09-19-2017 03:09 PM - edited 09-19-2017 03:10 PM
HP T620 - ThinPro 6.2.0 build 22 - T7X62022
I have established Active Directory logon capability. I am now trying to set up smart card login. My intent is to log in to the T620 with smart card credentials (authenticated against an Active Directory user account), and pass those credentials to VMware Horizon for single sign-on.
The VMware single sign-on works perfectly when I use username/password. What I can't figure out is how to set up the smart card authentication. Is there some middleware (ActivClient, CoolKey, etc.) that I am missing? What enables smart card login capability to the T620?
09-19-2017 08:47 PM
I found the following link, which talks about editing a logon style sheet which exposes the smart card button. I'll try it tomorrow and post results.
09-20-2017 06:39 AM
Update: I've managed to lock myself out of my T620 😕
The link, above, talks about editing a style sheet to "set" smartcard-enable to "true". When you do this, the logon window displays a checkbox with the caption "Smart card login". Not only does smartcard login not work, but it has also removed the capability to log in as root. I can still log in as a domain user, but my domain admins are no longer admins on the T620.
I'm starting to think that smart card login on these T620s is a pipe dream... but I'll press on with the testing.
09-20-2017 07:57 AM
I attempted to join the T620 to the Active Directory domain in hopes that being a member of the domain would magically unlock smart card logon mechanisms. After several hours of troubleshooting, I finally got the darn thing joined to the domain. Unfortunately, this had no effect on smart card logon.
I should have mentioned before, but all root and intermediate certificates are loaded on the T620.
If HP does in fact support smart card logon, they have gone out of their way to make that information impossible to find. There is no way a basic configuration should be this difficult.
09-20-2017 08:07 AM
The ThinPro 6.2 admin guide ( http://h10032.www1.hp.com/ctg/Manual/c05671485 ) shows a registry item for smartcard: root/domain/allowSmartcard
Unfortunately, there is a caption next to this setting which says: "This key is currently unused." So, does this mean that smartcard logon is not supported (even though Coolkey is pre-installed from HP)?
09-20-2017 08:34 AM
I found the T620 product spec sheet ( http://www8.hp.com/h20195/v2/getpdf.aspx/c04312126.pdf?ver=1 ). The PDF clearly states that smart cards are supported. I have tried both the HP USB CCID Smartcard Keyboard, and the SCM SCR331 USB Smart Card Reader.
09-21-2017 08:06 AM
Update: HP support told me that "they don't think smart card login is supported". I find this hard to believe considering that the interface has constructs in place to enable it.
With regard to Horizon View, I've performed some additional testing.
I configured a Web Browser connection and browsed to a smart card enabled website. Through the web browser connection, the smart card works perfectly! When I launch a VMware View connection, there is a system log generated which states:
C_Initialize failed: 0x2 (/usr/lib/vmware/view/pkcs11/libopencryptoki.so)
Could not open module /usr/lib/vmware/view/pkcs11/libPKCS11_API.so.so: /usr/lib/vmware/view/pkcs11/libPKCS11_API.so.so: cannot open shared object file: no such file or directory
C_GetTokenInfo(1) failed: 0xe0 (Gemalto .NET PKCS11)
Failed to create session for slot 1 (Gemalto .NET PKCS11)
One thing to note is that:
1) "libPKCS11_API.so.so" does not exist in /usr/lib/vmware/view/pkcs11/. However, "PKCS11_API.so" does exist.
2) I symlinked libPKCS11_API.so to /usr/lib/pkcs11/PKCS11_API.so, but this resulted in the same problem as documented above.
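Added example (not part of the original posts, and not HP or VMware code): a small triage script over the four log lines quoted above that decodes the hexadecimal return values with the standard PKCS#11 CK_RV codes and flags the doubled ".so.so" module name. The function and variable names are illustrative, and reading the doubled suffix as a loader appending ".so" to a configured module name is an assumption.

```python
import re

# Standard PKCS#11 return codes (CK_RV) from the Cryptoki specification.
CKR = {
    0x02: "CKR_HOST_MEMORY",
    0x03: "CKR_SLOT_ID_INVALID",
    0x05: "CKR_GENERAL_ERROR",
    0x06: "CKR_FUNCTION_FAILED",
    0x30: "CKR_DEVICE_ERROR",
    0xE0: "CKR_TOKEN_NOT_PRESENT",
    0xE1: "CKR_TOKEN_NOT_RECOGNIZED",
    0x190: "CKR_CRYPTOKI_NOT_INITIALIZED",
}

# Log lines copied from the post above.
SAMPLE_LOG = """\
C_Initialize failed: 0x2 (/usr/lib/vmware/view/pkcs11/libopencryptoki.so)
Could not open module /usr/lib/vmware/view/pkcs11/libPKCS11_API.so.so: /usr/lib/vmware/view/pkcs11/libPKCS11_API.so.so: cannot open shared object file: no such file or directory
C_GetTokenInfo(1) failed: 0xe0 (Gemalto .NET PKCS11)
Failed to create session for slot 1 (Gemalto .NET PKCS11)
"""

CALL_RE = re.compile(r"^(C_\w+)(?:\((\d+)\))? failed: (0x[0-9a-fA-F]+) \((.+)\)$")
OPEN_RE = re.compile(r"^Could not open module (\S+?): ")

def triage(log_text):
    """Return one finding dict per recognised PKCS#11 log line."""
    findings = []
    for line in log_text.splitlines():
        m = CALL_RE.match(line)
        if m:
            func, slot, rv, module = m.groups()
            findings.append({"kind": "call_failed", "function": func,
                             "slot": int(slot) if slot else None,
                             "rv": CKR.get(int(rv, 16), "unknown CK_RV " + rv),
                             "module": module})
            continue
        m = OPEN_RE.match(line)
        if m:
            path = m.group(1)
            # Assumption: a repeated suffix suggests ".so" was appended to a
            # configured module name that already ended in ".so".
            findings.append({"kind": "module_not_loaded", "path": path,
                             "doubled_suffix": path.endswith(".so.so")})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the quoted lines this reports CKR_HOST_MEMORY for C_Initialize in libopencryptoki.so and CKR_TOKEN_NOT_PRESENT for C_GetTokenInfo on slot 1 of the Gemalto .NET module.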
09-21-2017 09:47 AM
I neglected to set up the View Connection Server with a keystore file for trusted root certificates. So, I went ahead and enabled smart card authentication (as optional) in the View Connection server. From a Windows machine, with the VMware Horizon 7 client installed, I can successfully smart card (PIV certs) into a desktop. Additionally, I can smartcard authenticate to the web portals (user and admin).
When I try to do the same from the ThinPro (HP T620), I now get an error: "Error: a network error has occurred".
I'm going to reload the T620 with a fresh image (T7X62022). Whoever did quality control on the ThinPro OS should be fired, immediately.
09-21-2017 11:34 AM
I've reloaded the T620 with a fresh image (T7X62022), set up authentication to Active Directory, and re-imported the root and intermediate CAs. At this point, Horizon prompts for the smartcard, but returns "an SSL error has occurred".
Let the troubleshooting continue.