You can use Horizon Administrator to specify settings to accommodate different smart card authentication scenarios.

When you configure these settings on a Connection Server instance, the settings are also applied to paired security servers.

Prerequisites

  • Modify Connection Server configuration properties on your Connection Server host.

  • Verify that Horizon clients make HTTPS connections directly to your Connection Server or security server host. Smart card authentication is not supported if you off-load TLS to an intermediate device.

Procedure

  1. In Horizon Administrator, select View Configuration > Servers.
  2. On the Connection Servers tab, select the Connection Server instance and click Edit.
  3. To configure smart card authentication for remote desktop and application users, perform these steps.
    1. On the Authentication tab, select a configuration option from the Smart card authentication for users drop-down menu in the View Authentication section.

      Option

      Action

      Not allowed

      Smart card authentication is disabled on the Connection Server instance.

      Optional

      Users can use smart card authentication or password authentication to connect to the Connection Server instance. If smart card authentication fails, the user must provide a password.

      Required

      Users are required to use smart card authentication when connecting to the Connection Server instance.

      When smart card authentication is required, authentication fails for users who select the Log in as current user check box when they connect to the Connection Server instance. These users must reauthenticate with their smart card and PIN when they log in to Connection Server.

      Note:

      Smart card authentication replaces Windows password authentication only. If SecurID is enabled, users are required to authenticate by using both SecurID and smart card authentication.

    2. Configure the smart card removal policy.

      You cannot configure the smart card removal policy when smart card authentication is set to Not Allowed.

      Option

      Action

      Disconnect users from View Connection Server when they remove their smart cards.

      Select the Disconnect user sessions on smart card removal check box.

      Keep users connected to View Connection Server when they remove their smart cards and let them start new desktop or application sessions without reauthenticating.

      Deselect the Disconnect user sessions on smart card removal check box.

      The smart card removal policy does not apply to users who connect to the Connection Server instance with the Log in as current user check box selected, even if they log in to their client system with a smart card.

    3. Configure the smart card user name hints feature.

      You cannot configure the smart card user name hints feature when smart card authentication is set to Not Allowed.

      Option

      Action

      Enable users to use a single smart card certificate to authenticate to multiple user accounts.

      Select the Allow smart card user name hints check box.

      Disable users from using a single smart card certificate to authenticate to multiple user accounts.

      Deselect the Allow smart card user name hints check box.

  4. To configure smart card authentication for administrators logging in to Horizon Administrator, click the Authentication tab and select a configuration option from the Smart card authentication for administrators drop-down menu in the View Administration Authentication section.

    Option

    Action

    Not allowed

    Smart card authentication is disabled on the Connection Server instance.

    Optional

    Administrators can use smart card authentication or password authentication to log in to Horizon Administrator. If smart card authentication fails, the administrator must provide a password.

    Required

    Administrators are required to use smart card authentication when they log in to Horizon Administrator.

  5. Click OK.
  6. Restart the Connection Server service.

    You must restart the Connection Server service for changes to smart card settings to take effect, with one exception. You can change smart card authentication settings between Optional and Required without having to restart the Connection Server service.

    Currently logged in user and administrators are not affected by changes to smart card settings.

What to do next

Prepare Active Directory for smart card authentication, if required. See Prepare Active Directory for Smart Card Authentication.

Verify your smart card authentication configuration. See Verify Your Smart Card Authentication Configuration.