Client devices that use a smart card for user authentication must meet certain requirements.
Using the Derived Credentials Feature
To use the derived credentials feature, a Horizon administrator must install smart card middleware on the virtual desktops or RDS host that hosts published desktops. No other middleware for PIV cards must be installed on the same virtual desktops or RDS host. VMware has tested Charismathics CSSI/CSTC 5.2.2 and ActivClient 7.1. The Windows Inbox Smart Card Minidriver is not supported.
On the client device, you must use the Purebred app to create a derived credential and provision the credential to the client device, create a virtual smart card, and pair the virtual smart card with the smart card middleware installed on the remote desktop. For information, see Create a Virtual Smart Card and Pair a Virtual Smart Card with Smart Card Middleware.
Enabling the User Name Hint Text Box in Horizon Client
In some environments, smart card users can use a single smart card certificate to authenticate to multiple user accounts. Users enter their user name in the Username hint text box when they sign in with a smart card.
To make the Username hint text box appear on the Horizon Client login dialog box, you must enable the smart card user name hints feature in Connection Server. For information about enabling the smart card user name hints feature, see the Horizon Administration document.
If your environment uses a Unified Access Gateway appliance for secure external access, you must configure the Unified Access Gateway appliance to support the smart card user name hints feature. The smart card user name hints feature is supported only with Unified Access Gateway 2.7.2 and later. For information about enabling the smart card user name hints feature in Unified Access Gateway, see the Deploying and Configuring VMware Unified Access Gateway document.
Horizon Client continues to support single-account smart card certificates even when the smart card user name hints feature is enabled.
Additional Smart Card Authentication Requirements
In addition to meeting the smart card requirements for Horizon Client systems, other Horizon components must meet certain configuration requirements to support smart cards.
- Connection Server and security server hosts
-
An administrator must add all applicable Certificate Authority (CA) certificate chains for all trusted user certificates to a server truststore file on the Connection Server host or, if a security server is used, on the security server host. These certificate chains include root certificates and, if an intermediate certificate authority issues the user's smart card certificate, must also include intermediate certificates.
For information about configuring Connection Server to support smart card use, see the Horizon Administration document.
- Unified Access Gateway appliances
- For information about configuring smart card authentication on a Unified Access Gateway appliance, see the Deploying and Configuring VMware Unified Access Gateway document.
- Active Directory
- For information about tasks that an administrator might need to perform in Active Directory to implement smart card authentication, see the Horizon Administration document.