Getting USB Smart Card Readers to Work with Citrix XenDesktop
Even if you only have a moderately sized VDI deployment chances are high you will face the problem of getting USB smart card readers to work on the virtual desktops. Given that this is such a basic requirement it is astonishingly hard to implement correctly. To save you the pain of having to start from scratch here is my description of how to do it.
Basics
Smart card readers are USB devices, so the only thing you have to do is plug them into the thin or fat client sitting on your desk and Citrix XenDesktop auto-magically makes them appear in your virtual desktop, right? Wrong. We are going to get to that magic, but we have got a bit of configuring to do first. To auto-map smart card readers like the Reiner SCT or Omnikey devices into virtual desktops we need:
- USB redirection must be allowed
- A redirection rule for the device type smart card via Citrix policies
- A redirection rule for the device type smart card on the end user device
- The USB redirection module must be enabled on the end user device (applies to some Linux thin clients)
- Smart card hooks may have to be removed on the virtual desktop
- The Windows Smart Card service needs to be started
The following chapters elaborate on these points.
Allow USB Device Redirection
Configure a Citrix user policy to allow USB device redirection by setting ICA -> USB Devices -> Client USB device redirection to allowed.
Smart Card Redirection Rule in Citrix Policies
Add a redirection rule for smart cards to the Citrix policy setting ICA -> USB Devices -> Client USB device redirection rules:
Allow: Class=0b # smart cards
Make sure there is no deny rule overriding it.
Smart Card Redirection Rule on the End User Device
Funnily, some people seem to think that smart card readers are typically used on the end user’s device, not the virtual desktop. While this just might be true for fat clients it is downright ridiculous for thin clients. When I connect a smart card reader to a thin client I most definitely want to use it in the remote session, not on the device itself.
However, the thinking that the endpoint comes first has led to the situation that the ICA client also has redirection rules. In contrast to the rules in the Citrix policy the endpoint’s rules are even preconfigured, and in such a way that redirection of smart card readers is disabled. Obviously, we need to get rid of this.
Thin Clients with Linux ICA Client (Citrix Receiver)
USB redirection rules are stored in the file usb.conf which is located in the directory /setup/ica on Fujitsu eLux thin clients. The default content of usb.conf includes the line:
DENY: class=0b # Smartcard
Either delete that line or comment it out by putting a hash (#) in front of DENY.
Windows ICA Client (Citrix Receiver)
On a Windows machine USB redirection rules are stored in the registry value HKLM\Software\Citrix\ICA Client\GenericUSB\DeviceRules. The format of that multiline string is identical to the file usb.conf on Linux. As described above locate the entry that denies smart card redirection and either delete it or comment it out.
Enable USB Redirection Module (Linux Thin Clients)
Some Linux thin clients have a modular ICA client. Thus it is possible that the component for accessing XenApp and XenDesktop is installed, but the HDX Plug-n-Play module is missing. In case of eLux make sure to install HDX Plug-n-Play USB 2.0.
Optionally Remove Smart Card Hooks
If you have followed the steps above you have done everything that is required to get smart card readers working in your virtual desktops – theoretically. In practice it can happen that the readers do not work reliably. In that case Citrix’s smart card hooks may interfere with the redirection. This can be resolved by deleting the hooks. To do that delete the following registry keys on the virtual desktop:
- HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook [32-bit and 64-bit systems]
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook [64-bit systems]
Windows Smart Card Service
Make sure the Windows Smart Card service is started on the virtual desktops or all of the above will have no effect.
Tested Platforms and Devices
I have tested this configuration with Citrix XenDesktop 5.6. The virtual desktops were running Windows 7 x64 with the XenDesktop VDA 5.6.200. Smart card readers tested were Reiner SCT cyberJack e-com and Omnikey CardMan 3121.
