Client devices that use a smart card for user authentication must meet certain requirements.

Client Hardware and Software Requirements

Smart card authentication is supported only on Android devices. It is not supported on Chromebook devices. Use an Android 5.0 or later operating system. The CPU architecture can be ARM or x86.

Each client device that uses a smart card for user authentication must have the following hardware and software.

  • Horizon Client

  • A compatible smart card reader

    VMware tested the baiMobile 3000MP Bluetooth Smart Card, baiMobile 301MP USB Smart Card, and baiMobile 301MP_LT Smart Card readers.

  • Smart card middleware

    The Android device app must support the baiMobile smart card reader. One such app is baiMobile PCSC-Lite (Android device tile name baiMobile PC/SC). Horizon Client for Android contains support for both the baiMobile 3000MP Bluetooth and baiMobile 301MP USB smart card readers. Without such an app, you can pair the Bluetooth card reader with the Android device, but you cannot connect it. The app sends a connection request to the reader and you tap the OK button on the reader to establish the Bluetooth connection.

  • Product-specific application drivers

Users that authenticate with smart cards must have a smart card and each smart card must contain a user certificate.

Remote Desktop and Published Application Software Requirements

A Horizon administrator must install product-specific application drivers on the virtual desktops or RDS host. VMware tested the ActiveClient6.2.0.50, ActivClient_7.0.1, Gemalto.MiniDriver.NET.inf, and Charismathics CSTC PIV 5.2.2 drivers.

Enabling the User Name Hint Text Box in Horizon Client

In some environments, smart card users can use a single smart card certificate to authenticate to multiple user accounts. Users enter their user name in the Username hint text box when they sign in with a smart card.

To make the Username hint text box appear on the Horizon Client login dialog box, you must enable the smart card user name hints feature in Connection Server. The smart card user name hints feature is supported only with Horizon 7 version 7.0.2 and later servers and agents. For information about enabling the smart card user name hints feature, see the Horizon 7 Administration document.

If your environment uses a Unified Access Gateway appliance rather than a security server for secure external access, you must configure the Unified Access Gateway appliance to support the smart card user name hints feature. The smart card user name hints feature is supported only with Unified Access Gateway 2.7.2 and later. For information about enabling the smart card user name hints feature in Unified Access Gateway, see the Deploying and Configuring Unified Access Gateway document.

Horizon Client continues to support single-account smart card certificates even when the smart card user name hints feature is enabled.

Additional Smart Card Authentication Requirements

In addition to meeting the smart card requirements for Horizon Client systems, other Horizon components must meet certain configuration requirements to support smart cards.

Connection Server and security server hosts

An administrator must add all applicable Certificate Authority (CA) certificates for all trusted user certificates to a server truststore file on the Connection Server or security server host. These certificates include root certificates and, if an intermediate certificate authority issues the user's smart card certificate, must also include intermediate certificates.

For information about configuring Connection Server to support smart card use, see the Horizon 7 Administration document.

Active Directory

For information about tasks that an administrator might need to perform in Active Directory to implement smart card authentication, see the Horizon 7 Administration document.