Why can I not establish a PCoIP connection with my HID smartcard?

Rate this Article
Average: 1 (1 vote)

August 3, 2018

Last modified: 09/25/2023, 10:46 am

Knowledge Base Article Troubleshooting Security Zero Clients

Scenario 1

PIV smart cards do not work with PCoIP Zero Clients in pre-session. (Before a PCoIP session is established)

 

How to Identify

User cannot establish a PCoIP session using their smart card. Search the PCoIP Zero Client default logs show the following lines:

enable_prefer_gscis_over_piv_endpoint = enabled

This line is a default value and it means that:
When selected, the GSC-IS interface is used if a smart card supports more than one interface such as CAC (GSC-IS) and PIV endpoint. If a smart card supports only one interface, such as either CAC or PIV endpoint, then only the CAC or PIV endpoint interface is used regardless of this setting. This only affects smart card access performed outside of PCoIP sessions.

LVL:2 RC:-500 MGMT_VDM :(iccrm_parse_scard_cert): Issuer name to match:
LVL:2 RC: 0 MGMT_VDM :(19) <XYZ-CA (this is an example)>
LVL:2 RC:-500 MGMT_VDM :(iccrm_parse_scard_cert): Issuer didn't match any of these names:
LVL:2 RC: 0 MGMT_VDM :(0d) <XYZ-EMAIL-CA (In this example the name is different then shown above)>
LVL:2 RC: 0 MGMT_VDM :(mgmt_vdm_iccrm_scard_find_cert): Certificate is not smart card compatible. [cert_idx = 0]

 

Workaround/Fix

  1. Verify that the smartcard issuer certificate (not just the root certificate) is installed on the VCS.
  2. In the Administrator Web Interface (AWI) browse Configuration > Session.
  3. Click Show Advanced Options.
  4. Uncheck the option Prefer GSC-IS.
  5. Click Apply.
  6. Click Continue.
  7. Reset the zero client.
  8. Try to connect again.

For further reference see the Teradici support site.

 

Scenario 2

Smart cards (non PIV) do not work with PCoIP Zero Clients in pre-session. (Before a PCoIP session is established)

 

How to Identify (same as scenario 1)

User cannot establish a PCoIP session using there smart card. Search the PCoIP Zero Client default logs show the following lines:

0d,00:17:22> LVL:2 RC:-500 MGMT_VDM :(iccrm_parse_scard_cert): Issuer name to match:
0d,00:17:22> LVL:2 RC: 0 MGMT_VDM :(19) <XYZ-CA (this is an example)>
0d,00:17:22> LVL:2 RC:-500 MGMT_VDM :(iccrm_parse_scard_cert): Issuer didn't match any of these names:
0d,00:17:22> LVL:2 RC: 0 MGMT_VDM :(0d) <XYZ-EMAIL-CA (In this example the name is different then shown above)>
0d,00:17:22> LVL:2 RC: 0 MGMT_VDM :(mgmt_vdm_iccrm_scard_find_cert): Certificate is not smart card compatible. [cert_idx = 0]

 

Workaround/Fix

Verify that the smartcard issuer certificate (not just the root certificate) is installed on the VCS.

Note: The certificate checking process differs between View Client and the PCoIP Zero Client with respect to the certificate chain requirements. The PCoIP Zero Client requires the full issuing certificate chain to be installed on the VCS (root cert plus all intermediate certs).

Here is a link to VMware documentation on how to add the issuer certificate to the VCS (applicable to the smartcard certificate not just the root):

https://docs.vmware.com/en/VMware-Horizon-7/7.6/horizon-administration/GUID-965A7946-605E-40A9-8808-32D27C318F70.html

 

See also:

Why does my pre-session smart card authentication fail with my PCoIP Zero Client but not my VMware View client?

PCoIP TROUBLESHOOTING STEPS: Smart cards and Proximity cards