Reducing PIN Prompts with NetScaler Gateway and Smart Cards
Smart Cards and NetScaler Gateway are a common XenApp/XenDesktop access scenario for many of our customers – especially in the U.S. Federal space where smart card usage has been mandated for most government agencies. One of the most common requests that we get when implementing Smart Cards is to reduce the number of PIN prompts that a user receives before they can get to their Windows applications or desktops. In this article I’m going to outline what configurations result in different PIN prompts, primarily in the context of Windows-based client devices accessing the NetScaler Gateway through a web browser.
Let’s go through the different places where we expect to see a PIN prompt in a non-optimized NetScaler Gateway + Smart Card configuration:
- Authentication to NetScaler. We need to authenticate the user with their PIN + Certificate before we can do anything else on the system. This is accomplished by requiring a client certificate to make the initial SSL connection to NetScaler Gateway.
- ICA Connection to NetScaler. After a user selects a published application or desktop to launch, Citrix Receiver will connect them to the NetScaler Gateway over SSL to begin the ICA session. If the Gateway vServer asks for a client certificate, the user will receive a PIN prompt.
- Windows Authentication to Desktop or XenApp Server. If single sign-on hasn’t been configured, or isn’t available, the Windows machine hosting the application or desktop that we want to connect to will also ask for the user’s PIN to log on.
Some would say that’s a lot of prompts, and I would tend to agree. Most users expect that they authenticate only once with their PIN as this is what they are used to on their traditional local Windows devices.
The good news is…it can be done!
Based on the three PIN prompts above let’s talk about how each one can be handled:
- Authentication to NetScaler. This prompt is normally needed as it allows us to authenticate the user at the NetScaler before allowing them access to internal resources. At a minimum the user will need to select their certificate if their Smart Card is configured with multiple certs. If their PIN is cached by a middleware application from their Windows client logon (like ActivClient), then they won’t need to enter a PIN here. Otherwise we expect both a certificate selection and PIN entry here.
1st Prompt – Removable!
If the client device has middleware that supports and is configured for PIN caching, the user can bypass the PIN prompt for the initial NetScaler Gateway connection.
- ICA connection to NetScaler. This is the easiest prompt to get rid of completely, and it just requires that you set up a second NetScaler Gateway vServer that only handles ICA proxy. This NetScaler Gateway will not be configured with Client Certificate Check enabled, so the SSL ICA connection doesn’t need to prompt the user again. At Web Interface we would set up Secure Access to point to this vServer instead of the initial authentication NetScaler Gateway. For information on how to do this in StoreFront using Optimal Gateway Routing, check out Bill Hackley’s blog post:
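As an added illustration (not configuration from the original post), here is what the two-vServer layout looks like in NetScaler CLI terms: the first vServer demands the smart card certificate for authentication, while the second is ICA-only and has client certificate checking disabled so the ICA session setup does not trigger a second PIN prompt. The vServer names, IP addresses (192.0.2.x), certificate names and the STA URL are assumed placeholders.

```text
# --- Gateway 1: authentication vServer (this one prompts for the smart card) ---
add vpn vserver gw_auth SSL 192.0.2.10 443
bind ssl vserver gw_auth -certkeyName gw_server_cert
# Trust the CA that issued the smart card certificates and require a client cert
bind ssl vserver gw_auth -certkeyName smartcard_issuing_ca -CA -ocspCheck Mandatory
set ssl vserver gw_auth -clientAuth ENABLED -clientCert Mandatory
# Map the presented certificate to a user name for the session
add authentication certAction cert_act -twoFactor OFF -userNameField "Subject:CN"
add authentication certPolicy cert_pol ns_true cert_act
bind vpn vserver gw_auth -policy cert_pol -priority 100

# --- Gateway 2: ICA-proxy-only vServer (no client certificate check) ---
add vpn vserver gw_ica SSL 192.0.2.11 443 -icaOnly ON
bind ssl vserver gw_ica -certkeyName gw_server_cert
set ssl vserver gw_ica -clientAuth DISABLED
# ICA proxy still validates launches via STA tickets, so bind the STA here (assumed URL)
bind vpn vserver gw_ica -staServer https://sta.example.internal
```

Web Interface Secure Access (or StoreFront Optimal Gateway Routing) should then reference gw_ica's FQDN for ICA traffic while users continue to log on through gw_auth.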