To use a physical smart card, you must connect and pair the card reader with the device and set the smart card removal policy.

Prerequisites

Verify that the client device, remote desktops, RDS hosts, Connection Server host, and other Horizon components meet the smart card authentication requirements. See Smart Card Authentication Requirements.

Procedure

  1. Install the smart card middleware app on the device.
  2. Pair the device with the smart card reader, according to the documentation provided by the manufacturer of the reader.
    If you use a Bluetooth smart card reader, a randomly generated number appears on both devices during this process. When you confirm that the numbers match, you establish secure Bluetooth communication.
  3. Configure the smart card removal policy.
    Option Description
    Set the policy on the Connection Server instance When you set the policy on the Connection Server instance, you can disconnect users from the Connection Server instance when they remove their smart cards, or keep users connected to Connection Server when they remove their smart cards and allow them to start new remote desktop or published application sessions without having to reauthenticate.
    1. In Horizon Console, select Settings > Servers.
    2. On the Connection Servers tab, select the Connection Server instance and click Edit.
    3. On the Authentication tab, select or deselect the Disconnect user sessions on smart card removal check box to configure the smart card removal policy.
    4. To save the changes, click OK.
    5. To make the changes take effect, restart the Connection Server service.

    If you select the Disconnect user sessions on smart card removal check box, Horizon Client returns to the Recent tab when users remove their smart cards.

    Set the policy on the remote desktop When you set the policy on the remote desktop, you can use the Group Policy Editor (gpedit.msc) to configure one of the following settings: no action, lock workstation, force log off, or Disconnect if a Remote Desktop Services session.
    1. Open gpedit.msc in the remote desktop operating system.
    2. Navigate to Windows settings > Security settings > Local policies > Security options > Interactive logon: smart card removal behavior.
    3. Run the gpupdate /force command after you change the configuration to force a group policy refresh.