Citrix XenApp Configuration

ActivClient is designed to support smart cards in a Citrix XenApp deployment. However, there is no specific ActivClient configuration required for Citrix deployments.

Citrix provides a large set of documentation about XenApp configuration for smart card deployments. This section provides pointers to these Citrix documents and configuration recommendations. For the most current documentation, go to the official Citrix web site.

To decide which Citrix client is needed for your deployment, see http://support.citrix.com/proddocs/topic/online-plugin-112-windows/ica-clients-deciding-v2.html. The Citrix Online plug-in is recommended for smart card services.

To configure Citrix Web Interface with smart card authentication, see http://support.citrix.com/proddocs/topic/web-interface-impington/wi-authenticate-wrapper-gransden.html. Choose Smart card or Pass-through with smart card depending on your configuration.

This document also includes the following authentication recommendations:

If you plan to enable pass-through, pass-through with smart card, or smart card authentication, be aware of the following:

  • If users log on to their computers using smart cards and you want to enable pass-through authentication, select the option to use Kerberos authentication.

  • If users log on to their computers using explicit credentials, do not enable smart card or pass-through with smart card authentication for those users to access the Web Interface.

Note:

Users who log on to Windows using explicit credentials and then subsequently access a site configured for pass-through with smart card authentication are presented with a Welcome to Windows dialog box when accessing resources. To cancel this dialog box, users must press right-ALT (ALT GR) + DELETE. Citrix recommends creating separate sites for users logging on with smart cards and users logging on with explicit credentials.

To enable smart card authentication for Web Interface, see http://support.citrix.com/proddocs/topic/web-interface-impington/wi-enable-smart-card-authentication-gransden.html.

As you configure Microsoft Windows for the smart card removal behavior, you also need to configure the smart card removal behavior for Citrix sessions. To enable smart card authentication for XenApp Services sites:

  1. From the Windows Start menu, point to All Programs, Citrix, Management Consoles and then select Citrix Web Interface Management.

  2. In the left pane of the Citrix Web Interface Management console, click XenApp Services Sites and select your site in the results pane.

  3. In the Action pane, click Authentication Methods and select the Smart card or Pass-through with smart card option, as appropriate.

  4. Click Properties and select Roaming.

  5. To configure the behavior of the Web Interface when a smart card is removed, select Enable roaming and choose one of the following options:

     • To disconnect a user’s session when the smart card is removed, select Disconnect sessions when smart card removed.

     • To log off a user’s session when the smart card is removed, select Log off sessions when smart card removed.

  6. If you enabled pass-through with smart card authentication and you want to use Kerberos authentication between the plug-in and the XenApp Services site, click Kerberos Authentication and select the Use Kerberos to authenticate to the XenApp Services site option.

Citrix Related Registry Values

Reader List Polling Period

Description: This registry value determines how often ActivClient checks for reader plugging/unplugging in an RDP or Citrix session.

Default Values: 30000 milliseconds

Registry Key: ReaderListPollingPeriod

Comments:

The DWORD value indicates how often ActivClient checks for reader plugging/unplugging in an RDP or Citrix session using calls to the Microsoft Smart Card Service (SCardSvr). On slow networks (such as UMTS or satellite connections), where such calls may take several hundred milliseconds, you may want to increase ReaderListPollingPeriod. Set this value in milliseconds.

Note: This key is only necessary on RDP/Citrix servers. When ActivClient is installed on user workstations, ActivClient uses specific Windows device APIs to manage the detection of reader plugging/unplugging.

Registry Path:

HKEY_LOCAL_MACHINE\SOFTWARE\HID Global\SnapIns\EventService\EventsMonitoring\SCard
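
The following PowerShell is an added example, not part of the vendor documentation: it reads ReaderListPollingPeriod on an RDP/Citrix server and changes it with `-WhatIf` support so the change can be previewed first. The registry path, value name, DWORD type and 30000 ms default come from this page; the function names, the range check and the treatment of an absent value as "default applies" are assumptions.

```powershell
# Added example, not vendor code. Path, value name, DWORD type and the
# 30000 ms default are taken from this page; function names are hypothetical.
$script:ScardKey  = 'HKLM:\SOFTWARE\HID Global\SnapIns\EventService\EventsMonitoring\SCard'
$script:ValueName = 'ReaderListPollingPeriod'
$script:DefaultMs = 30000

function Get-ReaderListPollingPeriod {
    # Returns the configured period, or the documented default when the value
    # is absent (assumption: an absent value means the default is in effect).
    $item = Get-ItemProperty -Path $ScardKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Milliseconds = $DefaultMs; Source = 'default (value not set)' }
    }
    [pscustomobject]@{ Milliseconds = [uint32]$item.$ValueName; Source = 'registry' }
}

function Set-ReaderListPollingPeriod {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 2147483647)]   # constructed sanity bound, not a vendor limit
        [int]$Milliseconds
    )
    $before = (Get-ReaderListPollingPeriod).Milliseconds
    if ($PSCmdlet.ShouldProcess($ScardKey, "Set $ValueName from $before to $Milliseconds ms")) {
        # Create the key if the installer did not, then write the DWORD value.
        if (-not (Test-Path -Path $ScardKey)) {
            New-Item -Path $ScardKey -Force | Out-Null
        }
        New-ItemProperty -Path $ScardKey -Name $ValueName -PropertyType DWord `
            -Value $Milliseconds -Force | Out-Null
    }
    # Report what is actually stored after the (possibly skipped) write.
    Get-ReaderListPollingPeriod
}

# Preview a longer period for a slow link without writing anything
# (60000 is a constructed sample value, not a recommendation):
Set-ReaderListPollingPeriod -Milliseconds 60000 -WhatIf
```

Run it from an elevated session on the RDP/Citrix server; remove `-WhatIf` to apply the change.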