Client devices that use a smart card for user authentication must meet certain requirements.

Client Hardware and Software Requirements

Each client machine that uses a smart card for user authentication must have the following hardware and software.

  • Horizon Client
  • A compatible smart card reader
  • Product-specific application drivers

Users must have a smart card, and each smart card must contain a user certificate. The following smart cards are supported.

  • U.S. Department of Defense Common Access Card (CAC)
  • U.S. Federal Government Personal Identity Verification (PIV) card (also called FIPS-201 smart cards)
  • Gemalto .NET card
  • Gemalto IDPrime MD card

For CAC and PIV cards, Horizon Client uses the CryptoTokenKit smart card driver by default and you do not need to install any middleware.

For Gemalto .NET cards, install the correct SafeNet Authentication Client version for your macOS version. Gemalto SafeNet Authentication Client supports both CryptoTokenKit and TokenD smart card drivers for Gemalto .NET smart cards.

You can also use the following third-party smart card drivers with CAC and PIV cards.

  • PKard for Mac v1.7 and v1.7.1
  • Charismathics (CCSI_5.0.3_PIV)
  • Centrify Express

To use a third-party smart card driver, you must disable the CryptoTokenKit smart card driver. For more information, see Disabling the CryptoTokenKit Smart Card Driver.

Agent Software Requirements

A Horizon administrator must install product-specific application drivers on the agent machine.

With PIV cards, the operating system installs the related driver when you insert a smart card reader and PIV card for a Windows 7 virtual desktop. The following agent drivers are supported for PIV cards for Windows 7 virtual desktops.

  • Charismathics (CSTC PIV 5.2.2)
  • Microsoft minidriver
  • ActivClient 6.x

The following agent drivers are supported for PIV cards for Windows 10 virtual desktops.

  • Charismathics (CSTC PIV 5.2.2)
  • ActivClient 7.x

For Gemalto .NET cards, the Gemalto Minidriver for .NET Smart Card driver is supported.

Enabling the Username Hint Field in Horizon Client

In some environments, smart card users can use a single smart card certificate to authenticate to multiple user accounts. Users enter their user name in the Username hint text box when they use a smart card to authenticate.

To make the Username hint text box appear on the Horizon Client login dialog box, you must enable the smart card user name hints feature for the Connection Server instance in Horizon Console. The smart card user name hints feature is supported only with Horizon 7 version 7.0.2 and later servers and agents. For information about enabling the smart card user name hints feature, see the VMware Horizon Console Administration document.

If your environment uses a Unified Access Gateway appliance rather than a security server for secure external access, you must configure the Unified Access Gateway appliance to support the smart card user name hints feature. The smart card user name hints feature is supported only with Unified Access Gateway 2.7.2 and later. For information about enabling the smart card user name hints feature in Unified Access Gateway, see the Deploying and Configuring Unified Access Gateway document.

Note: Horizon Client supports single-account smart card certificates, even when the smart card user name hints feature is enabled.

Additional Smart Card Authentication Requirements

In addition to meeting the smart card requirements for Horizon Client systems, other Horizon components must meet certain configuration requirements to support smart cards.

Connection Server and security server hosts
A Horizon administrator must add all applicable Certificate Authority (CA) certificates for all trusted user certificates to a server truststore file on the Connection Server host or security server host. These certificates include root certificates and must include intermediate certificates if the user's smart card certificate was issued by an intermediate certificate authority.

When you generate a certificate for a blank PIV card, enter the path to the server truststore file on the Connection Server or security server host on the Crypto Provider tab in the PIV Data Generator tool.

For information about configuring Connection Server to support smart card use, see the VMware Horizon Console Administration document.

Active Directory
For information about tasks that an administrator might need to perform in Active Directory to implement smart card authentication, see the VMware Horizon Console Administration document.