When smart card redirection is enabled on a remote desktop, a user can authenticate into the desktop using a smart card reader connected to the client system. To set up smart card redirection, you must perform some configuration steps.

Overview of Smart Card Redirection

Smart card redirection is supported on desktops running the following Linux distributions with the specified versions of Horizon Agent installed.

Table 1. System Requirements for Smart Card Redirection
Linux Distribution          Horizon Agent
RHEL 8.1                    Horizon Agent 7.12 or later
RHEL 8.0                    Horizon Agent 7.10 or later
RHEL 7.1 or later           Horizon Agent 7.8 or later
RHEL 6.6 or later           Horizon Agent 6.2.1 or later
Ubuntu 20.04/18.04/16.04    Horizon Agent 7.9 or later
SLED/SLES 12.x SP3          Horizon Agent 7.9 or later

When you install Horizon Agent, you must first disable SELinux. You must also specifically select the smart card redirection component because the component is not selected by default. For more information, see install_viewagent.sh Command-Line Options.

If the smart card redirection feature is enabled on a virtual machine, vSphere Client's USB redirection does not work with the smart card.

Smart card redirection supports only one smart card reader at a time. This feature does not work if two or more readers are connected to the client system.

Smart card redirection supports only one certificate on the card. If more than one certificate is on the card, the one in the first slot is used and the others are ignored. This behavior is a Linux limitation.

Note: Smart card redirection supports PIV cards on Linux desktops. When you use Horizon Client for Linux to authenticate the broker with a PIV card, you must configure the PIV smart card with TLSv1.2 support to avoid receiving an SSL error. Use the solution described in VMware Knowledge Base article http://kb.vmware.com/kb/2150470.
Note: Smartcard SSO is enabled in Horizon 7 version 7.0.1 or later. RHEL 6.x desktops support Smartcard SSO, but RHEL 7.x and RHEL 8.x desktops do not support the feature.

Configuring Smart Card Redirection

To configure smart card redirection, perform the following tasks.

  1. Set up the smart card for your desktop by following the instructions from the Linux distributor and from the smart card vendor.
  2. Integrate your desktop with an Active Directory domain, following the procedure for your Linux distribution.
  3. Configure smart card redirection on your desktop, following the procedure for your Linux distribution.