 2, 3 | Tera1, Tera2 |
| ID-One Cosmo v5.2 72K | CAC (GSC-IS) ActivClient v2.6.1 applet | ActivIdentity | 3.2.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur ID One V5.2. Note 2, 3 | Tera1, Tera2 |
| Cyberflex Access v2c 64K | CAC (GSC-IS) ActivClient v2.6.1 applet | ActivIdentity | 3.2.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto Access 64KV2. Note 2, 3 | Tera1, Tera2 |
| ID-One Cosmo v5.2D 72K | CAC (PIV Transitional) ActivClient v2.6.2 applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur ID One V5.2 Dual. This card has both contact and contactless interfaces. Only contact interfaces are supported. Note 2, 3 | Tera1, Tera2 |
| Gemalto GemCombiXpresso R4 dual interface | CAC (PIV Transitional) ActivClient v2.6.2 applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto GCX4 72K DI. This card has both contact and contactless interfaces. Only contact interfaces are supported. Note 2, 3 | Tera1, Tera2 |
| ID-One Cosmo v5.2D 72K | CAC (PIV Endpoint) ActivClient v2.6.2 applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur ID One V5.2 Dual. This card has both contact and contactless interfaces. Only contact interfaces are supported. Note 2, 3 | Tera1, Tera2 |
| Gemalto GemCombiXpresso R4 dual interface | CAC (PIV Endpoint) ActivClient v2.6.2 applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto GCX4 72K DI. This card has both contact & contactless interfaces. Only contact interfaces are supported. Note 2, 3 | Tera1, Tera2 |
| Gemalto TOP DL GX4 144K | CAC (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto TOP DL GX4 144K. This card has both contact and contactless interfaces. Only contact interfaces are supported. Note 2, 3 | Tera1, Tera2 |
| Oberthur ID-One Cosmo 128 v5.5 for DoD CAC | CAC (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur ID One 128 v5.5 Dual. This card has both contact & contactless interfaces. Only contact interfaces are supported. Note 2 below | Tera1, Tera2 |
| CosmopolIC 64K V5.2 | CAC (GSC-IS) ActivClient v2.6.2 applet | ActivIdentity | 3.2.0 and higher | 3.2.0 and higher | Note 2, 3 | Tera1, Tera2 |
| ID-One Cosmo v7.0 with Oberthur PIV Applet Suite 2.3.2 | CAC (PIV Endpoint) ActivClient v2.3.2 applet | ActivIdentity | 3.4.0 and higher | 3.4.0 and higher | A PIV Endpoint card uses the T=1 protocol. Note 2, 3 | Tera1, Tera2 |
| GemCombiXpresso | CAC (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto TOP DL GX4 72K. Note 2, 3 | Tera1, Tera2 |
| ID-One Cosmo 64 v5.2D Fast ATR with PIV application SDK | CAC (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur CS PIV End Point v1.08 FIPS 201. Note 2, 3 | Tera1, Tera2 |
| ID-One Cosmo v7.0 128K | CAC (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Note 2, 3 | Tera1, Tera2 |
| SmartCafe Expert 144K DI v3.2 | CAC (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Note 2, 3 | Tera1, Tera2 |
| Cyberflex Access 64K V2c | ACS PKI 1.12 | Gemalto Access Client | 4.0.0 and higher | 3.2.0 and higher | Note 3 | Tera1, Tera2 |
| Cyberflex Access 64K V2c | ACS PKI 1.14 | Gemalto Access Client | 4.0.0 and higher | 3.2.0 and higher | Note 3 | Tera1, Tera2 |
| Axalto Cryptoflex .NET | Gemalto .NET | Gemalto/ Windows | 3.4.1 and higher | 3.2.0 and higher | Implements the Gemalto .NET standard. The middleware is built into Windows. Note 3 | Tera1, Tera2 |
| SIPR Token (SafeNet SC650) | Coolkey applet | 90meter | 3.5.1 and higher | 3.2.0 and higher | This card uses 3V power, which many readers do not supply. Please see the reader list for compatible readers. Note 3 | Tera1, Tera2 |
| SafeNet SC650 | SafeNet PKI | SafeNet SHAC | 4.1.0 and higher | 4.1.0 and higher | Note 3 | Tera2 |
| SafeNet SC650 Blade | SafeNet PKI | SafeNet SHAC | 5.1.0 and higher | 5.1.0 and higher | Note 3 | Tera2 |
| Atos CardOS | CardOS | CardOS API | 4.1.0 and higher | 4.1.0 and higher | Note 3 | Tera2 |
| eToken 4100 | eToken Java | SafeNet Authentication Client | 5.1.1 and higher | 5.1.1 and higher | Note 3 | Tera2 |
| eToken 5100 | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 | Tera1, Tera2 |
| eToken 5105 | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 | Tera1, Tera2 |
| eToken 5200 | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 | Tera1, Tera2 |
| eToken 5205 | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 | Tera1, Tera2 |
| eToken NG-OTP 72k | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 | Tera1, Tera2 |
| eToken 72k Pro (IN FW 4.1.0) | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 | Tera1, Tera2 |
| Gemalto IDCore 3020 | PIV | PIV Windows NIST SP 800-73 PIV (can be provisioned with Charismathics Security Token Configurator 5.0.2) | 4.8.0 and higher | 4.8.0 and higher | Note 3. Install user cert using Charismathics STC Key Pair | |
| Buypass | Buypass Proprietary | Buypass Proprietary | 4.8.0 and higher | 4.8.0 and higher | Note 3. Requires Buypass Middleware version 6.3.0.45 or later | Tera2 |
| SIPR Token (G&D Sm@rtCafé Expert) | Coolkey applet | 90meter | 5.4.1 and higher | 3.2.0 and higher | Note 3. This G&D card works in all known readers | Tera2 |
| Gemalto IDPrime MD 830 w/o Secure Messaging (enhancements in FW 6.4), IDPrime MD 840, IDPrime MD 3810 | Gemalto Proprietary | Gemalto | 5.5.0 and higher | 5.5.0 and higher | Note 3. Gemalto IDPrime MD 830(Level 2) with firmware 6.1.0 or higher supports smart cards provisioned with SafeNet Authentication Client | Tera2 |
| PIVkey C980 | PIV | Taglio PIVKey Installer-User-7.1.0.5 (https://pivkey.com/download/pkuser.zip) | 5.5.1 and higher | 4.8.0 and higher | Note 3. Install user cert using Versasec vSEC_CMS_K2.0 from certificate PFX-File. vSEC-CMS_K2.0.exe can be downloaded as part of https://pivkey.com/pkadmin.zip Certificate can be mapped to container using pivkeytool.exe, which is also included in the Installer-Admin file in pkadmin.zip. More information from https://pivkey.zendesk.com/hc/en-us | Tera2 |
| Crescendo 144K FIPS | PIV | Actividentity | 5.5.1 and higher | 5.5.1 and higher | Note 3. For Pre-session authentication, “Prefer GSC-IS” must be disabled in AWI Advanced Session Connection configuration | Tera2 |
| HID Crescendo 144K FIPS Stand-Alone card | CAC (GSC-IS 2.1) | Actividentity | 6.1.0 and higher | 6.1.0 and higher | Note 3. Tested when provisioned onto G&D Sm@rtCafe Expert 144K v7 cards. | |
| SafeNet eToken 5110 FIPS | eToken Java | SHAC 2.12.020 | 6.1.0 and higher | 6.1.0 and higher | Note 3 | |
| SafeNet AT SC650 v3.2 | Entrust PIV 2.4.2R0 | Windows NIST SP 800-73 PIV (bridged only) or ActiveIdentity | 6.3.0 and higher | 6.3.0 and higher | | |
| Entrust | Entrust PIV 2.4.2R0 | Windows NIST SP 800-73 PIV (bridged only) or ActiveIdentity | 6.3.0 and higher | 6.3.0 and higher | | |
| Oberthur/IDEMIA ID-One Cosmo v8.0, v8.1 | ID-One PIV 2.4.0 and 2.4.1 | ActivIdentity | 6.4.0 and higher | 6.3.0 and higher | Supported Readers Include IDBridge CT30/SCR3310/SCR3310 v2.0/Omnikey OK3121/Omnikey 3021 | Tera2 |
| Oberthur/IDEMIA ID-One Cosmo v8.0 Alt Token | CAC V2.7.4 Applets | ActivIdentity | 6.4.0 and higher | 6.4.0 and higher | | Tera2 |
| G+D Sm@rtCafe Expert v7.0 | CAC V2.7.5 Applets | ActivIdentity | 6.4.0 and higher | 6.4.0 and higher | | Tera2 |
| Gemalto IDPrime MD 830 Rev B (Level 3; Level 2 with Secure Messaging Enabled) | IDPrime Java Applet 4.3.5.D with Secure Messaging | Safenet Authentication Client 10.7 | 6.4.0 and higher | 6.4.0 and higher | | Tera2 |
| IDEMIA Cosmo 8.1 r2 | IAS-ECC V1.0.1 | SecMaker Net iD Enterprise 6.8.0.22 | 21.03.0 and higher | 21.03.0 and higher | | Tera2 |

