After you set up smart card authentication for the first time, or when smart card authentication is not working correctly, you should verify your smart card authentication configuration.

Procedure

  • Verify that each client system has smart card middleware, a smart card with a valid certificate, and a smart card reader. For end users, verify that they have Horizon Client.

    See the documentation provided by your smart card vendor for information on configuring smart card software and hardware.

  • On each client system, select Start > Settings > Control Panel > Internet Options > Content > Certificates > Personal to verify that certificates are available for smart card authentication.

    When a user or administrator inserts a smart card into the smart card reader, Windows copies certificates from the smart card to the user's computer. Applications on the client system, including Horizon Client, can use these certificates.

  • In the locked.properties file on the View Connection Server or security server host, verify that the useCertAuth property is set to true and is spelled correctly.

    The locked.properties file is located in install_directory\VMware\VMware View\Server\sslgateway\conf. The useCertAuth property is commonly misspelled as userCertAuth.

  • If you configured smart card authentication on a View Connection Server instance, check the smart card authentication setting in View Administrator.
    1. Select View Configuration > Servers.
    2. On the Connection Servers tab, select the View Connection Server instance and click Edit.
    3. If you configured smart card authentication for users, on the Authentication tab, verify that Smart card authentication for users is set to either Optional or Required.
    4. If you configured smart card authentication for administrators, on the Authentication tab, verify that Smart card authentication for administrators is set to either Optional or Required.

    You must restart the View Connection Server service for changes to smart card settings to take effect.

  • If the domain a smart card user resides in is different from the domain your root certificate was issued from, verify that the user’s UPN is set to the SAN contained in the root certificate of the trusted CA.
    1. Find the SAN contained in the root certificate of the trusted CA by viewing the certificate properties.
    2. On your Active Directory server, select Start > Administrative Tools > Active Directory Users and Computers.
    3. Right-click the user in the Users folder and select Properties.

    The UPN appears in the User logon name text boxes on the Account tab.

  • If smart card users use the PCoIP protocol to connect to single-session desktops, verify that the View Agent PCoIP Smartcard feature is installed on the single-user machines. The PCoIP Smartcard feature lets users log in to single-session desktops with smart cards using the PCoIP protocol. RDS hosts, which have the Remote Desktop Services role installed, support the PCoIP Smartcard feature automatically and you do not need to install the feature.
  • Check the log files in drive:\Documents and Settings\All Users\Application Data\VMware\VDM\logs on the View Connection Server or security server host for messages stating that smart card authentication is enabled.