Using smart cards with Windows applications

Secure Global Desktop allows users to access a smart card reader attached to their client device from applications running on a Windows Server 2003 application server. Users can:

Note: Windows 2000 Server application servers do not support smart card device redirection.

Supported clients

The following clients support smart cards:

Enabling support for smart cards

To enable support for smart cards:

  1. Deploy smart cards on the Windows Server 2003 domain.
  2. Configure the smart card readers on client devices.
  3. On the Array properties panel in Array Manager, check that the Secure Global Desktop smart card service is enabled (it is by default).
  4. Ensure that the Windows applications that require smart cards use Microsoft RDP as the Windows Protocol (--winproto).
  5. On the Application Launch properties panel in Array Manager, check that the Allow smart card authentication box is checked (it is by default) and, if required, change the settings for the Always use smart card box.

Application server authentication dialog settings

The Application Launch properties panel in Array Manager has several attributes that control the behavior of the application server authentication dialog when using the Secure Global Desktop smart card service.

The Allow smart card authentication box controls whether users get the choice of logging in with a smart card or only with a username and password.

The Always use smart card box attributes allow you to control whether a user's decision to log in with a smart card is remembered (cached) for the next time they log in to that application server and whether they can change this setting. If the box is checked (by the user or by the system), the decision is cached in the application server password cache.

Note: Being able to choose an authentication method and/or to cache the smart card decision depends on users having access to the application server authentication dialog. If you disable users' ability to use SHIFT + click, this restricts users' access to this dialog.

Configuring smart card readers on client devices

Secure Global Desktop works with Personal Computer/Smart Card (PC/SC)-compliant cards and readers. See the PC/SC Workgroup for details.

Windows clients

On Windows client devices, once the reader (and any required drivers) have been installed on the client, the smart card should be available to Terminal Services sessions running through Secure Global Desktop.

Linux and Solaris clients

On Linux and Solaris clients, a PCSC-Lite library must be installed in order for Secure Global Desktop to communicate with smart card readers. PCSC-Lite provides an interface to the PC/SC framework on UNIX/Linux.

For Linux clients, PCSC-Lite is available from:

PCSC-Lite version 1.2.0 or later is required.

For Solaris clients, PCSC-Lite compatible libraries are available in:

The PC/SC Shim for SCF package (PCSCshim) allows you to use a PC/SC application with the Solaris Card Framework (SCF) and should work with Sun internal readers and Sun Ray readers. Version 1.1.1 or later is required. The PC/SC Shim is included with Solaris 10. For other Solaris versions, the Shim is available from the MUSCLE project (http://www.musclecard.com).

The Sun Ray PC/SC Bypass package (SUNWsrcbp) provides a PCSC-Lite interface for the Sun Ray reader. Make sure you have the latest patches for Sun Ray Server Software and the latest SUNWsrcbp package.

Secure Global Desktop clients require the PCSC-Lite libpcsclite.so library file. This is normally installed in /usr/lib but it depends on your dynamic linker path. If this file is installed outside of the dynamic linker path or you want to use a different library file, use the TTA_LIB_PCSCLITE environment variable to specify the location. This can be set either in the user's environment or in the login script.
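
As an added example (not part of the Secure Global Desktop documentation), the login-script fragment below sets TTA_LIB_PCSCLITE only to a libpcsclite.so that is a regular file and is not group- or world-writable, because this variable selects the library file the client uses for smart card access. The function names and the candidate directories are assumptions.

```shell
# Added example (not from the SGD documentation): choose a libpcsclite.so for
# TTA_LIB_PCSCLITE and refuse one that other users could modify.
# Function names and candidate directories are assumptions.

# Succeeds only if $1 is a regular file (symlinks followed) that is neither
# group- nor world-writable.
pcsclite_is_safe() {
    [ -f "$1" ] || return 1
    # find prints the path only when one of the writable bits is set.
    loose=$(find -L "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)
    [ -z "$loose" ]
}

# Prints the first safe libpcsclite.so found in the directories given as
# arguments; returns 1 if none qualifies.
pcsclite_find() {
    for dir in "$@"; do
        if pcsclite_is_safe "$dir/libpcsclite.so"; then
            printf '%s\n' "$dir/libpcsclite.so"
            return 0
        fi
    done
    return 1
}

# Exports TTA_LIB_PCSCLITE. A value already in the environment is kept only
# if it passes the check; otherwise the candidate directories are searched.
pcsclite_export() {
    if [ -n "${TTA_LIB_PCSCLITE:-}" ] && pcsclite_is_safe "$TTA_LIB_PCSCLITE"; then
        export TTA_LIB_PCSCLITE
        return 0
    fi
    if lib=$(pcsclite_find "$@"); then
        TTA_LIB_PCSCLITE=$lib
        export TTA_LIB_PCSCLITE
        return 0
    fi
    # Nothing acceptable: drop the variable so an unsafe path is not passed on.
    unset TTA_LIB_PCSCLITE
    echo "no suitable libpcsclite.so found" >&2
    return 1
}

# Typical call from a login script (directories are assumptions):
# pcsclite_export /usr/lib /usr/local/lib
```

The check covers the permission bits of the library file itself, not the ownership or permissions of its parent directories.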

Logging in to Windows Server 2003 with a smart card

  1. Log in to Secure Global Desktop.
  2. On the webtop, click the link to start the Windows application/desktop.
  3. When the application server authentication dialog displays, click Use smart card.
  4. To always use a smart card to log in, click the Always use smart card box.
  5. When the Windows security dialog displays, insert your smart card.
  6. When prompted, enter your PIN.