What are the requirements to support pre-session smart card authentication when connecting to VMware Horizon (View)?
Note: With the release of PCoIP Zero Client firmware 6.1.0, the information in this knowledge base article has been moved into the PCoIP Zero Client Firmware Administrators' Guide to ensure the list is current at the time of each firmware release. See the PCoIP Zero Client Firmware Administrators' Guide for more information. This KB is no longer maintained and is here for reference for users of firmware prior to 6.1.0.
PCoIP Zero Clients support pre-session smart card authentication when connected to VMware View virtual desktops that meet the system configuration requirements listed below.
Note: Pre-session smart card authentication to remote workstations using PCoIP Remote Workstation Cards is not supported at this time.
For deployments that meet these requirements, PCoIP Zero Clients can also read and process smart card information and allow SSO (single sign-on) authentication of the user prior to session establishment.
System Requirements
When used with VMware View 4.5 or higher with smart card authentication enabled, the firmware securely transfers the attached smart card properties to the View Connection Server for authentication and SSO of a user prior to a session.
Smart Card Certificate Requirements
- Key usage must be set to digital signature
- Subject common name and/or subject alternative name (other name) must be set
- Enhanced key usage must include client authentication and/or smart card logon
- Key length must not be larger than 2048 bits
Virtual Desktop Requirements
- VMware View 4.5 or higher
- VM Guest OS: Windows XP, Vista, Win7 with VMware View Agent PCoIP smart card component installed
- PCoIP Zero Client firmware 3.2.0 or newer (smart cards supported only in later firmware releases are indicated as such)
- The Agent's PCoIP smart card component must be installed for the guest OS to see the smart card reader (this is not installed by default)
Supported USB Smart Card Readers
(Note: Not all readers will function properly with all smart card solutions.)
- Alcor AU9540-GBS (built into selected Samsung zero clients)
- Castles Technology EZM110CU (built into selected ClearCube zero clients)
- Castles Technology EZM110PU (built into selected ClearCube zero clients)
- Cherry SmartBoard keyboard
- Dell Smart Card USB keyboard SK3205
- Gemalto PC Twin HWP108765C
- Gemalto PC Twin HWP108760D
- Gemalto PC USB-SW
- HP KUS0133 Smart Card Keyboard
- Leadtek Alcor Reader
- OmniKey 3021
- OmniKey 3121
- OmniKey 5321 (Note: the 5321 CLi variant is currently not supported)
- Omnikey 5421
- Peripheral Dynamics PT-3901
- SCR331
- SCR333
- SCR335
- SCR3310
- SCR3310/v2.0
Known Smart Card Readers compatible with SC650 / SIPR
- Omnikey 3021
- Omnikey 3121
- Omnikey 5321
- ClearCube Zero Client with a built-in Omnikey 3021 reader
- Gemalto GemPC Twin
- SCM SCR3310 v2
Tested Smartcard Models
HP Anyware has tested these specific smart card models:
| Model | Specification and/or Applet | Middleware Provider | Firmware Version (Pre-Session Authentication) | Firmware Version (In-Session Use) | Comments | Processor |
|---|---|---|---|---|---|---|
| Cyberflex Access 64K V2c | HP Anyware Connector (GSC-IS) ActivClient v2.6.1 applet | ActivIdentity | 3.2.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto Access 64KV2. Note 2, 3 | Tera1, Tera2 |
| ID-One Cosmo v5.2D 64K | HP Anyware Connector (GSC-IS) ActivClient v2.6.1 applet | ActivIdentity | 3.2.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur Cosmo64 V5.2D. Note 2, 3 | Tera1, Tera2 |
| ID-One Cosmo v5.2 72K | HP Anyware Connector (GSC-IS) ActivClient v2.6.1 applet | ActivIdentity | 3.2.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur ID One V5.2. Note 2, 3 | Tera1, Tera2 |
