Smartcard Authentication

Certificate Authentication

The smartcards discussed here can hold digital certificates (x.509) and corresponding private keys. The private key cannot be read from the card, but it can be used by the card itself for signing and decryption of data.

Ths enables use of what is known as two-factor authentication: the user not only possesses the smartcard, he or she can also prove the knowledge of the smartcard PIN by signing data using the private key stored on the smartcard.

Smartcard Readers

Smartcards are accessed via smartcard readers, using either a contact or contactless interface. The IGEL Third Party Database lists the readers that are supported by the Linux firmware.

PC/SC Resource Manager

The PC/SC Resource Manager is a common Application Programming Interface (API) that is available on Windows and Linux operating systems. It provides a standardized way for applications to handle smartcards and readers.

The PC/SC Resource Manager is active by default in the Linux-based firmware and can be controlled via the Activate PC/SC Daemon parameter on IGEL Setup > Devices > Smartcard > PC/SC or IGEL Setup > Security > Smartcard > PC/SC or IGEL Setup > Security > Smartcard > Services (depending on the firmware version).

Smartcard Middleware

In order to provide a generalized interface to different types of smartcard hardware there is an additional software layer called smartcard middleware.

There are different types of middleware:

 

Windows

Linux

CSP, Cryptographic Service Provider

 

PKCS#11, Public-Key Cryptographic Standards

Some of the smartcard authentication methods require smartcard middleware to be installed on the thin client. The following modules are available as of IGEL Linux 10.04.100:

Content

Active Directory Logon with Smartcard

Citrix Legacy ICA Sessions

Citrix Legacy ICA Sessions with Local Logon Window

Citrix StoreFront

RDP Sessions

Horizon Sessions

Smartcard Authentication in Browser

Citrix XenDesktop Appliance Mode