
HP implementing Smart Card Authentication with HP Thin Clients

Part 1: VMware View Environment


Table of Contents:
- Introduction (p. 2)
  - Benefits of an HP Thin Client/Smart Card Solution (p. 2)
- Reference Infrastructure (p. 3)
  - Walk Before You Run (p. 3)
- Solution Components and Software (p. 4)
  - Client-Side Components (p. 4)
  - Required Software (p. 5)
  - Recommended Software (p. 5)
- Setup and Installation (p. 6)
  - Setting the Stage: Building the Infrastructure (p. 6)
  - What to Install on the Thin Client and Remote Desktop (p. 8)
  - Confirming the Installation (p. 12)
- Resources (p. 15)
  - HP (p. 15)
  - Gemalto (p. 15)
  - VMware (p. 15)

Introduction
This is part 1 of a set of whitepapers devoted to explaining how to implement a smart card solution with HP thin clients. The focus for this paper is authentication in a VMware View 4.0 virtual desktop environment using HP t5740 Thin Clients running the Microsoft Windows Embedded Standard (WES) operating system. Future white papers will cover the following:
- Implementing in a Citrix XenDesktop 4 virtualization environment
- Implementing a smart card solution using HP t5745 Thin Clients running the HP ThinPro operating system

NOTE
The HP t5740 Thin Client is part of the HP Flexible line of thin clients; it features an Intel Atom N280 1.66GHz processor, 2GB DDR3 SDRAM, and the WES 2009 operating system.

Benefits of an HP Thin Client/Smart Card Solution


In addition to providing a greater level of data security, HP thin clients, when used with smart cards, can offer organizations higher productivity, efficiency, and ease of use, and can assist with meeting regulatory compliance. Using smart cards to authenticate users connecting to a remote desktop environment via HP thin clients is achievable and cost-effective, though implementation may sometimes be intricate, depending on your environment. The benefits, however, are inarguable:
- Strong authentication: Providing greater security, two or more factors are required for authentication. In a smart card system, the two factors are a smart card inserted into a card reader and a Personal Identification Number (PIN) typed on an input device.
- Session mobility: Offering greater efficiency, session mobility allows users to move from station to station (from one thin client to another) and log back into the same user desktop environment and session.
- Single sign-on: Providing higher productivity and ease of use, only a single sign-on and authentication are required to gain access across the domain. Separate authentication for each domain entity is not required.

The goal of this paper is to incorporate all of these benefits into the HP thin client/smart card solution described later in this paper. Further, this paper lists the specific components required for an HP thin client/smart card solution. This paper does not discuss installation of the following infrastructure/services, but they are required for the thin client/smart card solution to work:
- Microsoft Active Directory Domain Controller (AD DC) environment
- Possible use of Group Policy Objects (GPO) to enable propagation of computer or user policies
- Microsoft Public Key Infrastructure (PKI):
  - Designation and installation of a Certificate Authority
  - Issuance of digital certificates
  - Process for certificate revocation
- VMware or Citrix virtual desktop environment

Reference Infrastructure
Walk Before You Run
Building a reference infrastructure is the same as building a pilot, sandbox, or pre-deployment environment. Although the client-side part of a thin client/smart card solution is fairly simple, the backend infrastructure is not necessarily so. A full-scale PKI solution integrated into a domain can be quite complex and could impact the organization considerably. Furthermore, the experience, time, and knowledge required to install, maintain, and troubleshoot this type of environment need to be thoroughly planned and understood. Along these lines, we strongly recommend testing and evaluating a reference infrastructure before deploying a full-scale PKI solution, assuming either that an infrastructure does not currently exist or that the objective is to first evaluate a smart card solution. The reference infrastructure should be a self-contained, experimental environment that includes a rudimentary, but fully operational, enterprise environment. We also recommend consulting the Gemalto documentation, Gemalto .NET 2.0 Smart Card - Certificate Enrollment using Microsoft Certificate Services, to help understand installing Microsoft Certificate Services within this solution. The following figure illustrates a simple model of the proposed reference infrastructure:

Solution Components and Software


Three physical client-side components and two software applications are required for this smart card solution.

NOTE
Authentication and connection to a VMware View environment is possible with the View client version 3.0 installed on the HP t5740 Thin Client running the WES operating system. To obtain the benefit of single sign-on, however, we recommend downloading and installing the View 4.0 client from the VMware View Web site. For the purposes of this paper, we are using the 4.0 version. The smart card reader prescribed here is a USB, contact-type reader manufactured by Gemalto. This card reader is connected to one of the USB ports on the HP t5740 Thin Client; authentication is initiated when the smart card is inserted into the card reader.

Client-Side Components:
- Smart card reader: Gemalto PC USBTR Card Reader
  - P/N: HWP1 17685
  - Info: http://www.gemalto.com
- Smart card: Gemalto .NET v2+ Smart Card
  - P/N: HWP1 15647C (white card)
  - P/N: HWP1 15303B (orange card)
  - Info: http://www.gemalto.com/products/dotnet_card/index.html
- Thin client: HP t5740 thin client
  - http://h10010.www1.hp.com/wwpc/us/en/sm/WF25a/1245412454-321959-338927-3640406-3996155.html

Required Software:
- Gemalto Card Reader Driver: download from http://support.gemalto.com/?id=46
  Version: 4.0.8 (as of the writing of the paper). Although not specifically stated, this driver will work with the HP t5740 Thin Client running the WES operating system.
- Microsoft Base Smart Card Cryptographic Service Provider (Base CSP): download from http://www.microsoft.com/downloads/details.aspx?FamilyID=e8095fd5c7e5-4bee-9577-2ea6b45b41c6&displaylang=en

Recommended Software
- VMware: download the trial version of View 4 at their Web site: https://www.VMware.com/tryVMware/?p=view4&lp=1

Setup and Installation


Setting the Stage: Building the Infrastructure
Several stages and support documents are required to construct the reference infrastructure proposed in Reference Infrastructure. The following steps are a general guide to get the backend up and running. The next section, What to Install on the Thin Client and Remote Desktop, covers what to install on the thin client itself to support the smart card reader and the ability to authenticate properly, as well as what should be done on the remote desktop. The most important factor in ensuring success, however, is the precision of the backend server settings. Enough authoritative documentation exists on how to build each of these services, so we do not intend to rewrite or supersede those primary references.

1. Build the VMware environment complete with the necessary virtual machines (VMs).
2. Set up a stand-alone Certificate Authority on the domain controller VM. Use the Gemalto document Gemalto .NET 2.0 Smart Card - Certificate Enrollment using Microsoft Certificate Services as a guide.
3. Issue a Smart Card User/Logon Certificate for one of the domain users. The certificate will be installed onto the user's smart card. Use the same Gemalto document as a guide.
4. Set up the View Server for smart card authentication according to the View Manager 4.0.1 Administration Guide.
5. Change the default display protocol from PCoIP to Microsoft RDP on the Desktop/Pool Settings page under Display Protocol.

NOTE
At the time of this paper, PCoIP does not support smart card authentication.

6. Consider setting the following Group Policy to disconnect users upon removal of the smart card. This optional Group Policy setting can model the connection interaction between the remote desktop and the local client:

GPO path: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon: Smart card removal behavior

Policy: select one of the following security settings:
- Lock Workstation
- Force Logoff
- Disconnect if a Remote Terminal Services Session

The following explanation is taken from the policy itself: If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed. If you click Disconnect if a remote Terminal Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped terminal, without having to log on again. Default: No action specified.

What to Install on the Thin Client and Remote Desktop


This section describes the procedure for performing the following steps:
- Installing the required software onto the thin client
- Connecting the smart card reader to the thin client
- Installing the required software onto the remote desktop
- Joining them to the domain

1. Connect a keyboard, a mouse, and the power supply to the thin client.
2. Connect the thin client to the reference network.
3. After power-on, the thin client boots up into a generic user login.
4. After logging into the local user, log out and log back in as the local administrator. It is possible to log in as the local administrator from a reboot or power-on by pressing and holding the Shift key just as the system initiates operating system services.

5. Log in as the local Administrator as follows:
   a. Log out while holding the Shift key. Continue holding the Shift key until the following logon screen appears.
   b. Log in as the local administrator with the password Administrator (the password is case sensitive).

6. While logged on as the local administrator, perform the following steps, but do not reboot:
   a. Install the Microsoft Base CSP.
   b. Install the Gemalto smart card driver software.
   c. Plug in the card reader. Once the device is connected, open Device Manager and verify that the USB SmartCard Reader device is installed properly. If it is not installed properly, as shown below, you might have to find it by browsing to its related miniport driver, GemCCID.sys, and then install it manually.

When properly installed, the smart card reader device appears as follows:

   d. Change the Computer Name.
   e. Join the computer to the domain.

   f. Before rebooting, commit the changes with the Enhanced Write Filter utility: right-click the green lock icon in the system tray and select Commit EWF(C), as shown below.

NOTE
No changes are made to the thin client operating system until they are committed to the write filter. Local users are restricted from making changes to the operating system, as they have no permissions with the write filter utility.

7. On the remote desktop(s), perform the following:
   a. Install the Microsoft Base CSP.
   b. Install the card reader driver.
   c. Change the Computer Name.
   d. Join it to the domain.

As involved as these steps may seem, they are all that is required to set up a card reader device on the thin client. The main point to remember is that both the Microsoft Base CSP and the card reader driver need to be installed on the thin client and on any remote desktops that will be connected. Also, both need to be joined to the domain after the stand-alone Certificate Authority is properly set up in the domain environment.


Confirming the Installation


So now, what does a smart card login look like? The following basic login flow should confirm that your installation is working:
1. Plug the smart card reader into the thin client unit.
2. Turn on the thin client. The thin client boots up into the typical Ctrl-Alt-Delete Windows login screen.

After several seconds, the smart card device is added to the login screen.

3. Insert the smart card into the reader. The login screen changes to the PIN authentication screen.


4. Type the appropriate PIN in the field and press OK or Enter. The thin client logs into the user's WES client desktop.

Known Issue 1
After entering the PIN and during log-in, the actual desktop might take some time to appear or may appear to be stalled in the log-in state. This is in part because the Symantec Endpoint Protection Agent service is enabled. Type Ctrl-Alt-Delete to allow the log-in process to finish.

Known Issue 2
In some cases, system security software and/or infrastructure may cause a delay during logon due to blocked ports. The range of potentially affected ports may not be consistent within each environment or domain. Depending on your client and network configuration, you may need to make exceptions and/or adjust firewall rules according to those specific ports, once they are identified. Additionally, you may disable the Symantec Firewall security software and services or bypass the protection as a temporary troubleshooting measure.

5. Click the View Client to log into the VMware View environment.


6. Select the remote desktop to log into from the View Manager log-in screen.

The smart card PIN authentication passes through to the remote desktop, where logging in appears to be automatic.

7. When you are logged into the remote desktop, and if the interactive smart card Group Policies have been set, you can remove the smart card from the reader to force a disconnect from the remote desktop or session. The thin client desktop appears. Furthermore, Group Policies can be used to model the exact connectivity flow between the local client and the remote desktop, including logging off the local thin client as well; this presents one seamless smart card interaction.

After configuring a device that works properly for your environment, it can be used as a template for configuring any or all other HP t5740 thin clients to behave identically. HP Client Automation (HPCA) or HP Device Manager (HPDM) software provides the ability to distribute that configuration. For further information, go to the following links:
- HPDM: http://h10010.www1.hp.com/wwpc/us/en/sm/WF05a/18964-189643644431-3646207-3763975-3646216.html?jumpid=reg_R1002_USEN
- HPCA: https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-271-272_4000_100__

This concludes the installation and implementation guide for using HP thin clients with a smart card solution. The following Resources section provides specific links to information and administrative guides for all the solution parts described in this paper.
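The two client-side items this guide leaves to manual inspection, the "Smart card removal behavior" policy from step 6 of Setting the Stage and the reader/driver/CSP installation confirmed in this section, can be audited from the thin client or remote desktop with the following script. It is an added example, not part of the HP paper; it assumes PowerShell 2.0 on the WES client, that the Base CSP registers under the provider name Microsoft Base Smart Card Crypto Provider, that GemCCID.sys is installed under System32\drivers, and that the Winlogon value ScRemoveOption is the registry store behind the policy.

```powershell
# Added example, not from the HP paper: a read-only audit of a WES thin client
# (or remote desktop) for the pieces this guide installs and configures.
# Assumptions: PowerShell 2.0 on the client, the Base CSP provider name below,
# GemCCID.sys under System32\drivers, and Winlogon's ScRemoveOption value as the
# store behind "Interactive logon: Smart card removal behavior".

$results = @()

function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Ok = $Ok; Detail = $Detail }
}

# 1. The Smart Card service (SCardSvr) must run for the reader to show on the logon screen.
$svc = Get-Service -Name 'SCardSvr' -ErrorAction SilentlyContinue
$svcState = if ($svc) { [string]$svc.Status } else { 'not found' }
Add-Check 'Smart Card service running' ($svcState -eq 'Running') "SCardSvr: $svcState"

# 2. The Microsoft Base CSP registers itself as a cryptographic provider.
$cspKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider'
Add-Check 'Microsoft Base CSP installed' (Test-Path $cspKey) $cspKey

# 3. Gemalto CCID miniport driver file named in the paper (location assumed).
$drv = Join-Path $env:SystemRoot 'System32\drivers\GemCCID.sys'
Add-Check 'Gemalto driver file present' (Test-Path $drv) $drv

# 4. A smart card reader should be listed in Device Manager (WMI exposes the same Name).
$readers = @(Get-WmiObject Win32_PnPEntity | Where-Object { $_.Name -match 'Smart ?Card' })
Add-Check 'Smart card reader detected' ($readers.Count -gt 0) (($readers | ForEach-Object { $_.Name }) -join '; ')

# 5. Card removal behavior (step 6 of "Setting the Stage"): 0 = no action,
#    1 = Lock Workstation, 2 = Force Logoff, 3 = Disconnect if a remote TS session.
$names = @{ '0' = 'No action'; '1' = 'Lock Workstation'; '2' = 'Force Logoff'; '3' = 'Disconnect if a remote Terminal Services session' }
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
$opt = if ($wl -and $wl.ScRemoveOption) { [string]$wl.ScRemoveOption } else { '0' }
$label = if ($names.ContainsKey($opt)) { $names[$opt] } else { 'unknown value' }
Add-Check 'Smart card removal policy set' ($opt -ne '0') "ScRemoveOption=$opt ($label)"

# 6. Both the thin client and the remote desktop must be joined to the domain.
$cs = Get-WmiObject Win32_ComputerSystem
Add-Check 'Domain joined' ([bool]$cs.PartOfDomain) ("Name=" + $cs.Name + " Domain=" + $cs.Domain)

$results | Format-Table Check, Ok, Detail -AutoSize
# With a card inserted, "certutil -scinfo" additionally lists the reader and the card's certificate.
```

Run it before committing the write filter on the thin client and again on each remote desktop; a row with Ok = False points at the install step that still needs attention.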


Resources
HP
- HP t5740 Thin Client: Overview and Features
  http://h10010.www1.hp.com/wwpc/us/en/sm/WF25a/12454-12454321959-338927-3640406-3996155.html
- HP t5745 Thin Client: Overview and Features
  http://h10010.www1.hp.com/wwpc/us/en/sm/WF05a/12454-12454321959-338927-3640406-3996169.html

Gemalto:
- Gemalto .NET 2.0 Smart Card - Certificate Enrollment using Microsoft Certificate Services
  http://www.gemalto.com/dwnld/5042_070520_WP_Gemalto_.NET_Certificate_Enrollment_using_MSFT_Certificate_Services.pdf
  This is an extremely valuable guide published by Gemalto. This very concise and well-organized document presents the best overall coverage, not only pertaining to Gemalto products, but also for the following:
  - Using smart cards
  - Installing Microsoft Certificate Services
  - Issuing a user certificate onto a smart card
  - Testing and managing smart cards

- A central site for obtaining downloads, troubleshooting, and finding documentation:
  - http://support.gemalto.com
- Gemalto .NET card Utilities page: use this site for changing card PINs, verifying card details, and managing and resetting installed certificates.
  - https://www.netsolutions.gemalto.com/utilities.aspx
  - Location to download the CCID driver
  - Includes tools for user-level card management
  - Whitepapers for implementing Certificate Services
- Gemalto .NET card product page:
  - http://www.gemalto.com/products/dotnet_card/index.html

VMware:
- Smart Cards and Certificate Authentication in VMware View
  http://www.VMware.com/files/pdf/view_cert_authentication.pdf
- View Manager 4.0.1 Administration Guide
  http://www.VMware.com/pdf/view401_admin_guide.pdf


© 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Microsoft and Windows are trademarks of Microsoft Corporation in the U.S. and other countries. Intel is a trademark of Intel Corporation in the U.S. and other countries. 633002-001, August 2010
