by: Helge, published: Apr 10, 2013, in

Getting USB Smart Card Readers to Work with Citrix XenDesktop

Even if you only have a moderately sized VDI deployment chances are high you will face the problem of getting USB smart card readers to work on the virtual desktops. Given that this is such a basic requirement it is astonishingly hard to implement correctly. To save you the pain of having to start from scratch here is my description of how to do it.

Basics

Smart card readers are USB devices, so the only thing you have to do is plug them into the thin or fat client sitting on your desk and Citrix XenDesktop auto-magically makes them appear in your virtual desktop, right? Wrong. We are going to get to that magic, but we have got a bit of configuring to do first. To auto-map smart card readers like the Reiner SCT or Omnikey devices into virtual desktops we need:

  1. USB redirection must be allowed
  2. A redirection rule for the device type smart card via Citrix policies
  3. A redirection rule for the device type smart card on the end user device
  4. The USB redirection module must be enabled on the end user device (applies to some Linux thin clients)
  5. Smart card hooks may have to be removed on the virtual desktop
  6. The Windows Smart Card service needs to be started

The following chapters elaborate on these points.

Allow USB Device Redirection

Configure a Citrix user policy to allow USB device redirection by setting ICA -> USB Devices -> Client USB device redirection to allowed.

Smart Card Redirection Rule in Citrix Policies

Add a redirection rule for smart cards to the Citrix policy setting ICA -> USB Devices -> Client USB device redirection rules:

Allow: Class=0b # smart cards

Make sure there is no deny rule overriding it.

Client USB device redirection rules

Smart Card Redirection Rule on the End User Device

Funnily, some people seem to think that smart card readers are typically used on the end user’s device, not the virtual desktop. While this just might be true for fat clients it is downright ridiculous for thin clients. When I connect a smart card reader to a thin client I most definitely want to use it in the remote session, not on the device itself.

However, the thinking that the endpoint comes first has led to the situation that the ICA client also has redirection rules. In contrast to the rules in the Citrix policy the endpoint’s rules are even preconfigured, and in such a way that redirection of smart card readers is disabled. Obviously, we need to get rid of this.

Thin Clients with Linux ICA Client (Citrix Receiver)

USB redirection rules are stored in the file usb.conf which is located in the directory /setup/ica on Fujitsu eLux thin clients. The default content of usb.conf includes the line:

DENY: class=0b # Smartcard

Either delete that line or comment it out by putting a hash (#) in front of DENY.

Windows ICA Client (Citrix Receiver)

On a Windows machine USB redirection rules are stored in the registry value HKLM\Software\Citrix\ICA Client\GenericUSB\DeviceRules. The format of that multiline string is identical to the file usb.conf on Linux. As described above locate the entry that denies smart card redirection and either delete it or comment it out.

Enable USB Redirection Module (Linux Thin Clients)

Some Linux thin clients have a modular ICA client. Thus it is possible that the component for accessing XenApp and XenDesktop is installed, but the HDX Plug-n-Play module is missing. In case of eLux make sure to install HDX Plug-n-Play USB 2.0.

Optionally Remove Smart Card Hooks

If you have followed the steps above you have done everything that is required to get smart card readers working in your virtual desktops – theoretically. In practice it can happen that the readers do not work reliably. In that case Citrix’s smart card hooks may interfere with the redirection. This can be resolved by deleting the hooks. To do that delete the following registry keys on the virtual desktop:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook [32-bit and 64-bit systems]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook [64-bit systems]

Windows Smart Card Service

Make sure the Windows Smart Card service is started on the virtual desktops or all of the above will have no effect.

Tested Platforms and Devices

I have tested this configuration with Citrix XenDesktop 5.6. The virtual desktops were running Windows 7 x64 with the XenDesktop VDA 5.6.200. Smart card readers tested were Reiner SCT cyberJack e-com and Omnikey CardMan 3121.

More Information

CTX132716: Case Study: Preventing or Allowing Mapping of Specific USB Devices to Virtual Desktops
CTX129558: How to Redirect USB Devices in XenDesktop

Previous Article Windows Offline Files: Problems and Solutions
Next Article What are Slow Logons and Where Do They Come From?