VMware Horizon Community
Najtsob
Enthusiast
Enthusiast
‎01-15-2020 06:45 AM

Logging In with a Smart Card - works from Windows but not from PCoIP zero clients

Horizon 7.10, single connection server, full VMs with Windows 10 64bit build 1903.

Horizon agent is installed with PCoIP smart card redirection feture and without USB redirection.

When connecting from laptops installed with various versions of Windows 10, the smart card login works as it should.

You select connection server, enter PIN and you get connected and logged into your Windows desktop.

C:\Users\test.one>certutil -scinfo

The Microsoft Smart Card Resource Manager is running.

Current reader/card status:

Readers: 1

  0: Gemalto USB SmartCard Reader 0

--- Reader: Gemalto USB SmartCard Reader 0

--- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED

--- Status: The card is available for use.

---   Card: IDPrime MD T=0

---    ATR:

        3b 7f 96 00 00 80 31 80  65 b0 85 03 00 ef 12 0f   ;.....1.e.......

        fe 82 90 00                                        ....

=======================================================

Analyzing card in reader: Gemalto USB SmartCard Reader 0

--------------===========================--------------

================ Certificate 0 ================

--- Reader: Gemalto USB SmartCard Reader 0

---   Card: IDPrime MD T=0

Provider = Microsoft Base Smart Card Crypto Provider

Key Container = te-b2f6aac3-2a61-4c6e-8b81-fbcaf5ca6fc8

... snip...

Done.

CertUtil: -SCInfo command completed successfully.

When connecting from Zero clients (terra 2), to the same desktops using same smartcard reader and card, initially looks like it would work.

When you insert smart card into the reader, the client starts automatically connecting to the server and prompts for PIN. Once you enter the PIN you get to select the pool and after you click connect you land on to the windows login screen, where you must enter password.

So basically looks like smart card checks up against connection server since you are connected without asking for username and password, but then windows don't see the smart card to perform loging into the desktop.

C:\Users\test.one>certutil -scinfo

The Microsoft Smart Card Resource Manager is not running.

WaitForSingleObject: Service is in an unknown state.

CertUtil: -SCInfo command FAILED: 0x80070102 (WIN32/HTTP: 258 WAIT_TIMEOUT)

CertUtil: The wait operation timed out.

In both cases the certificates are visible in MMC certificates snappin nad can be used in web applications.

Any idea why wouldn't smart card authentication worked from zero clients ? Redirection seems to work since certificates are visible in session and can be used, but then again certutil errors out in case of zero clients.

Thanks

Reply
0 Kudos
3 Replies
Najtsob
Enthusiast
Enthusiast
‎01-20-2020 06:24 AM

Does nobody uses smart cards for loggin into the desktops ?

I found this link: Teradici Technical Support
Where it states that you need to have PCoIP smart card redirection and USB redirection components installed, but this way still doesn't work and VMware doesn't state anywhere in the documentation what components do you need to have installed in Horizon Agent.

Any VMware documentation regarding certificates is half backed and quite useless :smileyangry:

Reply
0 Kudos
thomasskinner
Contributor
Contributor
‎09-10-2020 10:44 AM

Did you ever figure out this issue? We're having the same thing happen on Windows 10 1909. An uninstall and reinstall of the agent does not help either. We also have both USB redirection and smartcard redirection installed.

Reply
0 Kudos
iSeb2
Contributor
Contributor
‎10-14-2020 04:09 AM

We got the same issue, Horizon 2006, Windows LTSR 2019 VDIs, Teradici Zero clients. we're still looking for a solution, do you have any updates?

Reply
0 Kudos