With the client device certificate authentication feature, you can set up certificate authentication for client devices. Unified Access Gateway authenticates the client devices. Microsoft Certificate Services, with Active Directory, manages the creation and distribution of certificates to the client devices. After successful device authentication, the user must still perform user authentication.
This feature has the following requirements.
- Unified Access Gateway 2.6 or later
- Horizon 7 version 7.5 or later
- A certificate installed on the client device that Unified Access Gateway accepts
For information about configuring Unified Access Gateway, see the Unified Access Gateway documentation.
Before issuing a certificate, you must create the certificate template. You must select either Key Storage Provider or Legacy Cryptographic Service Provider.
To create a KSP certificate template, select Windows Server 2008 or later for the Certification Authority on the Compatibility tab and select Key Storage Provider on the Cryptography tab.
If you are using a KSP certificate template to issue the certificate, select Microsoft Software Key Storage Provider or a third-party smart card KSP that supports RSA with SHA-256 algorithms. If you are using a legacy CSP certificate template, select Microsoft Enhanced RSA and AES Cryptographic Provider, which supports RSA with SHA-256 algorithms and TLS1.2.
For a list of CryptoAPI cryptographic service providers, go to https://docs.microsoft.com/en-us/windows/win32/seccertenroll/cryptoapi-cryptographic-service-providers.