16 Replies, latest reply on Mar 6, 2020 7:02 AM by hschimpf

    Smart Card drivers and App Volumes

    ap_idb Enthusiast

      Hello all,

      I have a web app which requires a smart card to authenticate. I've read in various blog posts that this is doable, so I'm trying to do it. The OS sees the smart card via Device Manager, and if I run "certutil -scinfo" I get the cert info, and it even prompts me for the PIN through the middleware client. However, the middleware client is not seeing the card and is showing errors as if the card had been removed. My guess is that possibly the mount point is throwing off the app's search for the card. Anyone have experience with this? I don't want to install this to a gold image as a last resort...

      INFO:

      Card Reader - Gemalto CT30

      Thin Client - HP T530 running ThinPro 7 (includes ccid driver for the reader)

      Horizon 7.7

      Windows 10 x 1803

      App Volumes 2.16

      Package includes: Nexus Personal, Euclid WebClient, Gemalto SafeNet Authentication Client (all of this is included in the package provided by Euclid WebClient)

        • 1. Re: Smart Card drivers and App Volumes
          cliffvmwareeuc Novice
          VMware Employees

          So are you saying that you have the SC driver installed in an appstack and it's not working?

          • 2. Re: Smart Card drivers and App Volumes
            ap_idb Enthusiast

            I have the SC driver installed, correct.

            It works if I redirect the smart card. I run "certutil -scinfo", and I define "works" as the certificates on the card being seen. In this case, the middleware application does not see the card and I get an error as if the card were missing. I've not seen any discussion about smart cards on App Volumes here, but I have seen some bloggers (Age Roskam comes to mind) state that it's doable.

            • 3. Re: Smart Card drivers and App Volumes
              cliffvmwareeuc Novice
              VMware Employees

              It may be possible to put "certutil -scinfo" in a batch file, most likely a batch file that's run on logon such as logon.bat or logon_postsvc.bat.

              Check out the documentation for which script would best suit the driver and you can set these by attaching a volume to a VM without the Agent installed.

              • 4. Re: Smart Card drivers and App Volumes
                ap_idb Enthusiast

                Not fully understanding, so don't mind my question: are you saying that because you believe running that at logon has any impact?

                • 5. Re: Smart Card drivers and App Volumes
                  cliffvmwareeuc Novice
                  VMware Employees

                  Sorry, I was wrong there...

                  They are used to login to the actual application

                  Running the command you provided allows the smart card to work... so do you need to run the command every time the user wishes to use the application?

                  • 6. Re: Smart Card drivers and App Volumes
                    ap_idb Enthusiast

                    No, I run that command to confirm I can see the smart card. It's a built-in Windows command, basically "certutil smart card info".

                    • 7. Re: Smart Card drivers and App Volumes
                      cliffvmwareeuc Novice
                      VMware Employees

                      OK, it's interesting. Can you open a case for this?

                      • 9. Re: Smart Card drivers and App Volumes
                        Ray_handels Master
                        Community Warriors, vExpert

                        I don't think smart card will work if you add the driver into an appstack. The thing is that the driver is being added during logon, and the service for it already runs during startup, so even though the smart card is being redirected successfully it cannot use the driver.

                        If you look at a printer, for example, you can add a print driver into an appstack, but it will only work after restarting the print spooler service. You might want to try restarting the smart card service after logon; it might be able to initialize the driver after that.

                        We had somewhat the same issue with specific mice with their own driver. We needed to add those drivers to the golden image for it to work.
                        • 10. Re: Smart Card drivers and App Volumes
                          hschimpf Enthusiast

                          Hi,

                          So we had similar issues where the SC was seen in Windows but unable to be used. We did the following to get it to work.

                          First we needed to forward the SC using vendor and product IDs on our zero clients (Dell Wyse with Teradici). After bridging the SC, it started showing in Windows.

                          The drivers in Windows are taken from Windows itself, so we didn't use any special drivers. The middleware is inside an AppStack but didn't recognize the SC after USB bridging.

                          In our environment we use a proxy to prevent systems from randomly accessing the Internet. After a lot of troubleshooting we found that the Gemalto SC stick needs to send telemetry to Microsoft before starting to work. Unfortunately this doesn't work via the user proxy but has to be done using the NetShell proxy. So after adding the NetShell proxy to the golden image, we got it to work.

                          The last thing we found during this troubleshooting was that if you enable SC redirection in the Horizon agent, it stopped working again. So for us we needed to reinstall the agent without SC redirection enabled, and it started working again.

                          This solution has worked for different types of SC sticks, readers and PIN pads. One is used for web authentication as well, and it's working with this solution. None of the respective components are installed in the golden image. All software needed for the individual SC comes from the AppStack.

                          Hope this helps shine a light and maybe gives you an idea what else you can try.

                          Best regards,

                          Raetke
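The following is an added example, not code from this thread, from VMware or from any middleware vendor. It turns three suggestions made in the replies above into one post-logon check/repair script for an App Volumes desktop: running a certutil -scinfo check from a logon script such as logon_postsvc.bat (reply 3), restarting the smart card service after logon so it re-enumerates readers whose driver arrived with the AppStack (reply 9), and configuring the machine-level WinHTTP proxy that netsh manages instead of the per-user proxy (reply 10). Everything about the proxy server, bypass list, log path and how the script is launched is an assumption and a placeholder; the parsing of certutil's output follows its usual text and is a heuristic, not a documented interface.

```powershell
<#
 Added example, not code from the thread, from VMware or from any middleware vendor.
 Assumptions (not from the thread): runs elevated, e.g. launched by the AppStack's
 logon_postsvc.bat as  powershell.exe -ExecutionPolicy Bypass -File <path>;
 the proxy server and bypass list are placeholders for your environment.
#>
param(
    [string]$ProxyServer = 'proxy.corp.example:8080',   # placeholder
    [string]$BypassList  = '<local>;*.corp.example',    # placeholder
    [switch]$SetProxy,                                   # only touch WinHTTP when asked
    [string]$LogPath     = "$env:ProgramData\scard-check.log"   # placeholder
)

function Write-Log([string]$Message) {
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

function Get-SmartCardStatus {
    # certutil -scinfo enumerates readers and the certificates on the inserted card.
    # -silent acquires the crypto context without a PIN prompt, so it can run unattended.
    # The patterns below follow certutil's usual output ("Readers: N", "Card: <name>",
    # one "Serial Number:" per certificate); treat them as a heuristic, not a stable API.
    $out = (& certutil.exe -scinfo -silent 2>&1) -join "`n"
    $readers = 0
    if ($out -match 'Readers:\s*(\d+)') { $readers = [int]$Matches[1] }
    [pscustomobject]@{
        ResourceManagerRunning = ($out -match 'Resource Manager is running')
        Readers                = $readers
        CardPresent            = ($out -match '(?m)^\s*Card:')
        Certificates           = ([regex]::Matches($out, 'Serial Number:')).Count
    }
}

function Restart-SmartCardService {
    # SCardSvr starts with the OS; a reader driver delivered later by an AppStack is not
    # seen by the already-running service. A restart forces it to re-enumerate readers.
    $svc = Get-Service -Name SCardSvr
    if ($svc.Status -eq 'Running') {
        Restart-Service -Name SCardSvr -Force
    } else {
        Start-Service -Name SCardSvr
    }
    (Get-Service -Name SCardSvr).Status
}

function Set-MachineProxy([string]$Server, [string]$Bypass) {
    # The user (WinINET) proxy lives in HKCU and is invisible to services and to code that
    # runs outside the interactive user's context. WinHTTP is the machine-wide setting that
    # netsh manages; this is the "NetShell proxy" referred to in the thread.
    & netsh.exe winhttp set proxy proxy-server="$Server" bypass-list="$Bypass" | Out-Null
    & netsh.exe winhttp show proxy
}

# --- main ---
$before = Get-SmartCardStatus
Write-Log ('before: readers={0} card={1} certs={2}' -f $before.Readers, $before.CardPresent, $before.Certificates)

Write-Log ('SCardSvr after restart: {0}' -f (Restart-SmartCardService))

if ($SetProxy) {
    Write-Log "setting WinHTTP proxy to $ProxyServer (bypass: $BypassList)"
    Set-MachineProxy -Server $ProxyServer -Bypass $BypassList | ForEach-Object { Write-Log $_ }
}

$after = Get-SmartCardStatus
Write-Log ('after: readers={0} card={1} certs={2}' -f $after.Readers, $after.CardPresent, $after.Certificates)

if ($after.Readers -eq 0) {
    Write-Log 'WARNING: no reader visible to Windows; check Horizon smart card redirection / USB bridging on the thin client.'
} elseif (-not $after.CardPresent) {
    Write-Log 'WARNING: reader present but no card; the user may need to re-insert the card after the service restart.'
}
```

Two caveats for anyone adapting this. Restarting SCardSvr drops every smart card context on the machine, which is harmless on a single-user VDI desktop but not on a shared RDS host. The WinHTTP proxy is machine-wide and, as hschimpf describes, belongs in the golden image rather than in a per-logon script, which is why the script only sets it behind the -SetProxy switch; the log it writes is what you would compare against the middleware's own error to see whether Windows and the middleware disagree about the reader.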
                          • 11. Re: Smart Card drivers and App Volumes
                            ap_idb Enthusiast

                            Appreciate the feedback. Smart card redirection is in fact enabled on my agent. In fact, Windows sees the smart card ONLY when I have it enabled and bridged from my HP ThinPro thin client. Running certutil -scinfo shows that the Windows OS can interact with the card, and in fact I get a prompt from our middleware (Nexus Personal) to input the PIN. But the middleware itself... doesn't see any smart card device.

                            If I do USB redirection, the middleware sees the smart card but Windows does not. Frustrating...

                            I may need to test this out in a test pool after my next image update, but I appreciate the feedback. It's unfortunate, as I have a large group of users that rely on smart card authentication.

                            • 12. Re: Smart Card drivers and App Volumes
                              hschimpf Enthusiast

                              It might indeed be worth testing having the drivers in the master image. Then again, we never used any special drivers, just the default ones provided by Windows/VMware Tools.

                              Just for my understanding: if you disable the redirection in the Horizon agent, can you see the SC in your middleware and is it usable?

                              Best regards,

                              Raetke

                              • 13. Re: Smart Card drivers and App Volumes
                                ap_idb Enthusiast

                                I tried your suggestion regarding the winhttp proxy, and I have it set correctly, also bypassing localhost. Unfortunately it still has issues; the token middleware shows the same error 10022 about the token not being found when I try to access their site. A headache; I'm sure I'm doing this correctly, but it just won't work. May I ask if Nexus Personal is a middleware you've tried with?

                                • 14. Re: Smart Card drivers and App Volumes
                                  hschimpf Enthusiast

                                  Very, very strange. We've been using LuxTrust middleware, Barclaycard online login and Datev, which all started working after what I've described. Have you tried installing everything into the master image and using that in a test pool? There may be steps the software does which aren't captured by App Volumes or are excluded in the snapvol.cfg.

                                  Best regards,

                                  Raetke