| Cyberflex Access v2c 64K | HP Anyware Connector (GSC-IS) ActivClient v2.6.1 applet | ActivIdentity | 3.2.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto Access 64KV2. Note 2, 3 | Tera1, Tera2 |
| ID-One Cosmo v5.2D 72K | HP Anyware Connector (PIV Transitional) ActivClient v2.6.2 applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur ID One V5.2 Dual. This card has both contact and contactless interfaces. Only contact interfaces are supported. Note 2, 3 | Tera1, Tera2 |
| Gemalto GemCombiXpresso R4 dual interface | HP Anyware Connector (PIV Transitional) ActivClient v2.6.2 applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto GCX4 72K DI. This card has both contact and contactless interfaces. Only contact interfaces are supported. Note 2, 3 | Tera1, Tera2 |
| ID-One Cosmo v5.2D 72K | HP Anyware Connector (PIV Endpoint) ActivClient v2.6.2 applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur ID One V5.2 Dual. This card has both contact and contactless interfaces. Only contact interfaces are supported. Note 2, 3 | Tera1, Tera2 |
| Gemalto GemCombiXpresso R4 dual interface | HP Anyware Connector (PIV Endpoint) ActivClient v2.6.2 applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto GCX4 72K DI. This card has both contact and contactless interfaces. Only contact interfaces are supported. Note 2, 3 | Tera1, Tera2 |
| Gemalto TOP DL GX4 144K | HP Anyware Connector (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto TOP DL GX4 144K. This card has both contact and contactless interfaces. Only contact interfaces are supported. Note 2, 3 | Tera1, Tera2 |
| Oberthur ID-One Cosmo 128 v5.5 for DoD HP Anyware Connector | HP Anyware Connector (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur ID One 128 v5.5 Dual. This card has both contact and contactless interfaces. Only contact interfaces are supported. Note 2 below | Tera1, Tera2 |
| CosmopolIC 64K V5.2 | HP Anyware Connector (GSC-IS) ActivClient v2.6.2 applet | ActivIdentity | 3.2.0 and higher | 3.2.0 and higher | Note 2, 3 | Tera1, Tera2 |
| ID-One Cosmo v7.0 with Oberthur PIV Applet Suite 2.3.2 | HP Anyware Connector (PIV Endpoint) ActivClient v2.3.2 applet | ActivIdentity | 3.4.0 and higher | 3.4.0 and higher | A PIV Endpoint card uses the T=1 protocol. Note 2, 3 | Tera1, Tera2 |
| GemCombiXpresso | HP Anyware Connector (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Gemalto TOP DL GX4 72K. Note 2, 3 | Tera1, Tera2 |
| ID-One Cosmo 64 v5.2D Fast ATR with PIV application SDK | HP Anyware Connector (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Also referred to as the Oberthur CS PIV End Point v1.08 FIPS 201. Note 2, 3 | Tera1, Tera2 |
| ID-One Cosmo v7.0 128K | HP Anyware Connector (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Note 2, 3 | Tera1, Tera2 |
| SmartCafe Expert 144K DI v3.2 | HP Anyware Connector (PIV Endpoint) ActivClient v2.6.2b applet | ActivIdentity | 3.3.0 and higher | 3.2.0 and higher | Note 2, 3 | Tera1, Tera2 |
| Cyberflex Access 64K V2c | ACS PKI 1.12 | Gemalto Access Client | 4.0.0 and higher | 3.2.0 and higher | Note 3 | Tera1, Tera2 |
| Cyberflex Access 64K V2c | ACS PKI 1.14 | Gemalto Access Client | 4.0.0 and higher | 3.2.0 and higher | Note 3 | Tera1, Tera2 |
| Axalto Cryptoflex .NET | Gemalto .NET | Gemalto / Windows | 3.4.1 and higher | 3.2.0 and higher | Implements the Gemalto .NET standard. The middleware is built into Windows. Note 3 | Tera1, Tera2 |
| SIPR Token (SafeNet SC650) | Coolkey applet | 90meter | 3.5.1 and higher | 3.2.0 and higher | This card uses 3V power, which many readers do not supply. Please see the reader list for compatible readers. Note 3 | Tera1, Tera2 |
| SafeNet SC650 | SafeNet PKI | SafeNet SHAC | 4.1.0 and higher | 4.1.0 and higher | Note 3 | Tera2 |
| SafeNet SC650 Blade | SafeNet PKI | SafeNet SHAC | 5.1.0 and higher | 5.1.0 and higher | Note 3 | Tera2 |
| Atos CardOS | CardOS | CardOS API | 4.1.0 and higher | 4.1.0 and higher | Note 3 | Tera2 |
