VMware Horizon Community
ap_idb
Enthusiast

Smart Card drivers and App Volumes

Hello all,

I have a web app which requires a smart card to authenticate. I've read in various blog posts that this is doable, so I'm trying to do it. The OS sees the smart card via Device Manager, and if I run "certutil -scinfo" I get the cert info, and it even prompts me for the PIN through the middleware client. However, the middleware client is not seeing the card and is showing errors as if the card was removed. My guess is that possibly the mount point is throwing off the app's search for the card. Anyone have experience with this? I don't want to last-resort install this to a gold image...

INFO:

Card Reader - Gemalto CT30

Thin Client - HP T530 running ThinPro 7 (includes ccid driver for the reader)

Horizon 7.7

Windows 10 x 1803

App Volumes 2.16

Package includes: Nexus Personal, Euclid WebClient, Gemalto SafeNet Authentication Client (all of this is included in the package provided by Euclid WebClient)

16 Replies
cliffvmwareeuc
VMware Employee

So are you saying that you have the SC driver installed in an AppStack and it's not working?

ap_idb
Enthusiast

I have the SC Driver installed, correct.

It works if I redirect the smart card. I run "certutil -scinfo", and I define "works" as the certificates on the card being seen. In this case, the middleware application does not see the card and I get an error as if the card is missing. I've not seen any discussion about smart cards on App Volumes here, but I have seen some bloggers (Age Roskam comes to mind) who state it's doable.

cliffvmwareeuc
VMware Employee

It may be possible to put "certutil -scinfo" in a batch file...most likely a batch file that's run on logon, such as logon.bat or logon_postsvc.bat.

Check out the documentation for which script would best suit the driver and you can set these by attaching a volume to a VM without the Agent installed.

ap_idb
Enthusiast

Not fully understanding, so don't mind my question - are you saying that because you believe running that at logon has any impact?

cliffvmwareeuc
VMware Employee

Sorry, I was wrong there...

They are used to login to the actual application

Running the command you provided allows the smart card to work...so do you need to run the command every time the user wishes to use the application?

ap_idb
Enthusiast

No, I run that command to confirm I can see the smart card. It's a built-in Windows command, basically "certutil smart card info".

cliffvmwareeuc
VMware Employee

OK, it's interesting. Can you open a case for this?

ap_idb
Enthusiast

Will do.

Ray_handels
Virtuoso

I don't think smart card will work if you add the driver into an AppStack. The thing is that the driver is being added during logon and the service for it already runs during startup, so even though the smart card is being redirected successfully it cannot use the driver.

If you look at a printer, for example, you can add a print driver into an AppStack, but it will only work after restarting the print spooler service. You might want to try restarting the smart card service after logon; it might be able to initialize the driver after that.

We had somewhat the same issue with specific mice with their own driver. We needed to add those drivers to the golden image for it to work.
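The restart-after-attach idea in the reply above, written out as an added example (this is not code from the thread, from VMware or from any of the vendors named here). It is meant to be called from an AppStack logon script such as the logon_postsvc.bat mentioned earlier in the thread; that script name and the placement are assumptions, as is the choice of the two Windows services. It restarts the PC/SC resource manager (SCardSvr) and the Smart Card Device Enumeration Service (ScDeviceEnum), cycles the reader device so PnP re-binds it, and then repeats the "certutil -scinfo" check from the original post:

```powershell
# Added example (not from the thread): re-initialise the smart card stack after an
# App Volumes AppStack has delivered the middleware/driver. Intended to run from the
# AppStack's post-attach logon script; that script name (logon_postsvc.bat) and the
# choice of services are assumptions. Requires an elevated context (the App Volumes
# logon scripts run as SYSTEM).

function Restart-SmartCardStack {
    [CmdletBinding()]
    param()

    # SCardSvr is the PC/SC resource manager that middleware talks to; ScDeviceEnum
    # creates the per-card device nodes. Both start at boot, before the AppStack is
    # attached, so they have never seen the AppStack-delivered driver.
    foreach ($svc in 'SCardSvr', 'ScDeviceEnum') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($null -eq $s) { Write-Warning "Service $svc not present"; continue }
        if ($s.StartType -eq 'Disabled') {
            Set-Service -Name $svc -StartupType Manual
        }
        if ($s.Status -eq 'Running') {
            Restart-Service -Name $svc -Force    # -Force also restarts dependents
        } else {
            Start-Service -Name $svc
        }
    }

    # Cycle each present reader so Plug and Play re-binds it now that the
    # driver is reachable on the merged file system.
    $readers = @(Get-PnpDevice -Class SmartCardReader -PresentOnly -ErrorAction SilentlyContinue)
    foreach ($r in $readers) {
        Disable-PnpDevice -InstanceId $r.InstanceId -Confirm:$false -ErrorAction SilentlyContinue
        Enable-PnpDevice  -InstanceId $r.InstanceId -Confirm:$false -ErrorAction SilentlyContinue
    }
    return $readers
}

function Test-SmartCardPresent {
    # Same check the original poster did by hand. certutil prints the PC/SC state
    # of each reader; SCARD_STATE_PRESENT means the resource manager sees a card.
    # This parses tool output, so treat it as a heuristic, not an API-level check.
    $out = (& certutil.exe -scinfo 2>&1) -join "`n"
    return [bool]($out -match 'SCARD_STATE_PRESENT')
}

# Usage from the post-attach script (elevated):
#   $readers = Restart-SmartCardStack
#   "Readers after restart: $($readers.FriendlyName -join ', ')"
#   "Card present: $(Test-SmartCardPresent)"
```

Two caveats for the check: certutil only proves the Windows side (the resource manager and the minidriver) is working, which is exactly the state the original post describes, so a $true here says nothing about whether the middleware's own PKCS#11 path finds the token; and restarting SCardSvr under an interactive session drops any card handles that already-running processes hold, so run it before the middleware starts.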

hschimpf
Enthusiast

Hi,

So we had similar issues where the SC was seen in Windows but unable to be used. We did the following to get it to work.

First, we needed to forward the SC using vendor and product IDs on our zero clients (Dell Wyse with Teradici). After bridging the SC, it started showing in Windows.

The drivers in Windows are taken from Windows itself, so we didn't use any special drivers. The middleware is inside an AppStack but didn't recognize the SC after USB bridging.

In our environment we use a proxy to prevent systems from randomly accessing the internet. After a lot of troubleshooting we found that the Gemalto SC stick needs to send telemetry to Microsoft before starting to work. Unfortunately this doesn't work via the user proxy but has to be done using the NetShell proxy. So after adding the NetShell proxy to the golden image, we got it to work.

The last thing we found during this troubleshooting was that if you enable SC redirection in the Horizon agent, it stopped working again. So for us we needed to reinstall the agent without SC redirection enabled, and it started working again.

This solution has worked for different types of SC sticks, readers and PIN pads. One is used for web authentication as well, and it's working with this solution. None of the respective components are installed in the golden image. All software needed for the individual SC comes from the AppStack.

Hope this helps shine a light and maybe gives you an idea what else you can try.

Best regards,

Raetke
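The "NetShell proxy" step in the reply above refers to the machine-wide WinHTTP proxy, which services and anything running as SYSTEM use instead of the per-user WinINET proxy that browsers and most user-mode apps read. The following is an added example (not the poster's script, and not from VMware or Gemalto) that sets the WinHTTP proxy in the golden image and shows both proxy scopes side by side so a mismatch between them is obvious. The proxy host, port and bypass entries are placeholders:

```powershell
# Added example (not from the thread): configure the machine-level WinHTTP proxy
# ("netsh winhttp", the NetShell proxy the reply refers to) in the golden image,
# and compare it with the per-user WinINET proxy. Proxy address and bypass list
# are placeholder values. Run elevated.

function Set-MachineProxy {
    param(
        [Parameter(Mandatory)][string]$ProxyServer,   # placeholder, e.g. proxy.corp.example:8080
        # '<local>' matches hostnames without a dot; localhost is bypassed explicitly
        # because some middleware talks to a local helper over HTTP.
        [string[]]$Bypass = @('<local>', 'localhost', '127.0.0.1')
    )
    $bypassList = $Bypass -join ';'
    # netsh writes the value under
    # HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
    & netsh.exe winhttp set proxy proxy-server="$ProxyServer" bypass-list="$bypassList" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh winhttp set proxy failed (exit $LASTEXITCODE)" }
}

function Get-ProxyView {
    # Per-user WinINET proxy: what IE/Edge and most interactive apps use.
    $user = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
                             -ErrorAction SilentlyContinue
    # Machine-wide WinHTTP proxy: what services and SYSTEM processes use.
    $machine = ((& netsh.exe winhttp show proxy) -join "`n").Trim()
    [pscustomobject]@{
        UserProxyEnabled = [bool]$user.ProxyEnable
        UserProxyServer  = $user.ProxyServer
        UserBypass       = $user.ProxyOverride
        WinHttpSetting   = $machine
    }
}

# Usage in the golden image before sealing it (elevated):
#   Set-MachineProxy -ProxyServer 'proxy.corp.example:8080' -Bypass '<local>','*.corp.example'
#   Get-ProxyView
#
# To copy the current user's WinINET settings instead:  netsh winhttp import proxy source=ie
# To revert to direct access:                            netsh winhttp reset proxy
```

Because the WinHTTP setting lives in HKLM, it belongs in the golden image (or a startup script), not in the AppStack, which is the ordering the reply above describes; a per-user proxy pushed by policy does not reach the service that needs it.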

ap_idb
Enthusiast

Appreciate the feedback. Smart card redirection is in fact enabled on my agent. In fact, Windows sees the smart card ONLY when I have it enabled and bridged from my HP ThinPro thin client. Running certutil -scinfo shows that the Windows OS can interact with the card, and in fact I get a prompt from our middleware (Nexus Personal) to input the PIN. But the middleware itself...doesn't see any smart card device.

If I do USB redirection, the middleware sees the smart card but Windows does not. Frustrating...

I may need to test this out in a test pool after my next image update, but I appreciate the feedback. It's unfortunate, as I have a large group of users that rely on smart-card authentications.

hschimpf
Enthusiast

It might indeed be worth testing having the drivers in the master image. Then again, we never used any special drivers, just the default ones provided by Windows/VMware Tools.

Just for my understanding: if you disable the redirection in the Horizon agent, can you see the SC in your middleware, and is it usable?

Best regards,

Raetke

ap_idb
Enthusiast

I tried your suggestion regarding the WinHTTP proxy, and I have it set correctly but also bypassing localhost. Unfortunately it still has issues; the token middleware shows the same error 10022 about the token not being found when I try to access their site. A headache. I'm sure I'm doing this correctly, but it just won't work. May I ask if Nexus Personal is a middleware you've tried with?

hschimpf
Enthusiast

Very, very strange. We've been using LuxTrust middleware, Barclaycard online login and DATEV, which all started working after what I've described. Have you tried installing everything into the master image and using that in a test pool? There may be steps the software does which aren't captured by App Volumes or are excluded in the snapvol.cfg.

Best Regards,

Raetke

ap_idb
Enthusiast

Yeah, the gold image was not successful either. I always assume I'm in the wrong, so I'm going to look at this again.

You mentioned you do USB redirection, but not smart card redirection? Any reason why?

hschimpf
Enthusiast

There's still the possibility that, for whatever reason, the SC you are using or the zero clients are unable to work in this fashion. So it's not necessarily your fault, so to say.

I'm not 100% sure why, but when I had SC redirection enabled, it stopped working. My best guess is that the reason is that we bridge the SC devices. This, however, is necessary from what I've read, at least for Teradici clients.

Have you had this working in any constellation you've tried so far? Maybe a full clone of your GM?

Best regards,

Raetke
