27 Mar 2012

Smart Card PIN pass-through not working with Windows 7 client on XenApp

**Issue description
**

While fighting with the Citrix Single Sign On Service (SSONSVR.exe) on Windows 7 using Smart Card based login I had a deeper look at the architecture of SSONSVR service. For those which are not familiar with this component of the Receiver / Online Plugin, it’s basically a Citrix client component which caches the current logon credentials on a Windows based endpoint to enable the pass-through logon feature of XenApp. If a user logs on with username / password, SSONSVR caches the credentials and passes them over to the XenApp server resp. to the WI or WI service site.
Now, if a user logs on to his Windows 7 client using Smart Card interactive logon with PIN, SSONSVR.exe is not invoked and therefore PIN pass through to a XenApp host is not working. Users will receive a RDS logon screen where they have to click on their user account and enter the PIN, which is of course very annoying.

SSONSVR is implemented as a “Network Provider” and called by Winlogon via NPLogonNotify function. Upon a smart card logon the NPLogonNotify process is simply not invoked by Winlogon.exe anymore due to an architecture change of Winlogon within Vista / Windows 7 / 2008 R2.
For more info about that see: http://msdn.microsoft.com/en-us/library/bb905527.aspx and http://support.citrix.com/article/CTX131223

Resolution

Add the following Registry key to your Windows 7 clients:
Key: HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify
Value Name: SmartCardLogonNotify
Value Type: REG_DWORD
Value Data: 0x1

Logoff and log on using your smart card / PIN, and voilà, here is ssonsvr.exe or ssonsvr.exe*32 process running.
To generally enable SSON and Smart Card PIN Pass Through a few more steps are required.

  • Configure Receiver ADM Policy
    • Enable local user name and password
    • Allow Smart Card Authentication
    • Enable pass-through authentication for PIN
  • Enable Smart Card or Smart Card with pass-through authentication on your WI site
  • Enable “Trust XML Service requests” on the XenApp policy
  • Install required Smart Card drivers and middleware components on the XenApp hosts if using a third party one.

Notice about PIN caching on Windows 7
The Microsoft provided CSP does not support global PIN caching, only a “per process” PIN caching. This means, at the time Receiver starts up and each time Receiver or PNAgent is calling a published resource, the CSP asks for the PIN. This behavior is by design and to get rid of that, you have to use a third-party CSP / Middleware like ActivIdentity, which supports global PIN caching.