Question: Is it possible to enable smartcard logins on virtual RHEL servers deployed through Citrix Virtual Delivery Agent (VDA)?


Answer: Yes, starting with the Centrify Infrastructure Services 19.9 Release (CentrifyDC version 5.6.1), this is now possible. Centrify has made some improvements to the sctool program and has also developed a "sctool_pkinit" module to facilitate the integration with Citrix VDA.



Note: While this is a great improvement to the product, there are some limitations that customers should be aware of. Please see below:

1. Citrix Linux VDA does not support session locking behavior on smart card removal
ref: https://docs.citrix.com/en-us/linux-virtual-delivery-agent/current-release/configuration/pass-through-authentication-with-smart-cards-.html#smart-card-removal-policy

Customers may want to consider configuring the "Interactive logon: Smart card removal behavior" group policy for the Windows machines where Citrix Receiver are running.

2. Citrix Linux VDA sessions by default will disable automatic screen lock. However users are still able to manually lock the session, but once a user locks the session, it cannot be unlocked using smart card. It is believed that this is the current limitation of Citrix VDA that the unlocking service (gdm-smartcard) does not share the "smart card context" with the user session.

3. It has been discovered that a user session may be able to access a smart card associated with another Citrix VDA session by guessing the CITRIX_SESSION_ID environment variable.
For example,

• Suppose that userA has logged in to Citrix Linux VDA desktop using smart card, and has "CITRIX_SESSION_ID=7" set in environment,
• Then another userB that is also logged in to the same Linux system, can easily guess the Citrix session ID,
  If userB does the following:
  $ export CITRIX_SESSION_ID=7
  $ sctool -D
  then sctool would prompt for PIN, and if the correct PIN is provided, userB is able to access the certificates on the smart card, without physical possession of the card.