Notes:

  1. Your card may be on the supported card list; however, the applet of the card may not be supported.

  2. Windows 8 virtual machines require ActivClient 7.0 or newer. The old version (e.g. 6.x) will install but will not work as expected.

  3. Solutions must be validated in user environments before selecting a solution, as environmental differences including network conditions or other components may impact support.

Undocumented Smart Card Support

For smart card authentication and SSO, the smart card must meet one of the following specifications:

  • GSC-IS v2.0 and v2.1 cards (firmware 3.2.0 or higher)
  • PIV transitional cards (firmware 3.4.0 or higher)
  • PIV endpoint cards (firmware 3.4.0 or higher)
  • Gemalto .NET
  • Gemalto Access Client
  • CoolKey
  • CardOS 4.3b / 4.4 (excluding eToken. Supported on Tera2 with FW 4.1.0 and higher)

The communication protocol between the smart card and the reader is referred to as T=X, where X is 0 or 1. Firmware 3.2.0 and higher supports T=0. Firmware 3.4.0 and higher supports T=1.

Support for additional smart card variants will be added to future firmware releases.

Pre-session smart card authentication to remote workstations using PCoIP Remote Workstation Cards is not supported at this time.

Supported Smart Cards and USB Smart Card Readers for Tera2 PCoIP Zero Clients Connected to PCoIP Connection Managers

When used with a PCoIP Connection Manager that supports ID card authentication, the firmware securely transfers the attached ID card identifier to the PCoIP Connection Manager before a session is established.

Virtual Desktop Requirements

  • Tera2 PCoIP Zero Client firmware 5.4 or later

  • Teradici PCoIP Multi-Session Agent running on Windows Server 2016

Supported USB Smart Card Readers

  • Gemalto IDBridge CT30 (legacy name: PC USB TR and PC TWIN)

  • Rocketek RT-SCR1

Supported Smart Card Models

Teradici has tested these specific smart card models:

  • Enhanced BasicCard

  • Payflex Smart Card

  • Open Platform Smart Card