Secure Global Desktop 4.40 Administration Guide

Using Smart Cards With Windows Applications

SGD allows users to access a smart card reader attached to their client device from applications running on a Microsoft Windows Server 2003 application server. Users can do the following:

Note: Microsoft Windows 2000 Server application servers do not support smart card device redirection.

The Secure Global Desktop Release Notes has details of the smart cards that have been tested successfully with SGD.

Enabling Support for Smart Cards

You enable support for smart cards as follows:

  1. Deploy smart cards on the Microsoft Windows Server 2003 domain.
  2. Configure the smart card readers on client devices.
  3. Check that the SGD smart card service is enabled.

    The smart card service is enabled by default.

    In the SGD Administration Console, on the Global Settings » Client Device tab, ensure the Smart Card check box is selected.

  4. Ensure that the Windows applications that require smart cards use Microsoft RDP Protocol as the Windows Protocol (--winproto).
  5. Ensure that smart card authentication is enabled.

    Smart card authentication is enabled by default.

    In the SGD Administration Console, on the Global Settings » Application Authentication tab, ensure the Smart Card Authentication check box is selected.

    The Global Settings » Application Authentication tab has other settings that affect the behavior of the Always Use Smart Card check box on the Application Server Authentication dialog.

Application Server Authentication Dialog Settings

In the SGD Administration Console, the Global Settings » Application Authentication tab has several attributes that control the behavior of the Application Server Authentication dialog when using the SGD smart card service.

The Smart Card Authentication check box controls whether users get the choice of logging in with a smart card or only with a user name and password.

The "Always Use Smart Card" Box attributes allow you to control whether a user's decision to log in with a smart card is remembered (cached) for the next time they log in to that application server and whether they can change this setting.

Note: Users can only choose an authentication method, or choose to cache the smart card decision, if they have access to the Application Server Authentication dialog. If you disable users' ability to use SHIFT + click, this restricts users' access to this dialog.

Configuring Smart Card Readers on Client Devices

SGD works with Personal Computer/Smart Card (PC/SC)-compliant cards and readers. See the PC/SC Workgroup for details.

Microsoft Windows Client Devices

On Microsoft Windows client devices, you must install the smart card reader and any required drivers on the client device in order to make the smart card available to Terminal Services sessions running through SGD.

Linux Platform and Solaris OS Client Devices

On Linux platform and Solaris OS client devices, a PCSC-Lite library must be installed in order for SGD to communicate with smart card readers. PCSC-Lite provides an interface to the PC/SC framework on UNIX and Linux platforms.

For Linux platform client devices, PCSC-Lite is available from the following locations:

PCSC-Lite version 1.2.0 or later is required.

For Solaris OS client devices, PCSC-Lite compatible libraries are available in the following packages:

The PC/SC Shim for SCF package allows you to use a PC/SC application with the Solaris Card Framework (SCF) and work with Sun internal readers and Sun Ray readers. Version 1.1.1 or later is required. The PC/SC Shim is included with Solaris 10. For other Solaris versions, the PC/SC Shim is available from the MUSCLE project (http://www.musclecard.com).

The Sun Ray PC/SC Bypass package provides a PCSC-Lite interface for the Sun Ray reader. Make sure you have the latest patches for Sun Ray Server Software and the latest SUNWsrcbp package.

SGD clients require the PCSC-Lite libpcsclite.so library file. This is normally installed in /usr/lib but it depends on your dynamic linker path. If this file is installed outside of the dynamic linker path or you want to use a different library file, use the TTA_LIB_PCSCLITE environment variable to specify the location. This can be set either in the user's environment or in the login script.
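The following login-script fragment is an added example, not part of the SGD documentation. Because TTA_LIB_PCSCLITE decides which library file the client loads, it only accepts a copy that group and other users cannot write to. The function names and candidate directories are hypothetical, and it assumes the variable takes the full path of the library file.

```shell
# Added example for a user login script. Helper names are hypothetical.
# Assumption: TTA_LIB_PCSCLITE takes the full path of the library file.

# Succeeds only if $1 is a readable regular file and neither the file nor
# its directory is writable by group or others.
pcsc_lib_is_safe() {
    lib=$1
    [ -f "$lib" ] && [ -r "$lib" ] || return 1
    dir=$(dirname "$lib")
    for p in "$lib" "$dir"; do
        # -L follows symlinks (libpcsclite.so is often a link).
        perms=$(ls -ldL "$p" | cut -c1-10) || return 1
        case $perms in
            # character 6 is group write, character 9 is other write
            ?????w????|????????w?) return 1 ;;
        esac
    done
    return 0
}

# $1: colon-separated directories already on the dynamic linker path.
# Remaining arguments: other directories to search, in order of preference.
# Prints nothing if the linker path already provides the library, prints the
# path to export if a safe copy is found elsewhere, returns 1 otherwise.
find_pcsc_lib() {
    default_dirs=$1; shift
    old_ifs=$IFS; IFS=:
    for d in $default_dirs; do
        if [ -f "$d/libpcsclite.so" ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs
    for d in "$@"; do
        if pcsc_lib_is_safe "$d/libpcsclite.so"; then
            printf '%s\n' "$d/libpcsclite.so"
            return 0
        fi
    done
    return 1
}

# /usr/lib is the usual location named above; the other two directories are
# constructed examples. The variable is set only when it is actually needed.
if lib=$(find_pcsc_lib /usr/lib /opt/pcsclite/lib /usr/local/lib) && [ -n "$lib" ]; then
    TTA_LIB_PCSCLITE=$lib; export TTA_LIB_PCSCLITE
fi
```
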

Logging in to a Microsoft Windows Server 2003 With a Smart Card

  1. Log in to SGD.
  2. On the webtop, click the link to start the Windows application.
  3. When the Application Server Authentication dialog displays, click Use smart card.
  4. To always use a smart card to log in, click the Always use smart card box.
  5. When the Windows security dialog displays, insert your smart card.
  6. When prompted, enter your PIN.