Client systems that use a smart card for user authentication must meet certain requirements.

Client Hardware and Software Requirements

Each client system that uses a smart card for user authentication must have the following hardware and software:

  • Horizon Client

  • A compatible smart card reader

    Horizon Client supports smart cards and smart card readers that use a PKCS#11 or Microsoft CryptoAPI provider. You can optionally install the ActivIdentity ActivClient software suite, which provides tools for interacting with smart cards.

  • Product-specific application drivers

Users that authenticate with smart cards must have a smart card or USB smart card token, and each smart card must contain a user certificate.

Smart Card Enrollment Requirements

To install certificates on a smart card, an administrator must set up a computer to act as an enrollment station. This computer must have the authority to issue smart card certificates for users, and it must be a member of the domain you are issuing certificates for.

When you enroll a smart card, you can choose the key size of the resulting certificate. To use smart cards with local desktops, you must select a 1024-bit or 2048-bit key size during smart card enrollment. Certificates with 512-bit keys are not supported.

The Microsoft TechNet website includes detailed information about planning and implementing smart card authentication for Windows systems.

Remote Desktop and Application Software Requirements

A Horizon administrator must install product-specific application drivers on the remote desktops or RDS host.

Enabling the Username Hint Field in Horizon Client

In some environments, smart card users can use a single smart card certificate to authenticate to multiple user accounts. Users enter their user name in the Username hint field during smart card sign-in.

To make the Username hint field appear on the Horizon Client login dialog box, you must enable the smart card user name hints feature for the Connection Server instance in Horizon Administrator. The smart card user name hints feature is supported only with Horizon 7 version 7.0.2 and later servers and agents. For information about enabling the smart card user name hints feature, see the View Administration document.

If your environment uses an Unified Access Gateway appliance rather than a security server for secure external access, you must configure the Unified Access Gateway appliance to support the smart card user name hints feature. The smart card user name hints feature is supported only with Unified Access Gateway 2.7.2 and later. For information about enabling the smart card user name hints feature in Unified Access Gateway, see the Deploying and Configuring Unified Access Gateway document.

Note:

Horizon Client still supports single-account smart card certificates when the smart card user name hints feature is enabled.

Additional Smart Card Authentication Requirements

In addition to meeting the smart card requirements for Horizon Client systems, other Horizon components must meet certain configuration requirements to support smart cards.

Connection Server and security server hosts

An administrator must add all applicable Certificate Authority (CA) certificates for all trusted user certificates to a server truststore file on the Connection Server host or security server host. These certificates include root certificates and must include intermediate certificates if the user's smart card certificate was issued by an intermediate certificate authority.

For information about configuring Connection Server to support smart card use, see the View Administration document.

Active Directory

For information about tasks that an administrator might need to perform in Active Directory to implement smart card authentication, see the View Administration document.