hongshengl's Posts

thanks for your clarification and I know your user scenario.   I think there are something special configuration on your igel OS 11 system. Could you please double check the file under the path /usr/lib/vmware/view/pkcs11 and tell me the result? I suspect that maybe you had added some other PKCS11 modules into this path so horizon client will automatically open the smart card login dialog even no physical smart card reader plugin.   thanks,

This is the common/expected behavior that If no smartcard is present when the client/login screen is started, horizon client goes straight to the manual login option. And could you please explain your detail requirement on "Horizon client login screen is waiting at the smartcard login screen, with the secondary option to manually login."? you means horizon client will stack at smart card login dialog and wait for user to insert smart card? I am confused that this scenario that if there always have no smart card, how long horizon client will move to AD login from your testing. It will be appreciated that if you list the detail steps about the user scenario that you tested.

From my local testing on Ubuntu 2004, the same behavior when I use horizon Linux client 2206, 2212 and 2303. If there has no smart card attached and the broker connection server choose "Optional" as Smart card authentication for users type, the AD login page will automatically. There is no difference on user experience on Ubuntu and is there some special settings on you local IGEL machine? Another suggestion is that, if you want user always to use smart card to login, user can choose the "Required" as Smart card authentication for users type in connection server settings.

hi nnelson97, After lock the remote desktop, you can choose the "sign-in options" button and use the smart card login. This is not related with protocol which one you selected and you can use RDP, Blast or PCOIP. Below is my screen record to show how the smart card work under session locked scenario. It should be work for customer. What's your problem in detail? 1. can not see the "sign-in options" button on your login page? or 2. there has a additional other issue shown once you choose to use smart card to unlock it?

you can enable the UseCryptoAPI to use legacy CAPIs by setting the regkey HKLM(HKCU)\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Client\UseCryptoAPI to true (REG_SZ)  then check the status.   Anyway, could you please enable detail log by setting the regkey HKLM\SOFTWARE\VMware, Inc.\VMware VDM\TraceEnabled to true (REG_SZ)  and collect windows client log?

Translate the words from German to English: Windows security smart card Select smart card device Smart card error Microsoft UICC ISO Reader 8ca5e2a2 1 The smart card requires drivers that are not present on this system. Try a different smart card or contact your administrator. The smart card requires drivers that are not present on this system. Try a different smart card or contact your administrator. More options Smart card error Microsoft UICC ISO Reader 8ca5e2a2 1 Personal - Siemens CardOS V4.4 Alcorlink USB Smart Card Reader 0 OK Interrupt This dialog is popup by windows system which required by VMware Horizon product. It looks like the smart card driver is not present for the smart card user selected on the system. Could you please use the certmgr.msc to delete all the local cached personal certificates? Then plugin the reader again and select the right certificate that belongs to the physical card.

hi robin, You mentioned that 1. I can map the smart card in to the VDI 2. can not see any information about the smart card 3. still it can be tunneld/mapped without any issues from the tinnclient in to the VDI. Could you explain it more detail for looks like there is something conflict with the item 2 and item 3? It looks like the smart card redirection do not work at all on your Wyse device. First please make sure your Wyse thinOS can connect to the attached smart card and use the pkcs11-tools to check the content of smart card which used to make sure the client environment is OK. Second please manually install the PKCS11 modules into horizon path by copy the PKCS11 dynamic library into /usr/lib/vmware/view/pkcs11 path.   Third could you please try to use windows horizon client to connect your VDI agent to make sure the VDI agent smart card configuration is OK.   After you are sure the client env and Agent(DVI) env are both OK, you can use the horizon client to redirect the local smart card to the remote VDI agent.   BRs, hongsheng

Thanks for your clarification and the HP thinpro 7.2 is a kind of lightweight, high secure Linux-based OS which can keep your workforce safe and efficient. You mentioned that there has a "Security module option", does it mean the Preference settings under "File" table button of Horizon VIew Client or something else? If possible, could you please add a screenshot to indicate what's the "Security module option"?

hi IT_Men, Could you please tell me the installed OS on your HP t640? It looks like you want to use "predefined smart card" to do authentication work, which means the local device certificates installed on your System. am I right? Could you please also share the screen shot/record of when the unexpected dialog popup? thanks.

You mentioned that: "I use another computer the login works fine",  could you please tell me the kind of OS on the another computer?   We already noticed a similar issue that certificate mapping is not correct on PIV smartcard which can works well on Windows platform but failed at MAC OS.  

Please try the below command and check whether any smart card setting is set on your env. #defaults read /Library/Preferences/com.apple.security.smartcard   By the way you can also try to use below command can display available smartcards on your Mac: #security list-smartcards   About the certificate mapping status of your smartcard, maybe you should consult with the card provider or the person who flash the certificates into the physical smartcard. There has a reference about how to mapping the certs into PIV card: https://pivkey.zendesk.com/hc/en-us/articles/115000506843-Mapping-a-PIV-Certificate-using-an-OID

From your log, it seems that there are no valid login certificates from MAC CTK service. Could you please execute command to show the smart card mapping status on your MAC OS: #sc_auth identities If all the certificates can be recognized correctly, it can show below results: SmartCard: com.apple.pivtoken:00000000000000000000000000000000 Unpaired identities: 088247DB83C93BA7F970CB742F6E135DD6EEE638 Certificate For Card Authentication (Test Agency, Test Department) 56FD4DE755D04C368B809128F9D4EE5482BDE0EB Certificate For Digital Signature (Test Cardholder) AEAEED0DFBB928D3C8975ECD67557E9BA8EB1FD9 Certificate For PIV Authentication (Test Cardholder) Otherwise, please check the certificates mapping status on your smart card.