5.3 Using pcProx with Citrix

You can configure pcProx to automatically populate the fields on a login dialog box, based on the proximity card. pcProx reads the card, performs an LDAP search, determines which user the card belongs to, puts the username in the Username field, looks up credential data (a tree name context, server name, NMAS sequence, NMAS clearance), places all the data into the login dialog box, then starts the login process.

Unlocking a Citrix session by using the NMAS pcProx sequence does not work. That is, if a remote Citrix session is locked by using the Secure Workstation QLL GUI or by using the Windows screen saver option, the unlock operation through the NMAS pcProx sequence does not function.

Citrix passthrough is not supported if Novell SecureLogin is installed in Novell Client mode, because Novell SecureLogin does not store the card details under the ?syspassword variable with the pcProx login method.

Scenario 1

pcProx Reader: A doctor walks to a workstation and places his pcProx card on a reader. The doctor logs in without specifying any data. The username comes from eDirectory, and the other data comes from the registry on the local workstation.

Identifying the user based on the badge is a user identification process. It is separate from the authentication process that NMAS handles. The Secure Workstation plug-in plugs into the NMAS component on the login dialog box. NMAS has its own ActiveX control on the login dialog box. It contains the username and password fields. You sometimes do not see the password field with NMAS because the NMAS client can hide it. That control can use a .dll file, which is a user ID plug-in interface, and request a username from the device.

Thus, the identification process (the user ID plug-in) is separate from authentication. A user can identify himself or herself with the pcProx card and then authenticate with the password. The identification process specifies to Client32 who the user is. The process could be as simple as typing a username. After the user clicks OK, Client32 starts the authentication process, verifying that the user is who he claims to be by making sure that the password is valid.

You can type your username or put your pcProx card on a reader and have the card get your username. After you click OK, NMAS is launched. NMAS does not know or care how you identify yourself (by putting down a pcProx card or typing your username). NMAS runs the login sequence, which might or might not include a proximity card.

Identification and authentication are separate, so that you have the option to authenticate by using a proximity card but you are not required to use one.

Therefore, the pcProx method uses the virtual channel on its own.

Scenario 2

Client32 is running on a Citrix server. Client32 displays a login dialog box, which calls pcProx. pcProx asks who the user is. It uses the virtual channel to communicate with the ICA client. The process calls the pcProx method at the ICA client. The pcProx method communicates with the reader.

At that point, the process can access the reader and request the badge number, which is returned to pcProx on the Citrix server. Using LDAP, pcProx sends the badge number to eDirectory, gets the user ID, and passes the data back to Client32. The user is identified. Then the authentication process begins.
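
The lookup described above, as an added example that is not part of the original documentation or Novell's code: a Python model of the identification step (badge number to user through an LDAP-style search) kept separate from authentication. The attribute name cardId, the directory entries, the in-memory search function, and the authenticate callback standing in for the NMAS login sequence are all assumptions made for illustration.

```python
import re

# Constructed entries standing in for eDirectory; "cardId" is a hypothetical attribute.
DIRECTORY = [
    {"dn": "cn=drsmith,ou=clinic,o=hospital", "cardId": "0042-7781"},
    {"dn": "cn=nurselee,ou=clinic,o=hospital", "cardId": "0042-9913"},
    {"dn": "cn=temp1,ou=clinic,o=hospital", "cardId": "0099-0001"},
    {"dn": "cn=temp2,ou=clinic,o=hospital", "cardId": "0099-0001"},  # duplicate badge
]

class IdentificationError(Exception):
    """Raised when a badge does not map to exactly one user."""

def escape_filter_value(value):
    """Escape RFC 4515 special characters so the value is matched literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def search(filter_str, directory):
    """Tiny stand-in for an LDAP server: evaluates one (attr=value) filter."""
    attr, pattern = re.fullmatch(r"\((\w+)=(.*)\)", filter_str, re.S).groups()
    parts = []
    for piece in re.split(r"(\*)", pattern):
        if piece == "*":                      # unescaped asterisk is a wildcard
            parts.append(".*")
        else:                                 # \xx hex escapes decode to literals
            literal = re.sub(r"\\([0-9a-fA-F]{2})",
                             lambda m: chr(int(m.group(1), 16)), piece)
            parts.append(re.escape(literal))
    rx = re.compile("".join(parts), re.S)
    return [e["dn"] for e in directory if rx.fullmatch(e.get(attr, ""))]

def identify(badge, directory=DIRECTORY):
    """Identification step: badge number -> exactly one user DN."""
    hits = search("(cardId=%s)" % escape_filter_value(badge), directory)
    if len(hits) != 1:                        # unknown or ambiguous badge
        raise IdentificationError("badge matched %d entries" % len(hits))
    return hits[0]

def login(badge, authenticate, directory=DIRECTORY):
    """Identification only proposes a user; authenticate() decides the login."""
    try:
        dn = identify(badge, directory)
    except IdentificationError:
        return None
    return dn if authenticate(dn) else None
```

A badge that resolves to a user still yields no login unless the separate authentication callback succeeds, and a badge value that matches zero or several entries is rejected before authentication starts.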