More Information
CTX132716: Case Study: Preventing or Allowing Mapping of Specific USB Devices to Virtual Desktops
CTX129558: How to Redirect USB Devices in XenDesktop
25 Comments
Hi Helge, The scenario you have mentioned above is not supported by Citrix. Smartcard uses it’s own VS and re-directing it as a USB device is not supported as it could break other functionality. By default, if you have Smartcard driver (CSP, etc not reader driver) then Smartcard will automatically detected inside VDA session. I am not sure what is the use-case you are addressing here…mail me on my id if you need more info around this topic. I haven’t seen a single use-case till now where SC Reader direction is require but seen issue when user try to use it as USB devices as it breaks whole PC\SC subsytem (Citrix has its own PC\SC subsytem that works perfectly by default).
If you have an alternative configuration where Reiner SCT’s test program detects their reader successfully on the virtual desktop please post detailed instructions here.
Hi Lalit,
We have XD 5.6 and I found the smartcard reader would not redirect/pass-through from the client device (test with both standard Windows desktop and IGEL Linux thin client) without enabling USB redirection and allowing smartcard redirection via HDX User policy – I also had to remove the Smart Card hooks from the registry per Helge’s blog above. Once this was done the USB smartcard reader succesfully redirected and installed inside the XenDesktop.
However, someone else previously setup another XD 5.6 configuration where the USB smartcard reader and smartcard seem to pass directly through to the XenDesktop – in this setup nothing is installed on the XenDesktop and the smartcard is available simultaneously on both the client desktop and XenDesktop (note: when using the USB redirection per Helge’s blog the smartcard reader disappears from the client desktop and is installed directly in the XenDesktop).
It seems to me there are 2 completely different configurations available for smartcard redirection/pass-through, but I have not been able to find any documentation to get the smartcard reader and smartcard to pass directly through to the XenDesktop – please can you help? I’ve spent a few hours reading all the Citrix eDocs and they all say smartcards are not redirected by default and this has to be explicitly enabled by policy, but clearly you have found a way to get this working. Thanks.
Mark
Hi Lalit – just to be clear be installed the smartcard driver on the XenDesktop but neither the smartcard or the USB smartcard reader would redirect to XenDesktop without enabling USB redirection and allowing smartcard redirection via HDX User Policy.
Hello,
I agree with what he says Lalit. Not necessary redirection card reader device. Communicates Citrix virtual channel through the device.
To make it work you need to install the VDA management software or middleware card. The middleware communicates through a specific channel ICA with the reader.
regards
If you don’t enable USB redirection for SmartCard-Readers then they will be automatically available trough the HDX channel. You can see the redirection in the Citrix Director -> Session Details -> HDX. The SmartCard-Reader won’t appear in the Windows Device Manager then. If you enable USB redirection, the HDX channel won’t be used but the device is visible in the Windows Device Manager.
Hi,
great post. I was struggling with that last year and if i would have such post it would be lot easier. Now I have another problem with Smart Card Readers. Cleint wants tu use reader on XenApp. So I was wonderin if it is possible to use it like that. Smart Card connected to thinclient -> redirected to Xendesktop -> redirected to client XenApp ?
It might be possible, but I have not tried that so I cannot say for sure. You will have to test it.
Hi,
I followed your steps and could not get this to work unless I install a third party Smart Card software on the Virtual Desktop image (in this case Active Client). I really wanted to make this work using only the native Win7 smart card support. Any ideas?
Thanks,
Rob
Rob – We use Barclays USB smartcard readers and smartcard which are all use Gemalto middleware and smartcard drivers. If you have middleware/drivers provided by the smartcard manufacturer then I’d recommend just using that.
Smart card pass-through authentication is working in my XenDesktop 5.6 environment, however the VDIs are not writing back to the smart card during the certificate auto renewal process. Any ideas what might be breaking that part of the process?
Hi Helge – firstly thanks for a great blog, I have been referring to this several times over past couple months to get smartcard readers setup – which is now working exactly per your instructions.
We also have a previous XD 5.6 setup by someone who has since left the company where the smartcard reader and smartcard seem to pass directly through from the client to the XD without allowing smartcard redirection and without the smartcard reader installing in XD, but I have been unable to replicate this setup. I’ve been searching for hours on Citrix eDocs and onlne forums but cannot find any documentation to support this setup, everything I can find says that smartcards are not redirected by default and this has to be explictly enabled – exactly per the instructions on your blog.
