Smart Card PIN pass-through not working with Windows 7 client on XenApp
**Issue description**
While fighting with the Citrix Single Sign-On Service (SSONSVR.exe) on Windows 7 using smart card based logon, I had a deeper look at the architecture of the SSONSVR service. For those who are not familiar with this component of the Receiver / Online Plugin: it is basically a Citrix client component that caches the current logon credentials on a Windows-based endpoint to enable the pass-through logon feature of XenApp. If a user logs on with username / password, SSONSVR caches the credentials and passes them on to the XenApp server or to the WI / WI service site.
Now, if a user logs on to his Windows 7 client using smart card interactive logon with a PIN, SSONSVR.exe is not invoked and therefore PIN pass-through to a XenApp host does not work. Users receive an RDS logon screen where they have to click on their user account and enter the PIN, which is of course very annoying.
SSONSVR is implemented as a “Network Provider” and is called by Winlogon via the NPLogonNotify function. Upon a smart card logon, NPLogonNotify is simply no longer invoked by Winlogon.exe, due to an architecture change of Winlogon in Vista / Windows 7 / 2008 R2.
For more information, see: http://msdn.microsoft.com/en-us/library/bb905527.aspx and http://support.citrix.com/article/CTX131223
**Resolution**
Add the following Registry key to your Windows 7 clients:
Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Value Name: SmartCardLogonNotify
Value Type: REG_DWORD
Value Data: 0x1
Log off and log on again using your smart card / PIN, and voilà, the ssonsvr.exe (or ssonsvr.exe*32) process is running.
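The registry change above, scripted so it can be pushed to many Windows 7 clients and verified afterwards. This is an added example and not part of the original article or of any Citrix tooling; the function names are my own, and the script assumes it runs in an elevated PowerShell session on the client. The value name and data are the ones the article gives.

```powershell
# Added example (not from the original article): set the Winlogon
# SmartCardLogonNotify value described above and verify the result.
# Run from an elevated PowerShell session on the Windows 7 client.

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$valueName = 'SmartCardLogonNotify'
$valueData = 1   # REG_DWORD 0x1, as given in the article

function Set-SmartCardLogonNotify {
    # The Notify subkey may not exist yet; create it before writing the value.
    if (-not (Test-Path -Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    # Set-ItemProperty creates or overwrites the value; -Type DWord gives REG_DWORD.
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $valueData -Type DWord
}

function Test-SmartCardLogonNotify {
    # Returns $true only if the value exists and is exactly 1.
    $current = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    return ($null -ne $current -and $current.$valueName -eq $valueData)
}

function Test-SsonsvrRunning {
    # After logging off and back on with the smart card, ssonsvr.exe should be running.
    # Get-Process reports the image name without the extension, so this matches
    # both ssonsvr.exe and the ssonsvr.exe*32 shown in Task Manager on 64-bit clients.
    return [bool](Get-Process -Name 'ssonsvr' -ErrorAction SilentlyContinue)
}

Set-SmartCardLogonNotify
if (Test-SmartCardLogonNotify) {
    Write-Host "$valueName is set to $valueData under $keyPath. Log off and log on with the smart card."
} else {
    Write-Warning "Could not set $valueName; make sure this runs from an elevated session."
}

# Run this part again after the smart card logon to confirm SSON is active:
if (Test-SsonsvrRunning) {
    Write-Host 'ssonsvr.exe is running: SSON is active for this session.'
} else {
    Write-Warning 'ssonsvr.exe is not running yet; log off/on with the smart card and check the Receiver ADM policy.'
}
```

The verification step matters because the registry value only makes Winlogon call the network provider again; if the Receiver policy settings listed below are missing, ssonsvr.exe may start but pass-through still fails, so checking the process separately from the registry value separates the two causes.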
To enable SSON and smart card PIN pass-through in general, a few more steps are required:
- Configure the Receiver ADM policy:
  - Enable local user name and password
  - Allow Smart Card Authentication
  - Enable pass-through authentication for PIN
- Enable Smart Card or Smart Card with pass-through authentication on your WI site
- Enable “Trust XML Service requests” in the XenApp policy
- Install the required smart card drivers and middleware components on the XenApp hosts if you are using a third-party CSP / middleware.
**Notice about PIN caching on Windows 7**
The Microsoft-provided CSP (Cryptographic Service Provider) does not support global PIN caching, only “per process” PIN caching. This means that when Receiver starts up, and each time Receiver or PNAgent launches a published resource, the CSP prompts for the PIN again. This behavior is by design; to get rid of it, you have to use a third-party CSP / middleware such as ActivIdentity, which supports global PIN caching.