Using the example of Avtor CryptoCard337 smart cards, an HP T430 thin client running ThinPro, and VMware Horizon 2103.
We assume that Certificate Services has already been installed and configured and that Group Policy allows domain logon on presentation of a smart card.
1. Setting up a thin client
Preparing the HP ThinPro OS for Installing Smart Card Drivers:
Updates and drivers can be installed on HP T430 thin clients either locally or centrally using Device Manager.
Upgrade the OS to ThinPro 7.1 SP 17.4 or later from the repository.
Upgrade the Horizon View client to version 2012 or later from the repository.
Update the Firefox browser to version 78.12.0 or later from the repository.
Update the terminal client to tterm-2.0.0hp2a or later from the repository.
Installing drivers for the AVTOR CryptoCard337 smart card:
1. Download the drivers from the manufacturer’s official website. In our case it is http://my.avtor.ua/Account/Login (login: linux337; password: 12345678). The avtor-tools_1.2.0_amd64.deb package is recommended for a 64-bit OS.
2. Write the drivers to a USB drive. The media must be formatted as FAT32.
3. Switch to “Administrator” mode on the HP T430 Thin Client.
4. Launch the X-Terminal program.
5. In the terminal, execute the command fsunlock…
6. Insert the USB flash drive with the drivers into a USB port of the HP T430 Thin Client. A window (Update via USB) should appear, offering to install the *.deb files found on the media. If the window does not appear, restart the device and start over from step 3.
7. Select the required driver.
8. Click “Install”.
9. When the installation-complete message appears, select the “Show details” checkbox and verify that the drivers were installed correctly.
10. Reboot the device.
After these steps, the thin client will work correctly with the smart card.
2. Configuring VMware Horizon
This section assumes a Windows OS that is compatible with the VMware Horizon software and with the smart card drivers, and a working public key infrastructure (PKI).
VMware Horizon must be installed and configured as required. It is recommended to join the Horizon View Connection Server and the end stations to the BP domain. For transparent authentication with a PKI card to work, install the AVTOR CC337 drivers for MS Windows on the server where the Horizon View Connection Server is installed and on the end stations (manufacturer’s website http://my.avtor.ua/Account/Login; login: RSA; password: 12345678; download the file AvtorCc337Md_Setup.msi.zip).
A concise instruction is available at https://docs.vmware.com/en/VMware-Horizon/index.html (select the desired version of VMware Horizon, then go to the “Horizon Administration” section and select “Setting Up Smart Card Authentication”).
Configuring certificates. Export the root certificate (Obtain the CA Certificate from Windows)
1. Open the Certification Authority on the root CA by running certsrv.msc.
2. Open the window Certification Authority -> CA Name -> Properties. On the General tab, select the root certificate and click the View Certificate button.
3. Go to the Details tab and click the Copy to File button.
4. On the file format selection page, select Base-64 encoded X.509 (.CER)…
5. Specify the export path for the file, for example, C:\temp\RootCA.cer.
Import the root certificate into VMware Horizon (Add the CA Certificate to a Server Truststore File).
1. On the VMware Horizon server, open a command prompt and change to the directory that contains the keytool.exe utility (C:\Program Files\VMware\VMware View\Server\jre\bin).
2. Import the prepared root certificate into the store file with the command: keytool -import -alias alias -file root_certificate -keystore truststorefile.key -storetype JKS, where alias is an alias (any value), root_certificate is the full path to the certificate file, truststorefile.key is the name of the store file, and storetype is the store type. During the import you will be asked to enter a passphrase that protects the store and to confirm that you trust the certificate.
3. Copy the truststorefile.key store file to the SSL Gateway directory: install_directory\VMware\VMware View\Server\sslgateway\conf.
4. In the SSL Gateway directory (install_directory\VMware\VMware View\Server\sslgateway\conf), create a file named locked.properties and edit it (in Notepad, for example) so that it has the following content:
trustKeyfile = truststorefile.key
trustStoretype = jks
useCertAuth = true
Save the file and restart the Horizon View Connection Server service.
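A pre-restart check of the SSL Gateway conf directory, as an added example that is not part of the original guide or of VMware's tooling: it reads locked.properties, confirms the three keys shown above, and checks that the referenced truststore is present and begins with the JKS magic bytes. The names check_conf_dir and parse_properties are hypothetical, and the script assumes the Connection Server reads the file with Java properties semantics (case-sensitive keys, ISO-8859-1 input).

```python
import os
import tempfile
JKS_MAGIC = bytes.fromhex("feedfeed")  # first four bytes of a JKS keystore file
BOM = b"\xef\xbb\xbf"  # UTF-8 BOM; java.util.Properties would read it into the first key
EXPECTED = {"trustKeyfile": None, "trustStoretype": "jks", "useCertAuth": "true"}

def parse_properties(text):
    """Minimal reader for 'key = value' lines; '#' and '!' start comments."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith(("#", "!")):
            props[key.strip()] = value.strip()
    return props

def check_conf_dir(conf_dir):
    """Return a list of problems with locked.properties and its truststore."""
    path = os.path.join(conf_dir, "locked.properties")
    if not os.path.isfile(path):
        hint = " (locked.properties.txt exists)" if os.path.isfile(path + ".txt") else ""
        return ["locked.properties not found" + hint]
    with open(path, "rb") as fh:
        raw = fh.read()
    problems = []
    if raw.startswith(BOM):
        problems.append("file starts with a UTF-8 BOM")
        raw = raw[len(BOM):]
    props = parse_properties(raw.decode("latin-1"))
    for key, want in EXPECTED.items():
        value = props.get(key)
        if value is None:
            near = [k for k in props if k.lower() == key.lower()]  # wrong-case key
            problems.append(f"missing {key}" + (f" (found {near[0]})" if near else ""))
        elif want and value.lower() != want:
            problems.append(f"{key} is {value!r}, expected {want!r}")
    store = props.get("trustKeyfile")
    if store:
        try:
            with open(os.path.join(conf_dir, store), "rb") as fh:
                if fh.read(4) != JKS_MAGIC:
                    problems.append(f"{store} does not start with the JKS magic bytes")
        except OSError:
            problems.append(f"truststore {store} cannot be read from the conf directory")
    return problems

if __name__ == "__main__":  # constructed sample directory, not a real server
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "locked.properties"), "w") as fh:
            fh.write("trustKeyfile = truststorefile.key\ntrustStoretype = jks\nuseCertAuth = true\n")
        print(check_conf_dir(d))  # the truststore file is deliberately absent here
```

An empty list means the three settings and the truststore file are consistent with each other; it does not confirm that the store contains the intended root certificate.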
Configure Smart Card Settings in Horizon Console
Go to the VMware Horizon Web Console.
Go to server properties: Inventory -> View Configuration -> Servers -> Connection Servers -> Edit.
Go to the Authentication tab and select your preferred authentication mode. Authentication to the administrative console using a smart card is configured from the Smart card authentication for administrators drop-down list:
Not Allowed – do not use a smart card;
Optional – mixed authentication (either by password or by smart card);
Required – mandatory use of a smart card.
User authentication in VDI by smart card is configured from the Smart card authentication for users drop-down list. The option “Disconnect user sessions on smart card removal” defines the policy applied when the smart card is removed. Check the box if the session must be disconnected when the smart card is removed.
Logging in to the administration console
1. Insert the smart card and go to the administration console.
2. In the login form window that appears, select the administrator certificate and click the OK button.
3. You will be asked to enter your PIN. After successful PIN verification, authentication to the Web interface will be performed.
Configuring smart card forwarding in guest VMs
Forwarding the user’s smart card allows transparent authentication to the virtual machine with a single PIN entry. When the target virtual machine runs Windows, macOS or Linux, you need to install VMware View Agent with Smartcard Redirection enabled.
Thin Client Smart Card Authentication
1. Launch VMware Horizon Client and select a connection.
2. You will be asked to enter your PIN.
3. After successful authentication, the available resources will be displayed.