I’d like to know how Lalit (see above replies to this blog) was able to get the smartcard to automatically detect inside the VDA session. We had already installed the correct smartcard driver on the XenDesktop but the USB smartcard reader was not automatically detected. Please can you let me know how this might be working or put me in contact with Lalit to find out how this is working?
Thanks a lot and keep up the great work!
Mark
Thanks for the great blog posting, Helge.
I’m using .NET smart cards with an ordinary smart card reader. In Device Manager on the local machine, the smart card is displayed as “Gemalto Minidriver for .NET smart card” and the reader “Microsoft USBCCID Smartcard Reader (WUDF)”. After connecting to the XenDesktop resource and selecting “USB” from the XenDesktop Toolbar, the only thing available is “Gemplus USB SmartCard Reader” and it will not attach.
There are a number of questions here: (1) XenDesktop obviously sees the smart card reader and has successfully made it “available” in the USB section – why will it not attach? (2) It is available as “Gemplus USB Smart Card Reader” and yet Device Manager has called it something else entirely. Why? (3) The reader only appears in the list if it’s connected after opening the session.
George.
Hey , Have you tried using IGEL UDC v5.1.110 and smart card readers while accessing your citrix enviroment both xendesktop and xenapps ?Been having an issue with smart card readers being plugged in and not being able to login . Had no issue with V4.12.100 udc but now i am seeing issue on v5 .
Hi,
Our customer has xen desktop enviroment with 1400 clients. Customer want to use smart card to login a web base application. Dont want to use it to login the thin client or virtual desktop. I did some changes on xen desktop policies and wyse end point manager.BUt couldnt see smartcard on device manager as a pass throught device.I need help abut this issue. Projects future depend on it.Thanks.
Hi,
You will not see the redirected smartcard in a sessions device manager. This is by design.
Hi, nice post! We use card readers for the Isabel banking system with a mix of Windows PC’s and thin clients. I couldn’t get the smart cards to pass through to XenDesktop 7.6 until found this article and removed the smart card hooks as detailed. It’s now working like a charm! Thanks.
Thanks for the instructions
I use Gemalto card readers. The reader redirects into Xenapp 7.6 ok when connected to a thin client but not when plugged into a PC or laptop? Any ideas?
Dear All,
We are using omnikey 3121 smart card reader to capture data from civil id (smart card ) in java based web application.
Its working fine locally in rdp session on xenapp server.When i try it from citrix session i am not able to capture all details of civil id(partial details aregetting displayed). Please help
Hi same issue than Mahammad…
RDP works fine but not in ICA…
did you find the solution?
Not sure if anyone is still looking here, but having the same issue, have followed all above but no luck.
iKey 1000 by gemalto, works in RDP not ICA (direct or via Stroefront on XenApp 7.6)
Was trying to see if there was a key to add under HKLM-Software-Citrix-ICA Client – Generic USB – Devices such as AutoRedirect for Smartcards
Any tips welcome! :-)
Hi, I’m using XenDesktop 7.8 and windows 10, but those configurations didn’t work for me. Any one had a problem using win 10 on a VM?
Hello,
Citrix VDI Windows 10, VDA 7.18.
Smart card reader is mapped correctly in Citrix VDI session, software that I use is mPollux DigiSign Client. Software will detect my card as well. When I try to authenticate to specific website within the Citrix VDI session the browser will not detect my card reader. Any advice?
This is how you do the registry part with newer VDAs(and windows 10):
https://support.citrix.com/article/CTX231743
Basically, don’t delete the smarthook keys, do this instead:
Perform the following Registry change for 64bit:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook]
“FilePathName”=”C:\\Program Files\\Citrix\\ICAService\\SCardHook.dll”
“Flag”=dword:00000002
“Settings”=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook\winlogon.exe]
“HookProcess”=dword:00000001
Perform the following Registry change for 32 bit:
[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook]
“FilePathName”=”C:\\Program Files\\Citrix\\ICAService\\SCardHook64.dll”
“Flag”=dword:00000002
“Settings”=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook\winlogon.exe]
“HookProcess”=dword:00000001