HP: Implementing Smart Card Authentication with HP Thin Clients
Part 1: VMware View Environment
Table of Contents:
Introduction ............................................................ 2
  Benefits of an HP Thin Client/Smart Card Solution ................... 2
Reference Infrastructure ................................................ 3
  Walk Before You Run ................................................... 3
Solution Components and Software ........................................ 4
  Client-Side Components ................................................ 4
  Required Software ..................................................... 5
  Recommended Software .................................................. 5
Setup and Installation .................................................. 6
  Setting the Stage: Building the Infrastructure ....................... 6
  What to Install on the Thin Client and Remote Desktop ................ 8
  Confirming the Installation .......................................... 12
Resources .............................................................. 15
  HP ................................................................... 15
  Gemalto .............................................................. 15
  VMware ............................................................... 15
Introduction

This is part 1 of a set of white papers devoted to explaining how to implement a smart card solution with HP thin clients. The focus of this paper is authentication in a VMware View 4.0 virtual desktop environment using HP t5740 Thin Clients running the Microsoft Windows Embedded Standard (WES) operating system. Future white papers will cover the following:
- Implementing in a Citrix XenDesktop 4 virtualization environment
- Implementing a smart card solution using HP t5745 Thin Clients running the HP ThinPro operating system

NOTE: The HP t5740 Thin Client is part of the HP Flexible line of thin clients; it features an Intel Atom N280 1.66 GHz processor, 2 GB DDR3 SDRAM, and the WES 2009 operating system.
Benefits of an HP Thin Client/Smart Card Solution

In addition to providing a greater level of data security, HP thin clients used with smart cards can offer organizations higher productivity, efficiency, and ease of use, and can assist with meeting regulatory compliance. Using smart cards to authenticate users connecting to a remote desktop environment via HP thin clients is achievable and cost-effective, though implementation may sometimes be intricate, depending on your environment. The benefits, however, are inarguable:
- Strong authentication: Providing greater security, two or more factors are required for authentication. In a smart card system, the two factors are a smart card inserted into a card reader (something the user has) and a Personal Identification Number (PIN) typed on an input device (something the user knows).
- Session mobility: Offering greater efficiency, session mobility allows users to move from station to station (from one thin client to another) and log back into the same user desktop environment and session.
- Single sign-on: Providing higher productivity and ease of use, only a single sign-on and authentication are required to gain access across the domain. Separate authentication for each domain entity is not required.

The goal of this paper is to incorporate all of these benefits into the HP thin client/smart card solution described later in this paper. Further, this paper lists the specific components required for an HP thin client/smart card solution. This paper does not discuss installation of the following infrastructure and services, but they are required for the thin client/smart card solution to work:
- Microsoft Active Directory Domain Controller (AD DC) environment
- Possible use of Group Policy Objects (GPOs) to propagate computer or user policies
- Microsoft Public Key Infrastructure (PKI):
  o Designation and installation of a Certificate Authority
  o Issuance of digital certificates
  o Process for certificate revocation
- VMware or Citrix virtual desktop environment
Reference Infrastructure

Walk Before You Run

Building a reference infrastructure is the same as building a pilot, sandbox, or pre-deployment environment. Although the client-side part of a thin client/smart card solution is fairly simple, the backend infrastructure is not necessarily so. A full-scale PKI solution integrated into a domain can be quite complex and could impact the organization considerably. Furthermore, the experience, time, and knowledge required to install, maintain, and troubleshoot this type of environment need to be thoroughly planned and understood. Along these lines, we strongly recommend testing and evaluating a reference infrastructure before deploying a full-scale PKI solution, assuming either that an infrastructure does not currently exist or that the objective is to first evaluate a smart card solution. The reference infrastructure should be a self-contained, experimental environment that includes a rudimentary, but fully operational, enterprise environment. We also recommend consulting the Gemalto document Gemalto .NET 2.0 Smart Card Certificate Enrollment using Microsoft Certificate Services to help understand installing Microsoft Certificate Services within this solution. A figure in the original paper illustrates a simple model of the proposed reference infrastructure.
Solution Components and Software

Three physical client-side components and two software applications are required for this smart card solution.

NOTE: Authentication and connection to a VMware View environment is possible with the View client version 3.0 installed on the HP t5740 Thin Client running the WES operating system. To obtain the benefit of single sign-on, however, we recommend downloading and installing the View 4.0 client from the VMware View Web site. For the purposes of this paper, we are using the 4.0 version.

The smart card reader prescribed here is a USB, contact-type reader manufactured by Gemalto. This card reader is connected to one of the USB ports on the HP t5740 Thin Client; authentication is initiated when the smart card is inserted into the card reader.

Client-Side Components:
- Smart card reader: Gemalto PC USB-TR Card Reader
  o P/N: HWP117685
  o Info: http://www.gemalto.com
- Smart card: Gemalto .NET v2+ Smart Card
  o P/N: HWP115647C (white card)
  o P/N: HWP115303B (orange card)
  o Info: http://www.gemalto.com/products/dotnet_card/index.html
- Thin client: HP t5740 thin client
  o http://h10010.www1.hp.com/wwpc/us/en/sm/WF25a/12454-12454-321959-338927-3640406-3996155.html
Required Software:
- Gemalto Card Reader Driver: download from http://support.gemalto.com/?id=46. Version: 4.0.8 (as of the writing of this paper). Although not specifically stated, this driver works with the HP t5740 Thin Client running the WES operating system.
- Microsoft Base Smart Card Cryptographic Service Provider (Base CSP): download from http://www.microsoft.com/downloads/details.aspx?FamilyID=e8095fd5-c7e5-4bee-9577-2ea6b45b41c6&displaylang=en

Recommended Software
- VMware: download the trial version of View 4 at https://www.VMware.com/tryVMware/?p=view4&lp=1
Setup and Installation

Setting the Stage: Building the Infrastructure

Several stages and support documents are required to construct the reference infrastructure proposed in Reference Infrastructure. The following steps are a general guide to getting the backend up and running. The next section, What to Install on the Thin Client and Remote Desktop, covers what to install on the thin client itself to support the smart card reader and the ability to authenticate properly, as well as what should be done on the remote desktop. The most important factor in ensuring success, however, is the precision of the backend server settings. Enough authoritative documentation exists on how to build each of these services, so we do not intend to rewrite or supersede those primary references.

1. Build the VMware environment complete with the necessary virtual machines (VMs).
2. Set up a stand-alone Certificate Authority on the domain controller VM. Use the Gemalto document Gemalto .NET 2.0 Smart Card Certificate Enrollment using Microsoft Certificate Services as a guide.
3. Issue a Smart Card User/Logon Certificate for one of the domain users. The certificate will be installed onto the user's smart card. Use the same Gemalto document, Gemalto .NET 2.0 Smart Card Certificate Enrollment using Microsoft Certificate Services, as a guide.
4. Set up the View Server for smart card authentication according to the View Manager 4.0.1 Administration Guide.
5. Change the default display protocol from PCoIP to Microsoft RDP on the Desktop/Pool Settings page under Display Protocol.

NOTE: At the time of this paper, PCoIP does not support smart card authentication.

6. Consider setting the following Group Policy to disconnect users upon removal of the smart card. This optional Group Policy setting can model the connection interaction between the remote desktop and the local client:
   GPO path:
   o Computer Configuration
   o Windows Settings
   o Security Settings
   o Local Policies
   o Security Options
   Policy:
   o Interactive logon: Smart card removal behavior
   Select one of the following security settings:
   o Lock Workstation
   o Force Logoff
   o Disconnect if a Remote Terminal Services Session

The following explanation is taken from the policy itself:
If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed. If you click Disconnect if a remote Terminal Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped terminal, without having to log on again. Default: No action specified.
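As an added example (not from the HP paper and not an HP, Gemalto, or VMware tool), the following PowerShell reads and sets the local value that backs the "Interactive logon: Smart card removal behavior" policy: the REG_SZ value ScRemoveOption under the Winlogon registry key. It assumes PowerShell 2.0 or later is installed on the WES thin client and on the remote desktop, and the function names are the example's own. In a domain, a GPO that sets this policy overwrites the local value on the next policy refresh, so use the script to stage a reference thin client or to confirm what the GPO actually applied, not as a substitute for the GPO.

```powershell
# Added example: read/set the Winlogon value behind the "Smart card removal behavior" policy.
# Assumption: PowerShell 2.0+ is available on the WES thin client and the remote desktop.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Mapping between the registry string Winlogon reads and the policy's display names
# (the three choices the paper lists plus the default "No Action").
$ScRemoveOptions = @{
    '0' = 'No Action'
    '1' = 'Lock Workstation'
    '2' = 'Force Logoff'
    '3' = 'Disconnect if a Remote Terminal Services Session'
}

function Get-SmartCardRemovalBehavior {
    # Returns the display name of the current setting; a missing value means "No Action".
    $item = Get-ItemProperty -Path $WinlogonKey -Name 'ScRemoveOption' -ErrorAction SilentlyContinue
    $raw = '0'
    if ($item -and $item.ScRemoveOption -ne $null) { $raw = [string]$item.ScRemoveOption }
    if ($ScRemoveOptions.ContainsKey($raw)) { return $ScRemoveOptions[$raw] }
    return "Unknown ($raw)"
}

function Set-SmartCardRemovalBehavior {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('No Action', 'Lock Workstation', 'Force Logoff',
                     'Disconnect if a Remote Terminal Services Session')]
        [string]$Behavior
    )
    # Reverse lookup: display name -> registry string.
    $code = ($ScRemoveOptions.GetEnumerator() | Where-Object { $_.Value -eq $Behavior }).Key
    # The policy stores this value as a REG_SZ string (for example "3"), so keep the type String.
    Set-ItemProperty -Path $WinlogonKey -Name 'ScRemoveOption' -Value $code -Type String
    Write-Output ("ScRemoveOption set to {0} ({1})" -f $code, $Behavior)
}

# Usage, from an administrator session.
# Remote desktop: card removal should drop the RDP session but leave it resumable.
Set-SmartCardRemovalBehavior -Behavior 'Disconnect if a Remote Terminal Services Session'
# Thin client, for the paper's "seamless" flow that also ends the local session:
#   Set-SmartCardRemovalBehavior -Behavior 'Force Logoff'
Get-SmartCardRemovalBehavior

# On the thin client the change lives only in the Enhanced Write Filter overlay until it is
# committed (the Commit EWF(C) tray action the paper describes, or: ewfmgr C: -commit).
```

Running Get-SmartCardRemovalBehavior on the remote desktop after a gpupdate is a quick way to confirm that the policy in step 6 reached the machine before you test card removal in the login flow.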
What to Install on the Thin Client and Remote Desktop

This section describes the procedure for performing the following steps:
- Installing the required software onto the thin client
- Connecting the smart card reader to the thin client
- Installing the required software onto the remote desktop
- Joining them to the domain

1. Connect a keyboard, a mouse, and the power supply to the thin client.
2. Connect the thin client to the reference network.
3. After power-on, the thin client boots up into a generic user login.
4. After logging into the local user, log out and log back in as the local administrator. It is possible to log in as the local administrator from a reboot or power-on by pressing and holding the Shift key just as the system initiates operating system services.
5. Log in as the local Administrator as follows:
   a. Log out while holding the Shift key. Continue holding the Shift key until the following logon screen appears.
   b. Log in as the local administrator with the password Administrator (the password is case sensitive).
6. While logged on as the local administrator, perform the following steps, but do not reboot:
   a. Install the Microsoft Base CSP.
   b. Install the Gemalto smart card driver software.
   c. Plug in the card reader.
      o Once the device is connected, open Device Manager and verify that the USB SmartCard Reader device is installed properly.
      o If it is not installed properly, as shown below, you might have to find it by browsing to its related miniport driver, GemCCID.sys, and then install it manually.
      o When properly installed, the smart card reader device appears as follows:
   d. Change the Computer Name.
   e. Join the computer to the domain.
   f. Before rebooting, commit the changes with the Enhanced Write Filter (EWF) utility.
      o Right-click the green lock icon in the system tray and select Commit EWF(C), as shown below.

NOTE: No changes are made to the thin client operating system until they are committed to the write filter. Local users are restricted from making changes to the operating system, as they have no permissions with the write filter utility.

7. On the remote desktop(s), perform the following:
   a. Install the Microsoft Base CSP.
   b. Install the card reader driver.
   c. Change the Computer Name.
   d. Join it to the domain.

As involved as these steps may seem, they are all that is required to set up a card reader device on the thin client. The main point to remember is that both the Microsoft Base CSP and the card reader driver need to be installed on both the thin client and on any remote desktops that will be connected. Also, both need to be joined to the domain after the stand-alone Certificate Authority is properly set up in the domain environment.
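Because steps 6 and 7 must be completed on both sides before a smart card logon can work, an added example (not from the HP paper, and not an HP or Gemalto tool) follows: a read-only PowerShell check that reports, for the machine it runs on, whether the Base CSP is registered, the Gemalto driver file is present, a smart card reader is enumerated without device errors, the Smart Card service is running, and the machine is domain-joined. It assumes PowerShell 2.0 or later is installed; the function name is the example's own, and the driver path is the usual drivers folder, which is an assumption rather than something the paper states.

```powershell
# Added example: pre-flight check of the client-side smart card prerequisites on one machine.
# Assumption: PowerShell 2.0+ on the WES thin client and on the remote desktop.
function Test-SmartCardPrereqs {
    $results = @()

    # 1. Base CSP registration. Installed CSPs are listed by name under this key; the
    #    Microsoft Base CSP registers as "Microsoft Base Smart Card Crypto Provider".
    $cspKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider'
    $results += New-Object PSObject -Property @{
        Check  = 'Microsoft Base CSP registered'
        Pass   = (Test-Path $cspKey)
        Detail = $cspKey
    }

    # 2. Gemalto CCID miniport driver on disk (GemCCID.sys, the file the paper names).
    #    Assumed location: the standard drivers folder; adjust if the package installs elsewhere.
    $driver = Join-Path $env:SystemRoot 'system32\drivers\GemCCID.sys'
    $results += New-Object PSObject -Property @{
        Check  = 'Gemalto GemCCID.sys present'
        Pass   = (Test-Path $driver)
        Detail = $driver
    }

    # 3. A smart card reader enumerated by Plug and Play (Device Manager shows it as
    #    "USB SmartCard Reader"). Only devices with no Device Manager error code pass.
    $readers = @(Get-WmiObject Win32_PnPEntity | Where-Object { $_.Name -match 'Smart ?Card' })
    $healthy = @($readers | Where-Object { $_.ConfigManagerErrorCode -eq 0 })
    $readerDetail = 'no reader found'
    if ($readers.Count -gt 0) {
        $readerDetail = ($readers | ForEach-Object { "$($_.Name) [error code $($_.ConfigManagerErrorCode)]" }) -join '; '
    }
    $results += New-Object PSObject -Property @{
        Check  = 'Smart card reader detected without device errors'
        Pass   = ($healthy.Count -gt 0)
        Detail = $readerDetail
    }

    # 4. Smart Card service (SCardSvr) running; the logon screen reaches the reader through it.
    $svc = Get-Service -Name 'SCardSvr' -ErrorAction SilentlyContinue
    $svcDetail = 'service not found'
    if ($svc) { $svcDetail = "Status=$($svc.Status)" }
    $results += New-Object PSObject -Property @{
        Check  = 'Smart Card service (SCardSvr) running'
        Pass   = ($svc -ne $null -and $svc.Status -eq 'Running')
        Detail = $svcDetail
    }

    # 5. Domain membership, required on both the thin client and the remote desktop.
    $cs = Get-WmiObject Win32_ComputerSystem
    $results += New-Object PSObject -Property @{
        Check  = 'Joined to the domain'
        Pass   = [bool]$cs.PartOfDomain
        Detail = "Name=$($cs.Name) Domain=$($cs.Domain)"
    }

    return $results
}

# Usage: run on the thin client (before the EWF commit, so a failed check can still be fixed)
# and again on each remote desktop.
$report = Test-SmartCardPrereqs
$report | Format-Table Check, Pass, Detail -AutoSize
if (@($report | Where-Object { -not $_.Pass }).Count -gt 0) {
    Write-Warning 'One or more prerequisites failed; fix them before testing a smart card logon.'
}
```

A reader that appears in the list with a non-zero error code is the case the paper describes in step 6c, where the device shows up in Device Manager but the GemCCID.sys driver has to be bound manually; a missing Base CSP key on only one of the two machines is the most common reason the PIN pass-through in the login flow works locally but fails on the remote desktop.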
Confirming the Installation

So now, what does a smart card login look like? The following basic login flow should confirm that your installation is working:

1. Plug the smart card reader into the thin client unit.
2. Turn on the thin client. The thin client boots up into the typical Ctrl-Alt-Delete Windows login screen. After several seconds, the smart card device is added to the login screen.
3. Insert the smart card into the reader. The login screen changes to the PIN authentication screen.
4. Type the appropriate PIN in the field and press OK or Enter. The thin client logs into the user's WES client desktop.

Known Issue 1: After entering the PIN and during login, the actual desktop might take some time to appear or may appear to be stalled in the login state. This is in part because the Symantec Endpoint Protection Agent service is enabled. Press Ctrl-Alt-Delete to allow the login process to finish.

Known Issue 2: In some cases, system security software and/or infrastructure may cause a delay during logon due to blocked ports. The range of potentially affected ports may not be consistent within each environment or domain. Depending on your client and network configuration, you may need to make exceptions and/or adjust firewall rules for those specific ports once they are identified. Additionally, you may disable the Symantec Firewall security software and services or bypass the protection as a temporary troubleshooting measure.

5. Click the View Client to log into the VMware View environment.
6. Select the remote desktop to log into from the View Manager login screen. The smart card PIN authentication passes through to the remote desktop, where logging in appears to be automatic.
7. When you are logged into the remote desktop, and if the interactive smart card Group Policies have been set, you can remove the smart card from the reader to force a disconnect from the remote desktop or session. The thin client desktop appears.

Furthermore, Group Policies can be used to model the exact connectivity flow between the local client and the remote desktop, including logging off the local thin client as well; this presents one seamless smart card interaction. After configuring a device that works properly for your environment, it can be used to create a template for configuring any or all other HP t5740 thin clients to behave identically. HP Client Automation (HPCA) or HP Device Manager (HPDM) software provides the ability to distribute that configuration. For further information, see the following links for HPDM and HPCA:
http://h10010.www1.hp.com/wwpc/us/en/sm/WF05a/18964-18964-3644431-3646207-3763975-3646216.html?jumpid=reg_R1002_USEN
https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-271-272_4000_100__

This concludes the installation and implementation guide for using HP thin clients with a smart card solution. The following Resources section provides specific links to information and administrative guides for all the solution parts described in this paper.
Resources

HP:
- HP t5740 Thin Client Overview and Features: http://h10010.www1.hp.com/wwpc/us/en/sm/WF25a/12454-12454-321959-338927-3640406-3996155.html
- HP t5745 Thin Client Overview and Features: http://h10010.www1.hp.com/wwpc/us/en/sm/WF05a/12454-12454-321959-338927-3640406-3996169.html

Gemalto:
- Gemalto .NET 2.0 Smart Card Certificate Enrollment using Microsoft Certificate Services: http://www.gemalto.com/dwnld/5042_070520_WP_Gemalto_.NET_Certificate_Enrollment_using_MSFT_Certificate_Services.pdf
  This is an extremely valuable guide published by Gemalto. This very concise and well-organized document presents the best overall coverage, not only pertaining to Gemalto products, but also for the following:
  o Using smart cards
  o Installing Microsoft Certificate Services
  o Issuing a user certificate onto a smart card
  o Testing and managing smart cards
- Gemalto support site: http://support.gemalto.com
  A central site for obtaining downloads, troubleshooting, and finding documentation.
  o Location to download the driver for CCID
- Gemalto .NET card Utilities page: https://www.netsolutions.gemalto.com/utilities.aspx
  Use this site for changing card PINs, verifying card details, and managing and resetting installed certificates.
- Gemalto .NET card product page: http://www.gemalto.com/products/dotnet_card/index.html
  o Includes tools for user-level card management
  o Whitepapers for implementing Certificate Services

VMware:
- Smart Cards and Certificate Authentication in VMware View: http://www.VMware.com/files/pdf/view_cert_authentication.pdf
- View Manager 4.0.1 Administration Guide: http://www.VMware.com/pdf/view401_admin_guide.pdf
© 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Microsoft and Windows are trademarks of Microsoft Corporation in the U.S. and other countries.
Intel is a trademark of Intel Corporation in the U.S. and other countries.

633002-001, August 2010