Why does my pre-session smart card authentication fail with my PCoIP Zero Client but not my VMware Horizon client?

Problem

You cannot establish a PCoIP session using your smart card in pre-session with a PCoIP Zero Client, but you are successful when using a VMware Horizon client.

Note: Make sure that your smart card and smart card reader meet the requirements listed in "PCoIP Zero Client requirements to support pre-session smart card authentication when connecting to VMware Horizon plus supported card readers and smart cards".

 

Cause

The configuration on the VMware Connection Server is incorrect. You can confirm this by looking for the following lines in the PCoIP Zero Client log:

0d,00:17:22> LVL:2 RC:-500 MGMT_VDM :(iccrm_parse_scard_cert): Issuer name to match:
0d,00:17:22> LVL:2 RC: 0 MGMT_VDM :(19) <XYZ-CA (this is an example)>
0d,00:17:22> LVL:2 RC:-500 MGMT_VDM :(iccrm_parse_scard_cert): Issuer didn't match any of these names:
0d,00:17:22> LVL:2 RC: 0 MGMT_VDM :(0d) <XYZ-EMAIL-CA (In this example the name is different than shown above)>
0d,00:17:22> LVL:2 RC: 0 MGMT_VDM :(mgmt_vdm_iccrm_scard_find_cert): Certificate is not smart card compatible. [cert_idx = 0]
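To check a collected Zero Client log for this condition, the following added example (not part of the original article or of any vendor tool) extracts the card certificate's issuer and the issuer names it was compared against. It assumes the line shapes shown in the excerpt above; the function name and the sample log are constructed for illustration.

```python
import re

# Line shapes follow the log excerpt above; other firmware may differ (assumption).
NAME_RE = re.compile(r"MGMT_VDM\s*:\([0-9a-fA-F]+\)\s*<(.*)>\s*$")
IDX_RE = re.compile(r"\[cert_idx = (\d+)\]")

# Constructed sample log, modelled on the excerpt above (names are placeholders).
SAMPLE_LOG = """\
0d,00:17:21> LVL:2 RC:   0 MGMT_VDM :unrelated line (constructed)
0d,00:17:22> LVL:2 RC:-500 MGMT_VDM :(iccrm_parse_scard_cert): Issuer name to match:
0d,00:17:22> LVL:2 RC:   0 MGMT_VDM :(06) <XYZ-CA>
0d,00:17:22> LVL:2 RC:-500 MGMT_VDM :(iccrm_parse_scard_cert): Issuer didn't match any of these names:
0d,00:17:22> LVL:2 RC:   0 MGMT_VDM :(0c) <XYZ-EMAIL-CA>
0d,00:17:22> LVL:2 RC:   0 MGMT_VDM :(0b) <XYZ-ROOT-CA>
0d,00:17:22> LVL:2 RC:   0 MGMT_VDM :(mgmt_vdm_iccrm_scard_find_cert): Certificate is not smart card compatible. [cert_idx = 0]
"""


def find_issuer_mismatches(log_text):
    """Return one record per rejected card certificate in a Zero Client log."""
    findings, card, trusted, mode = [], None, [], None
    for line in log_text.splitlines():
        name = NAME_RE.search(line)
        if "Issuer name to match:" in line:
            card, trusted, mode = None, [], "card"
        elif "Issuer didn't match any of these names:" in line:
            mode = "trusted"
        elif "Certificate is not smart card compatible" in line:
            idx = IDX_RE.search(line)
            if card is not None:
                findings.append({
                    "cert_idx": int(idx.group(1)) if idx else None,
                    "card_issuer": card,         # issuer on the card's certificate
                    "trusted_issuers": trusted,  # names it was compared against
                })
            card, trusted, mode = None, [], None
        elif name and mode == "card":
            card, mode = name.group(1), None     # exactly one name follows the header
        elif name and mode == "trusted":
            trusted.append(name.group(1))
    return findings


if __name__ == "__main__":
    for f in find_issuer_mismatches(SAMPLE_LOG):
        print(f"cert {f['cert_idx']}: issuer {f['card_issuer']!r} is not among "
              f"{f['trusted_issuers']}; add its certificate to the VCS truststore")
```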

 

Resolution

Make sure that the issuer certificate of the smart card certificate has been added to the VMware Connection Server (VCS) truststore file (.key).

  1. Verify that the smart card issuer certificate (not just the root certificate) is installed in the VCS truststore.

    The following VMware documentation shows how to add the issuer certificate to the VCS (this applies to the smart card certificate, not just the root certificate):

    https://docs.vmware.com/en/VMware-Horizon-7/7.6/horizon-administration/GUID-965A7946-605E-40A9-8808-32D27C318F70.html

    Here is an example of how to add a certificate to the truststore file on the VCS using the command line:

    C:\Program Files\VMware\VMware View\Server\sslgateway\conf\>keytool -import -file .cer -keystore truststorefile.key
    Enter keystore password:
    Certificate was added to keystore

  2. Ensure the attributes of the "locked.properties" file are set properly.

    Sample of locked.properties file:

    trustKeyfile=truststorefile.key
    trustStoretype=JKS
    useCertAuth=true

    Note: The trustKeyfile attribute must point to the correct .key file.

  3. Connect to the VCS from the zero client. 

Note: The certificate checking process differs between (Horizon) View Client and the PCoIP Zero Client with respect to the certificate chain requirements. The PCoIP Zero Client requires the full issuing certificate chain to be installed on the VCS (root certificate plus all intermediate certificates).

 

See also:

PCoIP TROUBLESHOOTING STEPS: Smart cards and Proximity cards