Client devices that use a smart card for user authentication must meet certain requirements.
Client Hardware and Software Requirements
Each client device that uses a smart card for user authentication must have the following hardware and software.
- Horizon Client
- A compatible smart card reader
- Smart card reader driver
- Smart card driver
- Product-specific application drivers
Users that authenticate with smart cards must use a supported smart card type with the corresponding middleware, as described in the following section. Each smart card must also contain a user certificate.
Requirements for Smart Card Type and Middleware
Horizon Client supports the following combinations of smart cards and smart card middleware.
| Smart Card Type | Manufacturer | Client-side Middleware | Agent-side Middleware |
|---|---|---|---|
| Personal Identity Verification (PIV) Card |
NIST | OpenSC PKCS11 module | ActivClient 7.x |
| IDprime .NET Card | Gemalto | Gemalto .NET PKCS11 library (libgtop11dotnet.so) |
Gemalto .NET minidriver |
Remote Desktop and Published Application Software Requirements
A Horizon administrator must install product-specific application drivers on the virtual desktops or RDS host.
Enabling the User Name Hint Text Box in Horizon Client
In some environments, smart card users can use a single smart card certificate to authenticate to multiple user accounts. Users enter their user name in the Username hint text box when they sign in with a smart card.
To make the Username hint text box appear on the Horizon Client login dialog box, you must enable the smart card user name hints feature in Connection Server. For information about enabling the smart card user name hints feature, see the Horizon Administration document.
If your environment uses a Unified Access Gateway appliance for secure external access, you must configure the Unified Access Gateway appliance to support the smart card user name hints feature. The smart card user name hints feature is supported only with Unified Access Gateway 2.7.2 and later. For information about enabling the smart card user name hints feature in Unified Access Gateway, see the Deploying and Configuring VMware Unified Access Gateway document.
Horizon Client continues to support single-account smart card certificates even when the smart card user name hints feature is enabled.
Additional Smart Card Authentication Requirements
In addition to meeting the smart card requirements for Horizon Client systems, other Horizon components must meet certain configuration requirements to support smart cards.
- Connection Server and security server hosts
-
An administrator must add all applicable Certificate Authority (CA) certificate chains for all trusted user certificates to a server truststore file on the Connection Server host or, if a security server is used, on the security server host. These certificate chains include root certificates and, if an intermediate certificate authority issues the user's smart card certificate, must also include intermediate certificates.
For information about configuring Connection Server to support smart card use, see the Horizon Administration document.
- Unified Access Gateway appliances
- For information about configuring smart card authentication on a Unified Access Gateway appliance, see the Deploying and Configuring VMware Unified Access Gateway document.
- Active Directory
- For information about tasks that an administrator might need to perform in Active Directory to implement smart card authentication, see the Horizon Administration document.
