3DVDI
Message 1 of 10

T620 - AD / Smart Card Login

HP T620 - ThinPro 6.2.0 build 22 - T7X62022

 

I have established Active Directory logon capability. I am now trying to set up smart card login. My intent is to log in to the T620 with smart card credentials (authenticated against an Active Directory user account), and pass those credentials to VMware Horizon for single sign-on.

The VMware single sign-on works perfectly when I use username/password. What I can't figure out is how to set up the smart card authentication. Is there some middleware (ActivClient, CoolKey, etc.) that I am missing? What enables smart card login capability to the T620?

 

Thanks

9 REPLIES
3DVDI
Author
Message 2 of 10

I found the following link, which talks about editing a logon style sheet which exposes the smart card button.  I'll try it tomorrow and post results.

 

ftp://ftp.hp.com/pub/tcdebian/documentation/whitepapers/WP_ThinPro_Login-Screen-Customization_903900...

3DVDI
Author
Message 3 of 10

Update:  I've managed to lock myself out of my T620 😕

 

ftp://ftp.hp.com/pub/tcdebian/documentation/whitepapers/WP_ThinPro_Login-Screen-Customization_903900...

 

The link, above, talks about editing a style sheet to "set" smartcard-enable to "true". When you do this, the logon window displays a checkbox with the caption "Smart card login". Not only does smartcard login not work, but it has also removed the capability to log in as root. I can still log in as a domain user, but my domain admins are no longer admins on the T620.

I'm starting to think that smart card login on these T620s is a pipe dream... but I'll press on with the testing.

3DVDI
Author
Message 4 of 10

Update:

 

I attempted to join the T620 to the Active Directory domain in hopes that being a member of the domain would magically unlock smart card logon mechanisms. After several hours of troubleshooting, I finally got the darn thing joined to the domain. Unfortunately, this had no effect on smart card logon.

 

I should have mentioned before, but all root and intermediate certificates are loaded on the T620.

 

If HP does in fact support smart card logon, they have gone out of their way to make that information impossible to find.  There is no way a basic configuration should be this difficult.

3DVDI
Author
Message 5 of 10

Update:

 

The ThinPro 6.2 admin guide ( http://h10032.www1.hp.com/ctg/Manual/c05671485 ) shows a registry item for smartcard:  root/domain/allowSmartcard

 

Unfortunately, there is a caption next to this setting which says: "This key is currently unused."  So, does this mean that smartcard logon is not supported (even though Coolkey is pre-installed from HP)?

3DVDI
Author
Message 6 of 10

Update:

 

I found the T620 product spec sheet ( http://www8.hp.com/h20195/v2/getpdf.aspx/c04312126.pdf?ver=1 ).  The PDF clearly states that smart cards are supported.  I have tried both the HP USB CCID Smartcard Keyboard, and the SCM SCR331 USB Smart Card Reader.

3DVDI
Author
Message 7 of 10

Update: 

 

I created a support ticket with HP.

3DVDI
Author
Message 8 of 10

Update: HP support told me that "they don't think smart card login is supported".  I find this hard to believe considering that the interface has constructs in place to enable it.

 

 

With regard to Horizon View, I've performed some additional testing.

 

I configured a Web Browser connection and browsed to a smart card enabled website. Through the web browser connection, the smart card works perfectly!  When I launch a VMware View connection, there is a system log generated which states:

 

"
C_Initialize failed: 0x2 (/usr/lib/vmware/view/pkcs11/libopencryptoki.so)
Could not open module /usr/lib/vmware/view/pkcs11/libPKCS11_API.so.so: /usr/lib/vmware/view/pkcs11/libPKCS11_API.so.so: cannot open shared object file: no such file or directory
C_GetTokenInfo(1) failed: 0xe0 (Gemalto .NET PKCS11)
Failed to create session for slot 1 (Gemalto .NET PKCS11)
"

One thing to note is that:
1) "libPKCS11_API.so.so" does not exist in /usr/lib/vmware/view/pkcs11/. However, "PKCS11_API.so" does exist.
2) I symlinked libPKCS11_API.so to /usr/lib/pkcs11/PKCS11_API.so, but this resulted in the same problem as documented above.

 

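Added example, not part of the original post and not HP or VMware code: a small triage script that reads the four log lines quoted in message 8, decodes the PKCS#11 return codes into their CK_RV names from the PKCS#11 specification, and separates the failures by module. The function names and the load/init/token/session staging are assumptions of this example.

```python
import re

# CK_RV values from the PKCS#11 (Cryptoki) specification; a subset relevant to module bring-up.
CK_RV = {0x02: "CKR_HOST_MEMORY", 0x05: "CKR_GENERAL_ERROR", 0x06: "CKR_FUNCTION_FAILED",
         0x30: "CKR_DEVICE_ERROR", 0xE0: "CKR_TOKEN_NOT_PRESENT",
         0xE1: "CKR_TOKEN_NOT_RECOGNIZED", 0x190: "CKR_CRYPTOKI_NOT_INITIALIZED"}

# The four log lines quoted in message 8, copied verbatim.
LOG = """\
C_Initialize failed: 0x2 (/usr/lib/vmware/view/pkcs11/libopencryptoki.so)
Could not open module /usr/lib/vmware/view/pkcs11/libPKCS11_API.so.so: /usr/lib/vmware/view/pkcs11/libPKCS11_API.so.so: cannot open shared object file: no such file or directory
C_GetTokenInfo(1) failed: 0xe0 (Gemalto .NET PKCS11)
Failed to create session for slot 1 (Gemalto .NET PKCS11)
"""

CALL = re.compile(r"^(C_\w+)(?:\((\d+)\))? failed: (0x[0-9a-fA-F]+) \((.+)\)$")
LOAD = re.compile(r"^Could not open module (\S+): ")
SESSION = re.compile(r"^Failed to create session for slot (\d+) \((.+)\)$")
STAGES = ["load", "init", "token", "session"]  # assumed order of module bring-up

def triage(log):
    """Return one (module, stage, slot, detail) tuple per recognised log line."""
    out = []
    for line in map(str.strip, log.splitlines()):
        if m := CALL.match(line):
            func, slot, rv, module = m.groups()
            code = int(rv, 16)
            stage = "init" if func == "C_Initialize" else "token"
            detail = f"{func} returned {CK_RV.get(code, 'unlisted CK_RV')} ({code:#x})"
            out.append((module.rsplit("/", 1)[-1], stage, slot and int(slot), detail))
        elif m := LOAD.match(line):
            name = m.group(1).rsplit("/", 1)[-1]
            why = "doubled .so suffix in requested name" if name.endswith(".so.so") else "not found"
            out.append((name, "load", None, why))
        elif m := SESSION.match(line):
            out.append((m.group(2), "session", int(m.group(1)), "no session opened"))
    return out

def furthest_module(findings):
    """Module whose first failure comes latest in bring-up, i.e. the one that got to a slot."""
    first_fail = {}
    for module, stage, _, _ in findings:
        first_fail[module] = min(first_fail.get(module, len(STAGES)), STAGES.index(stage))
    return max(first_fail, key=first_fail.get)

if __name__ == "__main__":
    for finding in triage(LOG):
        print(finding)
    print("got furthest:", furthest_module(triage(LOG)))
```

Decoded this way, the log covers three different modules: 0xe0 is CKR_TOKEN_NOT_PRESENT from the Gemalto module on slot 1, while the 0x2 (CKR_HOST_MEMORY) and the `.so.so` load failure belong to libopencryptoki.so and libPKCS11_API respectively.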
3DVDI
Author
Message 9 of 10

Update:

 

I neglected to set up the View Connection Server with a keystore file for trusted root certificates. So, I went ahead and enabled smart card authentication (as optional) in the View Connection server. From a Windows machine, with the VMware Horizon 7 client installed, I can successfully smart card (PIV certs) into a desktop. Additionally, I can smartcard authenticate to the web portals (user and admin).

 

When I try to do the same from the ThinPro (HP T620), I now get an error: "Error: a network error has occurred".

 

I'm going to reload the T620 with a fresh image (T7X62022).  Whoever did quality control on the ThinPro OS should be fired, immediately.

3DVDI
Author
Message 10 of 10

Update:

 

I've reloaded the T620 with a fresh image (T7X62022), set up authentication to Active Directory, and re-imported the root and intermediate CAs. At this point, Horizon prompts for the smartcard, but returns "an SSL error has occurred".

Let the troubleshooting continue.
