[THIN] KB: CTX105027 - Overview of the Citrix Support for Smart Card Software

  • From: "Jim Kenzig kenzig.com" <jkenzig@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Thu, 16 Dec 2004 19:24:57 -0800 (PST)

CTX105027 - Overview of the Citrix Support for Smart Card Software 

This document was published at: 
http://support.citrix.com/kb/entry.jspa?externalID=CTX105027 


Document ID: CTX105027, Created on: Nov 30, 2004, Updated: Dec 16, 2004 
Products: Citrix MetaFrame XP 1.0 for Microsoft Windows 2000 
 
Citrix MetaFrame smart card support works with an existing smart card 
implementation by hooking the Microsoft Windows smart card (PC/SC) APIs.

Citrix MetaFrame (with Microsoft Terminal Services) is a true multi-user, 
multi-session environment, where multiple instances of the smart card software 
are loaded and executed simultaneously.

The smart card software may include:

• A smart card Cryptographic Service Provider (CSP) 

• A smart card GINA 

• Other smart card user software 

• Other smart card administrator software

PC/SC - Winscard Compatibility

The smart card software must use only the PC/SC interface, not other 
interfaces (proprietary or standard) to the smart card. Citrix MetaFrame only 
intercepts the PC/SC interface; it does not replace the standard Microsoft 
Winscard.dll.

More specifically, Citrix MetaFrame supports only PKCS #11 smart card 
applications that do not bypass the PC/SC interface. Many PKCS #11 
implementations use interfaces that do bypass PC/SC.

Rather than using global variables, the smart card software must use 
per-session variables.

Citrix MetaFrame intercepts PC/SC - Winscard calls. When it intercepts a call, 
it uses the Windows Terminal Services interface to determine which Terminal 
Services session the call is associated with.

In case the software uses timeouts for smart card operations, these timeouts 
must be configurable to deal with possible high network latencies.

The smart card software should support:

• Console smart card logons at the Citrix MetaFrame server itself 

• Client smart card logons through an ICA or RDP connection (Winstations)

The smart card software may include a driver for smart card readers, a driver 
for smart cards, or both. The driver for the smart card reader must be 
installed on the client machine, and the driver for the smart card must be 
installed on the Citrix MetaFrame server. It is therefore desirable that these 
drivers can be installed separately. If the software supports smart card 
console logon at the MetaFrame server, the driver for the smart card reader 
must be installed on the MetaFrame server, as usual.

For performance reasons, Citrix MetaFrame by default intercepts smart card 
logon only. It does not by default intercept the application usage of smart 
cards. Citrix MetaFrame includes the utility SCCONFIG to configure which 
applications will use smart cards.

Microsoft Windows 2000 and later versions of Microsoft Windows include a 
standard GINA which supports smart card logon. (Refer to Security/Logon 
Authentication/Winlogon and GINA in the Microsoft Platform SDK).

If possible, the software should use this standard smart card GINA rather than 
implementing an alternative smart card GINA.

However, if you do need to provide an alternative smart card GINA, it should be 
implemented as a stub, which is called first, then passes through to the 
standard GINA DLL. The Microsoft Platform SDK shows examples of both kinds of 
implementations.

The standard GINA for Windows 2000 Advanced Server has multi-user support for 
Terminal Services. This multi-user support is needed whether or not Citrix 
MetaFrame is used.

The ICA clients use PC/SC software and smart card reader drivers installed on 
the client device.

Your smart card software may include components which are installed:

• On the ICA client device

• On the Citrix MetaFrame server

• On other machines (for example, on a machine dedicated to smart card 
administration)

Note that the smart card reader at the client workstation does not need to be 
mapped into the session as a client device for authentication to take place 
when logging on to a MetaFrame server.

Also, the CSP installed on the Citrix MetaFrame server and corresponding to the 
smart card has to be multi-user aware.

More Information

Refer to the Microsoft white paper "Smart Cards":

http://www.microsoft.com/windows2000/techinfo/howitworks/security/smart.asp
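The two requirements the article puts on the smart card software, per-session state instead of global variables and a timeout that can be raised for high-latency links, as an added C example. This is not Citrix code and is not part of the KB article; the session IDs, reader names and the 5000 ms default are constructed stand-ins. On a Windows host the session ID would come from ProcessIdToSessionId() and the reader names from SCardListReaders(); neither is called here, so the file builds with any C compiler.

```c
/* Added example, not Citrix code: per-session smart card state on a
 * multi-session Terminal Services host. Session IDs, reader names and the
 * default timeout are constructed stand-ins (assumptions, not real values). */
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS       8
#define DEFAULT_TIMEOUT_MS 5000UL   /* assumed default; raised per session for slow links */

typedef struct {
    int           in_use;
    unsigned long session_id;   /* Terminal Services session owning this state */
    char          reader[64];   /* reader name as seen from that session's client */
    unsigned long timeout_ms;   /* per-operation timeout, configurable per session */
} sc_state;

/* ---- Anti-pattern: one global slot shared by every session ---- */
static sc_state g_global;

/* Whichever session binds last silently overwrites the state for everyone. */
const char *global_bind_reader(unsigned long session_id, const char *reader)
{
    g_global.in_use = 1;
    g_global.session_id = session_id;
    strncpy(g_global.reader, reader, sizeof g_global.reader - 1);
    g_global.reader[sizeof g_global.reader - 1] = '\0';
    return g_global.reader;
}

const char *global_current_reader(unsigned long session_id)
{
    (void)session_id;           /* the caller's session is never consulted */
    return g_global.in_use ? g_global.reader : NULL;
}

/* ---- Correct pattern: state table keyed by the caller's session ID ---- */
static sc_state g_sessions[MAX_SESSIONS];

static sc_state *lookup(unsigned long session_id, int create)
{
    int i, free_slot = -1;
    for (i = 0; i < MAX_SESSIONS; i++) {
        if (g_sessions[i].in_use && g_sessions[i].session_id == session_id)
            return &g_sessions[i];
        if (!g_sessions[i].in_use && free_slot < 0)
            free_slot = i;
    }
    if (!create || free_slot < 0)
        return NULL;                /* unknown session, or table full */
    memset(&g_sessions[free_slot], 0, sizeof g_sessions[free_slot]);
    g_sessions[free_slot].in_use     = 1;
    g_sessions[free_slot].session_id = session_id;
    g_sessions[free_slot].timeout_ms = DEFAULT_TIMEOUT_MS;
    return &g_sessions[free_slot];
}

/* 0 on success, -1 if no slot is available for a new session. */
int session_bind_reader(unsigned long session_id, const char *reader)
{
    sc_state *s = lookup(session_id, 1);
    if (!s) return -1;
    strncpy(s->reader, reader, sizeof s->reader - 1);
    s->reader[sizeof s->reader - 1] = '\0';
    return 0;
}

/* Reader bound by this session only, or NULL if it has none. */
const char *session_current_reader(unsigned long session_id)
{
    sc_state *s = lookup(session_id, 0);
    return (s && s->reader[0]) ? s->reader : NULL;
}

unsigned long session_timeout(unsigned long session_id)
{
    sc_state *s = lookup(session_id, 0);
    return s ? s->timeout_ms : DEFAULT_TIMEOUT_MS;
}

/* Per-session override, e.g. for a client behind a high-latency WAN link. */
int session_set_timeout(unsigned long session_id, unsigned long timeout_ms)
{
    sc_state *s = lookup(session_id, 1);
    if (!s) return -1;
    s->timeout_ms = timeout_ms;
    return 0;
}

/* Release the slot at logoff so a later session cannot inherit it; 1 if released. */
int session_logoff(unsigned long session_id)
{
    sc_state *s = lookup(session_id, 0);
    if (!s) return 0;
    memset(s, 0, sizeof *s);
    return 1;
}

int main(void)
{
    /* Constructed scenario: two ICA sessions, each with its own client reader. */
    global_bind_reader(1, "Reader-A");
    global_bind_reader(2, "Reader-B");
    printf("global state : session 1 now sees %s\n", global_current_reader(1));

    session_bind_reader(1, "Reader-A");
    session_bind_reader(2, "Reader-B");
    session_set_timeout(2, 30000UL);
    printf("per-session  : session 1 sees %s (%lu ms), session 2 sees %s (%lu ms)\n",
           session_current_reader(1), session_timeout(1),
           session_current_reader(2), session_timeout(2));
    session_logoff(1);
    printf("after logoff : session 1 has %s\n",
           session_current_reader(1) ? session_current_reader(1) : "no state");
    return 0;
}
```

The global variant is the failure mode the article warns about: once a second session binds its reader, the first session's calls are answered with the wrong reader. The keyed table gives each Terminal Services session its own reader and its own timeout, and clearing the slot at logoff keeps a later session from inheriting a stale binding.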
