Client devices that use a smart card for user authentication must meet certain requirements.
Client Hardware and Software Requirements
Each client device that uses a smart card for user authentication must have the following hardware and software.
- Horizon Client
- A compatible smart card reader
Horizon Client supports smart cards and smart card readers that use a PKCS#11 or Microsoft CryptoAPI provider. You can optionally install the ActivIdentity ActivClient software suite, which provides tools for interacting with smart cards.
- Product-specific application drivers
Users that authenticate with smart cards must have a smart card or USB smart card token, and each smart card must contain a user certificate.
Smart Card Enrollment Requirements
To install certificates on a smart card, an administrator must set up a computer to act as an enrollment station. This computer must have the authority to issue smart card certificates for users, and it must be a member of the domain for which you are issuing certificates.
When you enroll a smart card, you can select the key size of the resulting certificate. To use smart cards with local desktops, you must select a 1024-bit or 2048-bit key size when you enroll the smart card. Certificates that have 512-bit keys are not supported.
The Microsoft TechNet website includes detailed information about planning and implementing smart card authentication for Windows systems.
Remote Desktop and Published Application Software Requirements
A Horizon administrator must install product-specific application drivers on the virtual desktops or RDS host.
Enabling the User Name Hint Text Box in Horizon Client
In some environments, smart card users can use a single smart card certificate to authenticate to multiple user accounts. Users enter their user name in the Username hint text box when they sign in with a smart card.
To make the Username hint text box appear on the Horizon Client login dialog box, you must enable the smart card user name hints feature in Connection Server. The smart card user name hints feature is supported only with Horizon 7 version 7.0.2 and later servers and agents. For information about enabling the smart card user name hints feature, see the VMware Horizon Console Administration document.
If your environment uses a Unified Access Gateway appliance rather than a security server for secure external access, you must configure the Unified Access Gateway appliance to support the smart card user name hints feature. The smart card user name hints feature is supported only with Unified Access Gateway 2.7.2 and later. For information about enabling the smart card user name hints feature in Unified Access Gateway, see the Deploying and Configuring Unified Access Gateway document.
Horizon Client continues to support single-account smart card certificates even when the smart card user name hints feature is enabled.
Additional Smart Card Authentication Requirements
In addition to meeting the smart card requirements for Horizon Client systems, other Horizon components must meet certain configuration requirements to support smart cards.
- Connection Server and security server hosts
-
An administrator must add all applicable Certificate Authority (CA) certificates for all trusted user certificates to a server truststore file on the Connection Server or security server host. These certificates include root certificates and, if an intermediate certificate authority issues the user's smart card certificate, must also include intermediate certificates.
For information about configuring Connection Server to support smart card use, see the VMware Horizon Console Administration document.
- Active Directory
- For information about tasks that an administrator might need to perform in Active Directory to implement smart card authentication, see the VMware Horizon Console Administration document.