| eToken 4100 | eToken Java | SafeNet Authentication Client | 5.1.1 and higher | 5.1.1 and higher | Note 3 | Tera2 |
| eToken 5100 | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 | Tera1, Tera2 |
| eToken 5105 | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 | Tera1, Tera2 |
| eToken 5200 | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 | Tera1, Tera2 |
| eToken 5205 | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 | Tera1, Tera2 |
| eToken NG-OTP 72k | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 | Tera1, Tera2 |
| eToken 72k Pro (IN FW 4.1.0) | eToken Java | SafeNet Authentication Client | 4.1.0 and higher | 4.1.0 and higher | Note 3 | Tera1, Tera2 |
| Gemalto IDCore 3020 PIV | PIV | Windows NIST SP 800-73 [PIV] (can be provisioned with Charismathics Security Token Configurator 5.0.2) | 4.8.0 and higher | 4.8.0 and higher | Note 3. Install user cert using Charismathics STC > Key Pair > Import Key Pair from PFX-File | Tera2 |
| Buypass | Buypass Proprietary | Buypass Proprietary | 4.8.0 and higher | 4.8.0 and higher | Note 3. Requires Buypass Middleware version 6.3.0.45 or later | Tera2 |
| SIPR Token (G&D Sm@rtCafé Expert) | Coolkey applet | 90meter | 5.4.1 and higher | 3.2.0 and higher | Note 3. This G&D card works in all known readers | Tera2 |
| Gemalto IDPrime MD 830 up to Level2, IDPrime MD 840, IDPrime MD 3810 | Gemalto Proprietary | Gemalto | 5.5.0 and higher | 5.5.0 and higher | Note 3 | Tera2 |
| PIVkey C980 | PIV | Taglio PIVKey Installer-User-7.1.0.5 (https://pivkey.com/download/pkuser.zip) | 5.5.1 and higher | 4.8.0 and higher | Note 3. Install user cert using Versasec vSEC_CMS_K2.0 from certificate PFX-File. vSEC-CMS_K2.0.exe can be downloaded as part of https://pivkey.com/pkadmin.zip. Certificate can be mapped to container using pivkeytool.exe, which is also included in the Installer-Admin file in pkadmin.zip. More information from https://pivkey.zendesk.com/hc/en-us | Tera2 |
| Crescendo 144K FIPS | PIV | ActivIdentity | 5.5.1 and higher | 5.5.1 and higher | Note 3. For pre-session authentication, "Prefer GSC-IS" must be disabled in AWI Advanced Session Connection configuration | Tera2 |
| HID Crescendo 144K FIPS Standalone card | HP Anyware Connector (GSC-IS 2.1) | ActivIdentity | 6.1.0 and higher | 6.1.0 and higher | Note 3 | Tera2 |
| SafeNet eToken 5110 FIPS | eToken Java | SHAC 2.12.020 | 6.1.0 and higher | 6.1.0 and higher | Note 3 | Tera2 |
Notes:
1. Your card may be on the supported card list; however, the applet of the card may not be supported.
2. Windows 8 virtual machines require ActivClient 7.0 or newer. The old version (e.g. 6.x) will install but will not work as expected.
3. Solutions must be validated in user environments before selecting a solution, as environmental differences including network conditions or other components may impact support.
Undocumented Smart Card Support
(It is possible that cards listed in the table with the following specs may function correctly.)
For smart card authentication and SSO, the smart card must meet one of the following specifications:
- GSC-IS v2.0 and v2.1 cards (firmware 3.2.0 or higher)
- PIV transitional cards (firmware 3.4.0 or higher)
- PIV endpoint cards (firmware 3.4.0 or higher)
- Gemalto .NET
- Gemalto Access Client
- CoolKey
- CardOS 4.3b / 4.4 (excluding eToken. Supported on Tera2 with FW 4.1.0 and higher)
The communication protocol between the smart card and the reader is referred to as T=X, where X is 0 or 1. Firmware 3.2.0 and higher supports T=0. Firmware 3.4.0 and higher supports T=1.
Support for additional smart card variants will be added to future firmware releases.
Pre-session smart card authentication to remote workstations using PCoIP host cards is not supported at this time.
See also:
What is the difference between pre-session and post-session (in-session) smart card operation?
Authentication failures with my eToken/smartcard device and VMware Horizon View