Logging In with a Smart Card – works from Windows but not from PCoIP zero clients

This post was originally published on this site

Horizon 7.10, single connection server, full VMs with Windows 10 64bit build 1903.

Horizon agent is installed with PCoIP smart card redirection feture and without USB redirection.

 

When connecting from laptops installed with various versions of Windows 10, the smart card login works as it should.

You select connection server, enter PIN and you get connected and logged into your Windows desktop.

 

C:Userstest.one>certutil -scinfo

The Microsoft Smart Card Resource Manager is running.

Current reader/card status:

Readers: 1

  0: Gemalto USB SmartCard Reader 0

— Reader: Gemalto USB SmartCard Reader 0

— Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED

— Status: The card is available for use.

—   Card: IDPrime MD T=0

—    ATR:

        3b 7f 96 00 00 80 31 80  65 b0 85 03 00 ef 12 0f   ;…..1.e…….

        fe 82 90 00                                        ….

 

 

=======================================================

Analyzing card in reader: Gemalto USB SmartCard Reader 0

 

————–===========================————–

================ Certificate 0 ================

— Reader: Gemalto USB SmartCard Reader 0

—   Card: IDPrime MD T=0

Provider = Microsoft Base Smart Card Crypto Provider

Key Container = te-b2f6aac3-2a61-4c6e-8b81-fbcaf5ca6fc8

 

 

… snip…

 

 

Done.

CertUtil: -SCInfo command completed successfully.

 

 

When connecting from Zero clients (terra 2), to the same desktops using same smartcard reader and card, initially looks like it would work.

When you insert smart card into the reader, the client starts automatically connecting to the server and prompts for PIN. Once you enter the PIN you get to select the pool and after you click connect you land on to the windows login screen, where you must enter password.

So basically looks like smart card checks up against connection server since you are connected without asking for username and password, but then windows don’t see the smart card to perform loging into the desktop.

 

C:Userstest.one>certutil -scinfo

The Microsoft Smart Card Resource Manager is not running.

WaitForSingleObject: Service is in an unknown state.

CertUtil: -SCInfo command FAILED: 0x80070102 (WIN32/HTTP: 258 WAIT_TIMEOUT)

CertUtil: The wait operation timed out.

 

 

In both cases the certificates are visible in MMC certificates snappin nad can be used in web applications.

 

Any idea why wouldn’t smart card authentication worked from zero clients ? Redirection seems to work since certificates are visible in session and can be used, but then again certutil errors out in case of zero clients.

 

Thanks

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.