Smart cards

Smart cards and equivalent technologies are supported within the guidelines described in this article. To use smart cards with Citrix Virtual Apps or Citrix Virtual Desktops:

  • Understand your organization’s security policy concerning the use of smart cards. These policies might, for example, state how smart cards are issued and how users must safeguard them. Some aspects of these policies might need to be reassessed in a Citrix Virtual Apps or Citrix Virtual Desktops environment.
  • Determine which user device types, operating systems, and published applications are to be used with smart cards.
  • Familiarize yourself with smart card technology and your selected smart card vendor hardware and software.
  • Know how to deploy digital certificates in a distributed environment.

Note:

Smart card enrollment is not supported with fast smart card. Smart card enrollment might work when fast smart card is disabled, but depends on the type of smart card and middleware. Contact your smart card and middleware vendor for information on their integration with Citrix Virtual Apps and Desktops and support for smart card enrollment over virtual sessions.

Types of smart cards

Enterprise and consumer smart cards have the same dimensions and electrical connectors, and fit the same smart card readers.

Smart cards for enterprise use contain digital certificates. These smart cards support Windows Logon, and can also be used with applications for digital signing and encryption of documents and email. Citrix Virtual Apps and Desktops support these uses.

Smart cards for consumer use do not contain digital certificates; they contain a shared secret. These smart cards can support payments (such as a chip-and-signature or chip-and-PIN credit card). They do not support Windows Logon or typical Windows applications. Specialized Windows applications and a suitable software infrastructure (including, for example, a connection to a payment card network) are needed for use with these smart cards. Contact your Citrix representative for information on supporting these specialized applications on Citrix Virtual Apps or Citrix Virtual Desktops.

For enterprise smart cards, there are compatible equivalents that can be used in a similar way.

  • A smart card-equivalent USB token connects directly to a USB port. These USB tokens are usually the size of a USB flash drive, but can be as small as a SIM card used in a mobile phone. They appear as the combination of a smart card plus a USB smart card reader.
  • A virtual smart card using a Windows Trusted Platform Module (TPM) appears as a smart card. These virtual smart cards are supported for Windows 8 and Windows 10, using Citrix Workspace app (minimum version Citrix Receiver 4.3).
    • Versions of Citrix Virtual Apps and Desktops (formerly XenApp and XenDesktop) earlier than XenApp and XenDesktop 7.6 FP3 do not support virtual smart cards.
    • For more information on virtual smart cards, see Virtual Smart Card Overview.

    Note: The term “virtual smart card” is also used to describe a digital certificate stored on the user computer. These digital certificates are not strictly equivalent to smart cards.

Citrix Virtual Apps and Desktops smart card support is based on the Microsoft Personal Computer/Smart Card (PC/SC) standard specifications. A minimum requirement is that smart cards and smart card devices must be supported by the underlying Windows operating system and must be approved by the Microsoft Windows Hardware Quality Labs (WHQL) to be used on computers running qualifying Windows operating systems. See the Microsoft documentation for additional information about hardware PC/SC compliance. Other types of user devices might comply with the PC/SC standard. For more information, refer to the Citrix Ready program.

Usually, a separate device driver is needed for each vendor’s smart card or equivalent. However, if smart cards conform to a standard such as the NIST Personal Identity Verification (PIV) standard, it might be possible to use a single device driver for a range of smart cards. The device driver must be installed on both the user device and the Virtual Delivery Agent (VDA). The device driver is often supplied as part of a smart card middleware package available from a Citrix partner; the smart card middleware package offers advanced features. The device driver might also be described as a Cryptographic Service Provider (CSP), Key Storage Provider (KSP), or minidriver.

The following smart card and middleware combinations for Windows systems have been tested by Citrix as representative examples of their type. However, other smart cards and middleware can also be used. For more information about Citrix-compatible smart cards and middleware, see http://www.citrix.com/ready.

Middleware                          Matching cards
Gemalto Mini Driver for .NET card   Gemalto .NET v2+

For information about smart card usage with other types of devices, see the Citrix Workspace app documentation for that device.

Remote PC Access

Smart cards are supported only for remote access to physical office PCs running Windows 10, Windows 8 or Windows 7.

The following smart cards were tested with Remote PC Access:

Middleware                Matching cards
Gemalto .NET minidriver   Gemalto .NET v2+

Fast smart card

Fast smart card is an improvement over the existing HDX PC/SC-based smart card redirection. It improves performance when smart cards are used in high-latency WAN situations. When latency is high, the performance improvement can be significant (for example, 15 seconds for a Windows fast smart card logon versus more than 1 minute with the PC/SC-based smart card redirection).

Fast smart card is enabled by default on host machines with currently supported Windows VDAs. To disable Fast Smart Card on the host-side—for example for diagnostic purposes—set the ‘Disable Cryptographic Redirection’ registry setting to any non-zero value:

HKLM\SOFTWARE\Citrix\SmartCard
CryptographicRedirectionDisable (DWORD)
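
A diagnostic override like this is easy to leave in place, so it helps to be able to report and reset it on each VDA. The following PowerShell is an added example, not Citrix code: the function names are hypothetical, and only the key path and value name come from this article.

```powershell
# Added example; function names are hypothetical. Run elevated on the VDA.
$KeyPath   = 'HKLM:\SOFTWARE\Citrix\SmartCard'
$ValueName = 'CryptographicRedirectionDisable'

function Get-FastSmartCardState {
    # A missing key or value, or a value of 0, means this setting does not
    # disable fast smart card; any non-zero value disables it.
    $raw = $null; $kind = $null
    if (Test-Path -Path $KeyPath) {
        $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $raw  = $prop.$ValueName
            $kind = (Get-Item -Path $KeyPath).GetValueKind($ValueName)
        }
    }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ValuePresent       = ($null -ne $raw)
        ValueKind          = $kind      # the article specifies DWORD
        RawValue           = $raw
        DisabledByRegistry = ($null -ne $raw -and $raw -ne 0)
    }
}

function Set-FastSmartCardDisabled {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][bool]$Disabled)

    if ($Disabled) {
        # Create the key if needed, then write a non-zero DWORD.
        if (-not (Test-Path -Path $KeyPath)) {
            if ($PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
                New-Item -Path $KeyPath -Force | Out-Null
            }
        }
        if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set DWORD to 1')) {
            New-ItemProperty -Path $KeyPath -Name $ValueName `
                -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
    elseif (Test-Path -Path $KeyPath) {
        # Removing the value returns the VDA to its default behaviour.
        if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Remove value')) {
            Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        }
    }
}

Get-FastSmartCardState
```

Calling `Set-FastSmartCardDisabled -Disabled $true -WhatIf` previews the change without writing to the registry.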