With the client device certificate authentication feature, you can set up certificate authentication for client devices. Unified Access Gateway authenticates the client devices. Microsoft Certificate Services, with Active Directory, manages the creation and distribution of certificates to the client devices. After successful device authentication, the user must still perform user authentication.
This feature has the following requirements.
- Unified Access Gateway 2.6 or later
- Horizon 7 version 7.5 or later
- A certificate installed on the client device that Unified Access Gateway accepts
For information about configuring Unified Access Gateway, see the Unified Access Gateway documentation.
For the Cryptographic Service Provider (CSP) specified in the certificate issuing template, use the Microsoft Enhanced RSA and AES Cryptographic Provider. This CSP supports SHA-256 certificates and TLS v1.2. Use SHA-256. SHA-1 is too weak for authentication purposes.
For Windows to use a certificate for client device authentication, the user on the client device must have read access to the certificate private key. The private key does not need to be exportable. The Key Usage of the certificate must include Digital Signature and Key Encipherment (a0).
You can install the certificate in the Current User or Local Computer certificate store on the client device. On Windows 10, if you install the certificate in the Local Computer certificate store, and the user does not belong to the SYSTEM or Local Administrators user group, you must perform the following steps to give the user read access to the certificate private key. If you install the certificate in the Current User certificate store, you do not need to perform these steps.
- Open the Local Computer certificate store on the client device.
- Right-click the device certificate and select .
- Add the user, assign Read permission to the user, and click OK.