When you enable smart card redirection on a Linux desktop, a user can authenticate into the desktop using a smart card reader connected to the local client system. To set up smart card redirection, you must perform some configuration steps.

Overview of Smart Card Redirection

Smart card redirection is supported on desktops based on virtual machines running the following Linux distributions:

  • RHEL 7.x/8.x/9.x
  • Rocky Linux 8.x/9.x
  • Ubuntu 20.04/22.04
  • Debian 10.x/11.x/12.x
  • SLED/SLES 15.x

When you install Horizon Agent, you must specifically select the smart card redirection component because the component is not selected by default. For more information, see Command-line Options for Installing Horizon Agent for Linux.

The smart card redirection feature depends on the PC/SC Lite library (pcsc-lite) to establish communication with applications on the desktop. You can use either the default PC/SC Lite library included with your desktop's distribution or a custom-built PC/SC Lite library. If you use a custom library, you must configure the /etc/vmware/config file to match the reader context and message body settings of your custom PC/SC Lite library.

If you enable the smart card redirection feature on a virtual machine, vSphere Client's USB redirection does not work with the smart card.

Smart card redirection supports only one smart card reader at a time. This feature does not work if two or more readers are connected to the client system.

Smart card redirection supports only one certificate on the card. If more than one certificate is on the card, the one in the first slot is used and the others are ignored. This behavior is a Linux limitation.

The smart card single sign-on (SSO) feature allows users to launch desktop sessions without entering their smart card credentials. The /etc/vmware/viewagent-greeter.conf configuration file contains settings related to the smart card SSO feature, as well as to the VMware greeter when SSO is deactivated . For more information, see Edit Configuration Files on a Linux Desktop.

Note: Smart card redirection supports the use of PIV cards to authenticate into Linux desktops. When you use Horizon Client for Linux to authenticate the broker with a PIV card, you must configure the PIV smart card with TLSv1.2 support to avoid receiving an SSL error.

Configuring Smart Card Redirection

To configure smart card redirection, perform the following tasks.

  1. Set up the smart card by following the instructions from the smart card vendor.
  2. Integrate the base virtual machine with an Active Directory domain, following the procedure for your Linux distribution.
  3. Configure smart card redirection on the base virtual machine, following the procedure for your Linux distribution.
  4. If you are using a custom PC/SC Lite library, configure the pcscd.maxReaderContext and pcscd.readBody options in the /etc/vmware/config file. See Edit Configuration Files on a Linux Desktop.