When smart card redirection is enabled on a Linux desktop, a user can authenticate into the desktop using a smart card reader connected to the local client system. To set up smart card redirection, you must perform some configuration steps.

Overview of Smart Card Redirection

Smart card redirection is supported on desktops based on virtual machines running the following Linux distributions:

  • RHEL 8.x
  • RHEL 7.x
  • Ubuntu 18.04/16.04
  • SLED 12.x SP3
  • SLES 12.x SP5/SP3

Note: RHEL 8.x desktops do not support smart card redirection and Active Directory single sign-on (SSO) at the same time. If you set up smart card redirection on a RHEL 8.x desktop, Active Directory SSO does not work.

When you install Horizon Agent, you must first disable SELinux. You must also specifically select the smart card redirection component because the component is not selected by default. For more information, see install_viewagent.sh Command-Line Options.

If the smart card redirection feature is enabled on a virtual machine, vSphere Client's USB redirection does not work with the smart card.

Smart card redirection supports only one smart card reader at a time. This feature does not work if two or more readers are connected to the client system.

Smart card redirection supports only one certificate on the card. If more than one certificate is on the card, the one in the first slot is used and the others are ignored. This behavior is a Linux limitation.

Note: Smart card redirection supports the use of PIV cards to authenticate into Linux desktops. When you use Horizon Client for Linux to authenticate the broker with a PIV card, you must configure the PIV smart card with TLSv1.2 support to avoid receiving an SSL error. Use the solution described in VMware KB article 2150470.

Note: The Smartcard SSO feature is not supported on Linux desktops.
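
The distribution list and the SELinux prerequisite above can be checked on the base virtual machine before Horizon Agent is installed. The following script is an added example, not VMware code: the function names are hypothetical, and it assumes the distribution reports itself through the standard ID and VERSION_ID fields of os-release (SLES 12 SP5 as 12.5, for example).

```shell
#!/bin/sh
# Added example (not VMware code). File paths are parameters so the checks can
# be exercised on constructed files; on a desktop pass /etc/os-release and
# /etc/selinux/config. The config file shows the boot-time setting only;
# `getenforce` reports the live state.

get_kv() {  # get_kv FILE KEY -> first value of KEY=..., quotes stripped
    sed -n "s/^$2=//p" "$1" 2>/dev/null | head -n 1 | tr -d "\"'"
}

distro_supported() {  # 0 if os-release file $1 matches the page's list
    case "$(get_kv "$1" ID):$(get_kv "$1" VERSION_ID)" in
        rhel:8|rhel:8.*|rhel:7|rhel:7.*) return 0 ;;
        ubuntu:18.04|ubuntu:16.04)       return 0 ;;
        sled:12.3)                       return 0 ;;  # SLED 12.x SP3
        sles:12.5|sles:12.3)             return 0 ;;  # SLES 12.x SP5/SP3
    esac
    return 1
}

selinux_disabled() {  # 0 if config file $1 says SELINUX=disabled
    [ -f "$1" ] || return 0   # assumption: no config file means no SELinux
    [ "$(get_kv "$1" SELINUX | tr 'A-Z' 'a-z')" = "disabled" ]
}

preflight() {  # preflight OS_RELEASE SELINUX_CONFIG; returns count of failures
    fails=0
    if ! distro_supported "$1"; then
        echo "FAIL: distribution is not in the supported list"; fails=$((fails + 1))
    fi
    if ! selinux_disabled "$2"; then
        echo "FAIL: SELinux is not disabled in $2"; fails=$((fails + 1))
    fi
    case "$(get_kv "$1" ID):$(get_kv "$1" VERSION_ID)" in
        rhel:8|rhel:8.*) echo "NOTE: RHEL 8.x: Active Directory SSO will not work alongside smart card redirection" ;;
    esac
    return "$fails"
}

# Constructed sample input (not taken from a real desktop).
demo() {
    d=$(mktemp -d)
    printf 'ID="rhel"\nVERSION_ID="8.2"\n' > "$d/os-release"
    printf '# constructed\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$d/selinux"
    preflight "$d/os-release" "$d/selinux"; r=$?
    rm -rf "$d"; return "$r"
}
demo || echo "blocking findings: $?"
```

The reader-count and certificate-count limits are not covered here because they depend on the hardware attached to the client system.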

Configuring Smart Card Redirection

To configure smart card redirection, perform the following tasks.

  1. Set up the smart card by following the instructions from the smart card vendor.
  2. Integrate the base virtual machine with an Active Directory domain, following the procedure for your Linux distribution.
  3. Configure smart card redirection on the base virtual machine, following the procedure for your Linux distribution.