This section describes how to configure smart cards for Windows applications displayed through SGD.
SGD enables users to access a smart card reader attached to their client device from applications running on a Windows application server. Users can do the following:
Use a smart card to log in to a Windows application server.
Access the data on a smart card while using an application running on a Windows application server. For example, to use a certificate for signing or encrypting an email.
Using smart cards with Windows applications is not supported for tablet devices.
SGD works with any Personal Computer/Smart Card (PC/SC)-compliant smart card and reader. Details of the smart cards that have been tested successfully with SGD are listed in the Oracle Secure Global Desktop Platform Support and Release Notes.
SGD Administrators can give users access to smart card readers from Windows applications displayed through SGD. Setting up access to smart cards involves the following configuration steps:
Enable smart card services on the application server.
See Section 5.5.3, “Configuring the Microsoft Windows Application Server for Smart Cards”.
Enable access to smart cards for SGD users.
Configure a smart card reader on the client device.
See Section 5.5.5, “Configuring Smart Card Readers on Client Devices”.
Log in to the application server using the smart card.
See Section 5.5.6, “Logging In to a Microsoft Windows Application Server With a Smart Card”.
To configure the Microsoft Windows application server for smart cards, do the following:
Deploy smart cards on the Microsoft Windows Server domain.
Check that smart card device redirection is enabled on the Windows Remote Desktop Session Host. See Section 4.1.3, “Configuring Microsoft Windows Remote Desktop Services for Use With SGD” for details of the Windows platforms that support smart card device redirection.
Ensure that smart cards are working before introducing SGD.
In the Administration Console, the Global Settings, Application Authentication tab has several attributes that control the behavior of the Application Server Authentication dialog box when using the SGD smart card service.
The Smart Card Authentication check box controls whether users get the choice of logging in with a smart card or only with a user name and password.
The "Always Use Smart Card" Box attributes enable you to control whether a user's decision to log in with a smart card is remembered, or cached, for the next time they log in to that application server, and whether they can change this setting.
Users can only choose an authentication method, or to cache the smart card decision, if they have access to the Application Server Authentication dialog box. If you disable the ability to use Shift-click, this restricts user access to the Application Server Authentication dialog box. See Section 4.9.1.6, “Users Can Start Applications With Different User Names and Passwords”.
SGD must be configured in order to support user access to smart cards.
Firewalls between SGD servers can interfere with the connections required for smart cards. See Section 1.4.2, “Firewalls Between SGD Servers”.
Check that the SGD smart card service is enabled.
In the Administration Console, go to the Global Settings, Client Device tab and ensure the Smart Card check box is selected.
The smart card service is enabled by default.
Ensure that smart card authentication is enabled.
Smart card authentication is enabled by default.
In the Administration Console, go to the Global Settings, Application Authentication tab and ensure the Smart Card Authentication check box is selected.
The Global Settings, Application Authentication tab has other settings that affect the behavior of the Always Use Smart Card check box on the Application Server Authentication dialog box. See Section 5.5.3.1, “Application Server Authentication Dialog Box Settings”.
SGD works with PC/SC-compliant cards and readers.
Supported smart cards and readers are described in the Oracle Secure Global Desktop Platform Support and Release Notes.
Smart card readers are not supported for tablet devices.
On Microsoft Windows client devices, you must install the smart card reader and any required drivers on the client device to make the smart card available to Remote Desktop Services sessions running through SGD.
On Linux platform and Oracle Solaris client devices, a PCSC-Lite library must be installed for SGD to communicate with smart card readers. PCSC-Lite provides an interface to the PC/SC framework on UNIX and Linux platforms.
For Linux platform client devices, PCSC-Lite is available from the Linux platform vendor. PCSC-Lite version 1.2.0 or later is required.
For Oracle Solaris client devices, PCSC-Lite compatible libraries are available in the following packages:
The PC/SC Shim for SCF package (PCSCshim)
The Sun Ray PC/SC Bypass package (SUNWsrcbp)
The PC/SC Shim for SCF package enables you to use a PC/SC application with the Solaris Card Framework (SCF) and work with Sun internal readers and Sun Ray readers. Version 1.1.1 or later is required. PC/SC Shim is included with Oracle Solaris.
The Sun Ray PC/SC Bypass package provides a PCSC-Lite interface for the Sun Ray reader. Make sure you have the latest patches for Sun Ray Software and the latest SUNWsrcbp package.
SGD clients require the PCSC-Lite libpcsclite.so library file. This is normally installed in /usr/lib, but the location depends on your dynamic linker path. If this file is installed outside of the dynamic linker path, or you want to use a different library file, use the TTA_LIB_PCSCLITE environment variable to specify the location. This can be set either in the user's environment or in the login script.
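The following POSIX shell script is an added example, not code from the SGD documentation: it locates libpcsclite.so and exports TTA_LIB_PCSCLITE so the setting can be sourced from a login script. The default search directories are an assumption; extra directories can be passed as arguments, and a stale TTA_LIB_PCSCLITE value that no longer points at a readable file is reported and replaced.

```shell
# Added example (not from the SGD documentation): resolve the PCSC-Lite client
# library for the SGD Client and export TTA_LIB_PCSCLITE when it sits outside
# the dynamic linker path. Source this file from the login script.

# Directories tried after any passed as arguments. This list is an assumption
# about common library locations, not one taken from the SGD documentation.
DEFAULT_LIB_DIRS='/usr/lib /usr/lib64 /usr/local/lib /usr/lib/x86_64-linux-gnu /lib /lib64'

# Print the first readable libpcsclite.so (unversioned name first, then the
# SONAME-versioned copies such as libpcsclite.so.1); fail if none is found.
find_pcsclite() {
    # $DEFAULT_LIB_DIRS is deliberately unquoted so it splits into directories.
    for dir in "$@" $DEFAULT_LIB_DIRS; do
        [ -d "$dir" ] || continue
        for f in "$dir/libpcsclite.so" "$dir"/libpcsclite.so.*; do
            if [ -r "$f" ]; then printf '%s\n' "$f"; return 0; fi
        done
    done
    return 1
}

# Resolve the library and export TTA_LIB_PCSCLITE, printing the path in use.
# A value already in the environment is kept only if it points at a readable
# file; a stale path is reported and replaced, since the SGD Client could not
# load it anyway.
configure_pcsclite() {
    if [ -n "$TTA_LIB_PCSCLITE" ]; then
        if [ -r "$TTA_LIB_PCSCLITE" ]; then
            printf '%s\n' "$TTA_LIB_PCSCLITE"; return 0
        fi
        printf 'TTA_LIB_PCSCLITE=%s is not readable; searching\n' "$TTA_LIB_PCSCLITE" >&2
    fi
    lib=$(find_pcsclite "$@") || { echo 'libpcsclite.so not found; install PCSC-Lite 1.2.0 or later' >&2; return 1; }
    TTA_LIB_PCSCLITE=$lib
    export TTA_LIB_PCSCLITE
    printf '%s\n' "$lib"
}
```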
Log in to SGD.
On the workspace, click the link to start the Windows application.
When the Application Server Authentication dialog box displays, click Use smart card.
To always use a smart card to log in, click the Always use smart card box.
When the Windows security dialog box displays, insert your smart card.
When prompted, enter your PIN.
For information about configuring SGD to use smart cards with Windows applications see Section 5.5.1, “Using Smart Cards With Windows Applications”.
If users find they are unable to use their smart cards with Windows applications, use the following checklist to resolve the problem.
Questions and Answers
5.5.7.1: Is smart card device redirection enabled on the Windows Remote Desktop Session Host?
You can only use smart cards if smart card device redirection is enabled on the Windows Remote Desktop Session Host. See Section 4.1.3, “Configuring Microsoft Windows Remote Desktop Services for Use With SGD” for details of the Windows platforms that support smart card device redirection.
5.5.7.2: Are smart card services enabled for all SGD servers in the array?
In the Administration Console, go to the Global Settings, Client Device tab and ensure the Smart Card check box is selected.
In the Administration Console, go to the Global Settings, Application Authentication tab and ensure the Smart Card Authentication check box is selected.
5.5.7.3: Is there a firewall between the SGD server hosting the user session and the SGD server hosting the application session?
Firewalls between SGD servers can interfere with smart card connections. See Section 1.4.2, “Firewalls Between SGD Servers”.
5.5.7.4: Is the client device configured correctly?
On Microsoft Windows client platforms, do the following:
Check that the smart card reader is listed in the Windows Device Manager.
Check that the smart card service is running on the client. Click Start Menu, Programs, Administrative Tools, Services.
Check that the SGD Client has detected the smart card reader and card. Right-click the SGD icon in the Windows system tray and select Connection info. The Smart card reader property lists the details in the format reader:ATR_string, where reader is the manufacturer and model of the smart card reader and ATR_string is the Automatic Terminal Recognition (ATR) string, a sequence of hexadecimal numbers used to identify the card to the system.
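As an added example that is not part of the SGD documentation, the following POSIX shell code splits a reader:ATR_string value as shown above into its two parts and decodes the ATR bytes according to the ISO/IEC 7816-3 layout (TS, T0, interface bytes, historical bytes, optional TCK checksum), so a truncated or corrupted value fails the check instead of being silently compared against a card list. The separator handling and the sample value in the usage are assumptions.

```shell
# Added example (not from the SGD documentation): split the SGD Client
# "Smart card reader" property into reader name and ATR, then decode the ATR
# header (TS, T0, interface bytes, historical bytes, TCK) per ISO/IEC 7816-3.

# Assumption: the property reads "reader:ATR" with the ATR as hex bytes,
# optionally separated by spaces or colons. Prints the reader, then the ATR
# as one upper-case hex string without separators; fails on a malformed ATR.
parse_reader_property() {
    reader=${1%%:*}
    hex=$(printf '%s' "${1#*:}" | tr -d ' :' | tr 'a-f' 'A-F')
    case $hex in ''|*[!0-9A-F]*) return 1 ;; esac
    [ $(( ${#hex} % 2 )) -eq 0 ] && [ ${#hex} -ge 4 ] || return 1
    printf '%s\n%s\n' "$reader" "$hex"
}
# Two hex digits of byte $1 (0-based) of the ATR held in $atr.
hexbyte() { printf '%s' "$atr" | cut -c"$(( $1 * 2 + 1 ))-$(( $1 * 2 + 2 ))"; }

decode_atr() {
    atr=$1; nbytes=$(( ${#atr} / 2 )); [ "$nbytes" -ge 2 ] || return 1
    pos=2; i=1; iface=''; protos=''
    case $(hexbyte 0) in 3B) conv=direct ;; 3F) conv=inverse ;; *) return 1 ;; esac
    t0=$(( 0x$(hexbyte 1) )); y=$(( t0 >> 4 )); k=$(( t0 & 15 ))
    # The high nibble of T0 (then of each TDi) flags which of TAi..TDi follow;
    # the low nibble of each TDi names a transmission protocol.
    while :; do
        td=''
        for pair in 0:A 1:B 2:C 3:D; do
            n=${pair%:*}
            [ $(( (y >> n) & 1 )) -ne 0 ] || continue
            [ "$pos" -lt "$nbytes" ] || return 1          # ATR cut short
            b=$(hexbyte "$pos"); pos=$(( pos + 1 ))
            iface="$iface,T${pair#*:}$i=$b"
            if [ "$n" -eq 3 ]; then td=$(( 0x$b )); fi
        done
        [ -n "$td" ] || break
        protos="$protos,T=$(( td & 15 ))"; y=$(( td >> 4 )); i=$(( i + 1 ))
    done
    [ -n "$protos" ] || protos=',T=0'                     # no TD1 means T=0
    hist=''; [ "$k" -eq 0 ] || hist=$(printf '%s' "$atr" | cut -c"$(( pos * 2 + 1 ))-$(( (pos + k) * 2 ))")
    [ ${#hist} -eq $(( k * 2 )) ] || return 1             # historical bytes missing
    pos=$(( pos + k ))
    # TCK, when present, must XOR to zero with every byte from T0 onwards.
    case $(( nbytes - pos )) in
        0) tck=absent ;;
        1) xor=0; n=1; while [ "$n" -lt "$nbytes" ]; do xor=$(( xor ^ 0x$(hexbyte "$n") )); n=$(( n + 1 )); done
           if [ "$xor" -eq 0 ]; then tck=ok; else tck=bad; fi ;;
        *) return 1 ;;                                    # trailing bytes
    esac
    printf 'convention=%s protocols=%s interface=%s historical=%s tck=%s\n' \
        "$conv" "${protos#,}" "${iface#,}" "$hist" "$tck"
}
```

Feed the second output line of parse_reader_property to decode_atr; a tck=bad result or a non-zero exit means the string shown by the SGD Client is not a complete, intact ATR.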
On Linux platforms, do the following:
Check that the PCSC daemon, pcscd, is running. For example, you can use the following command:
# /sbin/service pcscd status
Try restarting the PCSC daemon with the --debug stdout option. Insert the smart card in the reader and see if the reader and card are detected.
On Oracle Solaris platforms, do the following:
If you are using the PC/SC Shim for SCF package, check that the OCF server, ocfserv, is running. If the OCF server is not running, use the following command to enable the OCF server:
# svcadm enable svc:/network/rpc/ocfserv
If you are using the Sun Ray PC/SC Bypass package, check the Sun Ray Software configuration.
5.5.7.5: Are there any error messages listed in the log file?
Smart card device access data and error messages are stored in the SGD Client log file. This data is displayed in the Detailed Diagnostics page of the SGD workspace.