I need more details this issue.  I am  guessing you are using smart card redirection from Windows to Linux.  When you disconnect, are you signing out, or just disconnecting with the X?  You are then reconnecting with Remote Boost. This should take them to their lock screen.  

I would expect the lock screen to be able to unlock with the smart card, but don't know that for sure.  It could depend on how the system is configured.

It could depend on what is used to lock the screen and what PAM service is used to unlock.

Smart card redirection can be used with standard authentication and Easy Login, cannot be used with Single Sign On.  Did you review the smart card section in the user guide? Smart card starts at page 37 in the attached user guide.

The user will disconnect the X session.   when (s)he logs in the next time, (s)he gets both prompts. 

I have easy login and smartcard redirection turned on.   the initial session only authenticates via the desktop. [what we want]

the second session will prompt for user/passwd and then host authentication.   [we don't want the user/passwd prompt]

what does the PAM stack need to look like to avoid the ZCentral login and only use the system login?

Let me do a little testing on this.  From what I understand, if no one is signed in the sender, a receiver connects with Easy Login enabled, then the first step of authentication will be skipped, and you only need to present credentials at the desktop.  However, if a user disconnects, then I think you are prompted twice. 

" However, if a user disconnects, then I think you are prompted twice. "

is this a feature?  If so, it is not desired since we don't want users to authenticate without using the Multi-Factor Authentication of the Linux host.  We want RGS/ZCentral to ALWAYS pass to the Linux host for Authentication. 

@KellyRGS,  have you done your testing and what is the result?

-Eric