After you set up smart card authentication for the first time, or when smart card authentication is not working correctly, you should verify your smart card authentication configuration.

Procedure

  • Verify that each client system has smart card middleware, a smart card with a valid certificate, and a smart card reader. For end users, verify that they have Horizon Client.
    See the documentation provided by your smart card vendor for information on configuring smart card software and hardware.
  • On each client system, select Start > Settings > Control Panel > Internet Options > Content > Certificates > Personal to verify that certificates are available for smart card authentication.

    When a user or administrator inserts a smart card into the smart card reader, Windows copies certificates from the smart card to the user's computer. Applications on the client system, including Horizon Client, can use these certificates.

  • In the locked.properties file on the Connection Server host, verify that the useCertAuth property is set to true and is spelled correctly.
    The locked.properties file is located in install_directory\VMware\VMware View\Server\sslgateway\conf. The useCertAuth property is commonly misspelled as userCertAuth.
  • If you configured smart card authentication on a Connection Server instance, check the smart card authentication setting in Horizon Console.
    1. Select Settings > Servers.
    2. On the Connection Servers tab, select the Connection Server instance and click Edit.
    3. If you configured smart card authentication for users, on the Authentication tab, verify that Smart card authentication for users is set to either Optional or Required.
    4. If you configured smart card authentication for administrators, on the Authentication tab, verify that Smart card authentication for administrators is set to either Optional or Required.
    You must restart the Connection Server service for changes to smart card settings to take effect.
  • If the domain a smart card user resides in is different from the domain your root certificate was issued from, verify that the user’s UPN is set to the SAN contained in the root certificate of the trusted CA.
    1. Find the SAN contained in the root certificate of the trusted CA by viewing the certificate properties.
    2. On your Active Directory server, select Start > Administrative Tools > Active Directory Users and Computers.
    3. Right-click the user in the Users folder and select Properties.
    The UPN appears in the User logon name text boxes on the Account tab.
  • If smart card users select the PCoIP display protocol or the VMware Blast display protocol to connect to single-session desktops, verify that the Horizon Agent component called Smartcard Redirection is installed on the single-user machines. The smart card feature lets users log in to single-session desktops with smart cards. RDS hosts, which have the Remote Desktop Services role installed, support the smart card feature automatically, so there is no need to install the feature on them.
  • Check the log files in Drive Letter:\ProgramData\VMware\log\ConnectionServer on the Connection Server host for messages stating that smart card authentication is enabled.
    Note: This file path is a symbolic link that redirects to the actual location of the log files, which is Drive Letter:\ProgramData\VMware\VDM\logs.
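
The locked.properties check from the procedure above, as an added PowerShell example (not VMware's own code): it reads the file from a path you supply, reports whether useCertAuth is set to true, and flags near-miss keys such as userCertAuth. The function name Test-UseCertAuth, the near-miss pattern, the treatment of letter-case differences as misspellings, and the sample file are assumptions made for illustration.

```powershell
# Added example: checks locked.properties for the useCertAuth setting.
# The caller supplies the path, because install_directory differs per deployment.
function Test-UseCertAuth {
    param(
        [Parameter(Mandatory)] [string] $Path   # full path to locked.properties
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Ok = $false; Findings = @("File not found: $Path") }
    }

    $findings = New-Object System.Collections.Generic.List[string]
    $value = $null
    $lineNo = 0
    foreach ($line in Get-Content -LiteralPath $Path) {
        $lineNo++
        $text = $line.Trim()
        # Skip blank lines and properties-file comments (# or !).
        if ($text -eq '' -or $text -match '^[#!]') { continue }
        # Accept "key=value" and "key: value" forms.
        if ($text -notmatch '^(?<key>[^=:\s]+)\s*[=:]\s*(?<val>.*)$') { continue }
        $key = $Matches['key']
        $val = $Matches['val'].Trim()

        if ($key -ceq 'useCertAuth') {
            $value = $val                       # exact, case-sensitive spelling
        }
        elseif ($key -match '^use.*cert.*auth$') {
            # Assumption: anything resembling the key (userCertAuth, usecertauth)
            # is reported as a misspelling of useCertAuth.
            $findings.Add("Line ${lineNo}: '$key' is not spelled 'useCertAuth'")
        }
    }

    if ($null -eq $value) { $findings.Add('useCertAuth is not set') }
    elseif ($value -ne 'true') { $findings.Add("useCertAuth is '$value', expected 'true'") }

    [pscustomobject]@{ Ok = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

# Constructed sample containing the misspelling the procedure warns about.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'locked.properties.sample'
Set-Content -LiteralPath $sample -Value @('# constructed sample', 'userCertAuth=true')
(Test-UseCertAuth -Path $sample).Findings
Remove-Item -LiteralPath $sample

# Against a real host, substitute the actual install directory:
# Test-UseCertAuth -Path 'install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties'
```

After correcting the file, restart the Connection Server service, as the procedure requires for smart card setting changes.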