VMware Horizon Community
twoton
Enthusiast
Enthusiast
‎03-13-2017 12:27 PM

Has Anyone Found a Working Thin/Zero Client for simulataneous CAC pre/in-session use?

I have a couple different devices from Dell, a Wyse 5030 zero client and a Wyse Dx0D, however neither work well for CAC authentication to my View 6.2 server.  I need to find a device that will support CAC authentication to the View connection server, SSO to automatically log the user into their desktop, and then in-session access to the smart card for applications that run.

The 5030 zero client will connect, but I have to turn off the Smart Card login feature on the virtual desktop otherwise the smart card reader is not visible and their is no access to the CAC card.  The problem with that is the user enters their PIN to authenticate to View, and then they land on the Windows desktop login screen with a username/password prompt.  If they disconnect/reconnect the reader, they will be presented with the option to log in using their smart card, but that's really hokey and not a very acceptable solution. 

On the Dx0D thin client, if I try to log in with the CAC, I get an immediate SSL error stating "no cipher match"  That sounds like a familiar problem, however I can't find anywhere to check to see what ciphers it's using, what's available, etc.  Their product support page is terrible, and the only way I can download any updates for the firmware is by buying a service contract.

Does anyone have any experience using a zero/thin client to support CAC authentication in their View environment and if so, have you been able to find any devices that work without having to deal with these issues?  I'm dying to find a viable alternative here.

0 Kudos
4 Replies
cjabates
Contributor
Contributor
‎06-14-2017 07:42 AM

We use Dell/Wyse P25s in a DoD environment as well.  Our servers are 7.1, but we are running agent 6.2.4 in the VDIs.

If you don't have all of your certificate issuers available to the connection servers, you won't be able to use the CACs.  I don't recall what the specific KB article that addresses this is, but I'm sure you can do a quick Google search for 'CAC vmware view' to find it.  the article has a specific section related to DoD CACs.

My agent settings include both USB & SC redirection, without using bridging on the ZC

0 Kudos
DumbUsername
Enthusiast
Enthusiast
‎06-17-2017 01:48 PM

We have used zero clients from several vendors (ClearCube, Wyse, LG) with smartcard login for many years, going back to View 4.x days. We haven't seen any hardware issues. Zero clients just pass the credentials through.

-Horizon/View servers are configured with applicable root/intermediate CAs for user certs on smartcard

-Parent VM has correct/updated middle-ware

-View agent has PCoIP smartcard and USB redirection features installed

-Zero clients have root CAs for View server cert

-Zero clients have the latest available firmware

-Some versions of zero client firmware (Tera1) don't support newer ciphers so we have to allow older ones within Horizon/View agent on parent VM.

-Single sign-on is normally enabled by default on both Horizon/View server and agent. If you get stuck at Windows login screen then maybe single sign-on is not enabled.

I can provide specifics, if needed.

0 Kudos
Techstarts
Expert
Expert
‎01-24-2018 07:19 AM

do we have to install middleware on parent VM? we are running Windows 10. My understanding is middleware is built into Windows 7.x and above. is it correct understanding.

we would like to use Biometric (FingerPrint) on Windows 10 in post-session. I see you below as troubleshooting step is to check if SSO is enabled. I would like to disable SSO, instead allow Finger print to be used for Windows authentication. Is it possible?

With Great Regards,
0 Kudos
DumbUsername
Enthusiast
Enthusiast
‎01-29-2018 08:26 PM

In our environment with our smartcards, we must install middleware on the parent VM.

0 Kudos