A smart card can be used for multiple applications, such as physical identification, logical identification, data security, digital signature, and file and disk encryption. When a smart card is combined with Novell® SecureLogin, it also enables single sign-on, which increases security and user productivity.
This article provides information about enforcing two-factor authentication with a smart card on a Citrix* server through Novell SecureLogin. The document also covers the procedure for configuring the Citrix server and client, and changes that must be done before the Citrix passthrough.
Novell SecureLogin end users who want to use a smart card (or a USB token), specify the PIN code, and enable a strong authentication method for Citrix passthrough.
The foremost benefits of using the smart card in combination with Novell SecureLogin are explained below:
Ensure that you have completed the following tasks on the Citrix server:
The following deployment environment has been used in the scenarios explained in this document.
To allow a Citrix passthrough, you must do the following:
A. Complete the mandatory tasks.
B. Set up a Citrix Server.
C. Set up a workstation.
The following sections discuss these steps in detail.
A: Mandatory Tasks
1. Ensure that the workstation is in the Active Directory domain.
2. Change the registry settings in the Citrix server as follows:
3. Create the registry key UseCNasWindowsUserInCitrix at HKLM\Software\Novell\Login\Ldap
B: Setting Up the Citrix Server
1. Install Novell SecureLogin on Citrix server and Citrix client in LDAP GINA mode.
2. At the Citrix server, publish an application by using SLLauncher.exe. For example, passwordtest.exe.
3. Log in to Novell SecureLogin as an admin user who is configured with out smart card support.
C: Setting Up the Workstation
1. Log in to Novell SecureLogin as “user3” who is configured to store the credentials on the smart card.
2. Select the NT domain (Citrix server) in the LDAP GINA.
3. From client workstation invoke the above published application by using the ICA Citrix client.
4. Specify the PIN after login.
The passthrough happens successfully, and the Password Test application launches.
Using a smart card for Citrix passthrough provides additional security for the user session.
The single sign-on data is stored on the smart card and also on the eDirectory for all the operations performed in the Citrix session.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.