Is there a way that I can use the VDI technology and have my users authenticate with a smartcard/proximity device? The second part is that if the user removes the card, will it end his session? Also, if the user goes to another thin client that has the VDI software installed, will he be able to resume his session? We are currently running an MS 2003 domain for domain authentication and using Novell for our directory service. I would like to have it work with both, but will settle for just the authentication.
Currently smart cards only auth to the desktop, not VDM. Users need to auth to VDM first, then SC pass-thru will authenticate to the desktop.
When moving from one device to another, the user will need to re-authenticate to VDM from the new device.
AD is a required component of VDM. You could use your eDirectory if you deploy AD and use an IDM solution to sync.
WP
Sorry, I might be missing something here, wponder. Your first sentence suggests that you cannot use a smart card to authenticate to VDM.
Yet your second sentence seems to indicate that if I were to authenticate to VDM with a smart card, these credentials would then be used to also authenticate to the desktop.
Or is your second sentence suggesting you would have to authenticate twice, once to VDM and then again to the desktop?
Apologies, I'm new to VDI/VDM and trying to get my head around it.
No worries. Today the following happens.
1. User walks up to a thin client or fat client running the VDM client
2. A username/password prompt is presented. The user enters their credentials. This is the login for VDM, not the virtual desktop. If SSO is enabled, when the desired desktop or default desktop connection is initiated the username and password are passed to the desktop and the user is connected, not requiring a second login.
With Smart Cards
1. User walks up to a thin client or fat client running the VDM client
2. A username/password prompt is presented. The user inserts their smart card; nothing happens. The user then enters their username and password. This is the login for VDM, not the virtual desktop. With SSO disabled, when the desired desktop or default desktop connection is initiated, smart card auth is started; depending on the configuration of the card management system they might need to enter a PIN, or the card will handle the authentication, and the user is connected, not requiring a second login.
With smart card support for VDM, the user would not need to enter a username and password for VDM. They would simply insert their card and it would handle the authentication to the broker.
Hope that helps.
WP
The lack of the smartcard authentication piece was one of the reasons we stopped looking at VDM as a connection broker. We turned to Leostream, and although they had this with IGEL, it still was not what we were looking for. We are using the WYSE V10L with WTOS. We worked closely with both of them and got the smartcard support we were looking for. Essentially, here's how it works:
User inserts their smartcard to thin client or smartcard reader device
WTOS would pass on the necessary credential/authentication field information over to the Connection Broker (Leostream)
Leostream takes that information and authenticates/validates the user against a directory service (in our case AD)
Everything good - user gets their desktop
Now you can configure various policies for smartcard behavior on the domain: what happens when a user removes their smartcard (lock the desktop, screen saver, etc.). This is done at GPO level on the domain. With Novell I'm not sure where you would do that. You could configure a local machine policy on your templates; that way the settings you want are already there.
The basic functionality, though, is still there regardless of whether you use GPOs or not. If you disconnect from one thin client and go to another in another room, with or without your smartcard, the RDP session follows you.
Personally I was disappointed with the first look at VDM, and there are still some basic features/functionality that are not there. Leostream was willing and able to customize this for us and have actually included this feature now as part of their suite, so it's available for everyone.
Let me know if this answers your question, and award points if so.
Thanks for confirming what I was afraid of, OM4EVER. That really blows that VDM can't support smartcard logon. Too bad, because I can't imagine it would take a lot for them to make it possible. Guess we can't go with the solution I was trying to put together with VMware (developers: hint hint)...
Do you know if HP's SAM connection broker can support smart card authentication like Leostream?
Here is one of the ways SmartCard Authentication can be used with VDI:
Patrick Rouse
Microsoft MVP - Terminal Server
Sr. Sales Engineer, Western USA & Canada
Quest Software, Provision Networks Division
Virtual Client Solutions
(619) 994-5507
I have the exact situation: Wyse V10L (WTOS), VDI back end and smart card. I'll do some more research to see if there is a VDI based smart card solution out there; else I will go with Leostream.
I just tested two HP thin clients; HP has a long way to go. Their clients are still bulky and slow. I prefer Wyse (much lighter, and WTOS 6.x is quite fast).
Here's how my solution is looking so far:
- Thin Client - Wyse V10L WTOS
- Backend -ESX 3.5, Virtual Center
- Connection Broker: Leostream
- Smart Card: PKI-based smart card, AET
Hope all these different pieces play out nicely with each other.
That's pretty much the same setup we have. Now there's a huge caveat. Thanks to our requirements, we were able to get Leostream and Wyse to work together and actually make changes to their code and firmware so that Wyse could "read" the card and pass over the UPN information to Leostream. That works now without any issues. You should be fine. The problem is when you attempt to use browser-based authentication with Leostream without Wyse in the picture, say if you have remote users in the mix. We're still working on getting this solution up. Once that's done we should be golden. Also, Leostream is releasing a client that you could put on a laptop or PC that would also read the smartcards and perform the same function as Wyse does on their thin clients. BTW, how big an infrastructure are you looking at?
Om4ever,
Thanks for your post. Initially I just want to roll it out for our nursing station: 50 stations. If it is a success, then I will push for hospital-wide deployment.
Thanks,
Meraz Nasir
Hi,
Do you have a step-by-step on how to configure Leostream with Wyse S10 WTOS and smart card authentication?
Regards,
No, not yet. But I am planning to write it once I have completed the deployment.
If you're using the V10L with rev 6.1.0_22, then the smartcard authentication piece should already be part of it. In reality Leostream isn't doing much, since it actually is Wyse that's doing the work (reading off the username field) and passing it off to Leostream. All you have to do from the Leostream side is make sure that under your authentication servers, if using AD, you choose the appropriate option to match the login name (options can be email, sAMAccountName, CN or UPN). Note that in certs, the only things that are not encrypted would be the UPN or email, as far as I know, to identify the user. We had to get Leostream and Wyse to do this for us, and they have now adopted this as a standard in the builds/solutions/implementations they release to the public at large. In our case we're using the UPN. Let me know if you need more help.
OM4EVER
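The identifier-matching step described in the post above (thin client reads the card, broker matches the UPN or e-mail against the directory), as an added example that is not part of the original thread and is not Leostream or Wyse code: a small Python routine that parses a logon certificate's subjectAltName for its UPN (the Microsoft OtherName OID 1.3.6.1.4.1.311.20.2.3) and rfc822Name e-mail entries, then maps the chosen one to a directory account. The domain hospital.example, the accounts and the card SAN are constructed data, and the DER codec covers only what a SAN extension needs.

```python
"""Added example, not code from the thread nor from Leostream or Wyse:
read the UPN and e-mail out of a smart-card certificate's subjectAltName
and match one of them to a directory account, the step the broker does
once the thin client hands it the identity read from the card.  Only the
SAN extension is handled; the SAN and directory below are constructed."""

OID_UPN = "1.3.6.1.4.1.311.20.2.3"  # real OID: Microsoft UPN OtherName
TAG_SEQUENCE, TAG_OID, TAG_UTF8 = 0x30, 0x06, 0x0C
TAG_CTX0_CONS = 0xA0  # [0] constructed: otherName, and the EXPLICIT value wrapper
TAG_CTX1_PRIM = 0x81  # [1] primitive: rfc822Name (e-mail address)

def _tlv(tag, body):
    """DER tag-length-value; short or long length form as needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _oid(dotted):
    """Dotted OID -> DER content bytes (first two arcs merged, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _read_tlv(buf, off=0):
    """(tag, content, offset after) for the TLV starting at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def _children(body):
    off = 0
    while off < len(body):
        tag, val, off = _read_tlv(body, off)
        yield tag, val

def build_san(upn=None, email=None):
    """Constructed subjectAltName like the one a CA puts in a logon certificate."""
    names = []
    if upn:  # OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }
        other = _tlv(TAG_OID, _oid(OID_UPN)) + _tlv(TAG_CTX0_CONS, _tlv(TAG_UTF8, upn.encode()))
        names.append(_tlv(TAG_CTX0_CONS, other))
    if email:
        names.append(_tlv(TAG_CTX1_PRIM, email.encode("ascii")))
    return _tlv(TAG_SEQUENCE, b"".join(names))

def san_identifiers(san_der):
    """Identifiers present in the SAN: {'upn': ..., 'email': ...} (keys only if found)."""
    tag, body, _ = _read_tlv(san_der)
    if tag != TAG_SEQUENCE:
        raise ValueError("subjectAltName must be a SEQUENCE OF GeneralName")
    ids = {}
    for gtag, gval in _children(body):
        if gtag == TAG_CTX0_CONS:
            kids = list(_children(gval))
            if len(kids) == 2 and kids[0][0] == TAG_OID and _decode_oid(kids[0][1]) == OID_UPN:
                vtag, vval, _ = _read_tlv(kids[1][1])  # unwrap the [0] EXPLICIT
                if vtag == TAG_UTF8:
                    ids["upn"] = vval.decode("utf-8")
        elif gtag == TAG_CTX1_PRIM:
            ids["email"] = gval.decode("ascii")
    return ids

def resolve_account(san_der, directory, match="upn"):
    """sAMAccountName whose `match` attribute ('upn' or 'email') equals the same
    identifier in the card's SAN, else None.  Case-insensitive, as AD treats
    userPrincipalName and mail; a card lacking that identifier maps to nothing."""
    wanted = san_identifiers(san_der).get(match)
    if not wanted:
        return None
    for entry in directory:
        if entry.get(match, "").lower() == wanted.lower():
            return entry["sAMAccountName"]
    return None

# Constructed sample data (hypothetical domain and accounts).
DIRECTORY = [
    {"sAMAccountName": "jdoe", "upn": "jdoe@hospital.example", "email": "john.doe@hospital.example"},
    {"sAMAccountName": "rnurse", "upn": "rnurse@hospital.example", "email": "r.nurse@hospital.example"},
]
CARD_SAN = build_san(upn="JDoe@hospital.example", email="john.doe@hospital.example")
EMAIL_ONLY_SAN = build_san(email="r.nurse@hospital.example")  # cert issued without a UPN
```

The SAN is plaintext in any X.509 certificate, so this lookup only tells the broker which account the card claims; trust comes from validating the certificate chain against the issuing CA and from the card proving possession of the private key (the PIN-protected signature), which the broker or the desktop's Kerberos logon must still perform before the mapped account is granted a session. A card whose certificate carries no identifier matching the configured attribute resolves to no account rather than to a fallback.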
Here's what I am using on my test setup:
Wyse V10L with integrated smartcard reader, running 6.2.0_08 code
Linux FTP server to publish the wnos.ini file and any future Wyse code upgrades
Linux Red Hat NTP server, since Wyse requires it.
All the custom Wyse DHCP options.
Virtual Center 2.5 U2 and ESX 3.5 U2
VM running XP Pro SP3, with Leostream agent installed but NO Wyse agent
Leostream Virtual Appliance running 5.1.9
CA - Windows 2003 Ent, Microsoft native
Smartcard: SageSign
Issues:
Can we eliminate entering the PIN code at the login prompt on Wyse clients?
How to handle password reset at first logon.
Is it cost effective if we need to buy support from all these different vendors?