Sun Ray Smart Card User Authentication

Hello All,
I recently installed SRSS 4.1. I created 6 users for testing, 3 of which use SRWC to connect to Windows VMs. My problem is with the smart cards. They are required for the user to access the Sun Ray and that part works; however, it doesn't seem the cards are bound to any particular user. For instance, any of the 6 cards can be inserted and logged into any of the accounts (correct username and pw of course). I thought that each card was linked to one user account, which provided increased security. The way it is working now is kind of useless.
Any Suggestions?

Hi,
It depends very much on which type of card you are using and what authentication mechanism you set up.
The SIMPLE card that Sun ships as the Sun Ray card does, AFAIK, not have any options for personalisation on the card.
What you can do with it is to use AMGH (Advanced Multi Group Homeing is a Sun Ray server feature) and tie the card ID to a user name, so that when the card is inserted in the Sun Ray, your user ID will be pre-entered in the UNIX login dialog. But this does not prohibit the card from being used to log in as a different user ID.
If you use the Sun VDI 2.0 (virtual desktop infrastructure) software, you need to populate the Sun Ray Server DataStore with the names that will be used as machine names of the virtual PCs in VMware. It is almost necessary that the user name is equal to the VMware virtual machine name.
So in VDI the username in SRS-DS associated with a card becomes the virtual machine name.
(This is not the same as the user name in AMGH, but keeping the two the same probably limits the confusion.)
If you get hold of a more advanced Public KEY Interchange card, it is possible to set up PKI login to a Windows session. This involves some software in the Windows XP client to read the smart card in the Sun Ray and to authenticate the card with PKI to a known certificate that you have stored for the card in a directory (Active Directory or some other one).
The Sun Ray server can be loaded with the PC/SC-bypass software that allows a Windows server/client using the Sun Windows Connector RDP software to read and write directly to the smart card inserted in the Sun Ray.
The virtual PC or terminal server will work with the smart card reader as if it was local on the Windows machine.
The "Active CARD" company has such a solution amongst others.
Regards
//Lars
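
The reply above notes that tying a card ID to a user name only pre-fills the login dialog and does not stop the card being used with another account. The following is an added example, not Sun Ray code: it shows an enforcement check and an after-the-fact audit over login records. The token IDs, user names and the (token, user) record format are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: card token ID -> account the card was issued to.
REGISTERED = {"card.0001": "alice", "card.0002": "bob", "card.0003": "carol"}

# Constructed login records: (token inserted in the terminal, UNIX user that logged in).
LOGINS = [
    ("card.0001", "alice"),
    ("card.0002", "alice"),   # bob's card used with alice's account
    ("card.0009", "dave"),    # card that was never registered
    ("card.0003", "carol"),
    ("card.0002", "bob"),
]


def allow_login(registered, token, user):
    """Enforcement: accept the login only if the card is registered to this user."""
    return registered.get(token) == user


def audit(registered, logins):
    """Return findings as (kind, token, detail) tuples.

    owner-mismatch     card registered to someone other than the login user
    unregistered-token card has no registered owner at all
    shared-token       the same card appeared with more than one account
    """
    findings = []
    users_per_token = defaultdict(set)
    for token, user in logins:
        users_per_token[token].add(user)
        owner = registered.get(token)
        if owner is None:
            findings.append(("unregistered-token", token, user))
        elif owner != user:
            findings.append(("owner-mismatch", token, user))
    for token in sorted(users_per_token):
        users = users_per_token[token]
        if len(users) > 1:
            findings.append(("shared-token", token, ",".join(sorted(users))))
    return findings


if __name__ == "__main__":
    for finding in audit(REGISTERED, LOGINS):
        print(*finding)
```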

Similar Messages

  • Java card user authentication

    Hi
    I'm using a Gemalto TOP DL V2 Java card.
    It supports Java Card version 2.2.2.
    Will someone guide me on how to write a program to authenticate?
    It supports 3DES and AES encryption.
    How can I write the user PIN inside EEPROM (I hope pin.update)?
    What is the use of the Mother key they provided with the card?
    Details
    SID A000000003000000

    If you look at the JCDK samples, there is a PIN applet you can look at for user pin.
    What do you want to authenticate? Is it host to applet or host to card manager?
    Cheers,
    Shane

  • UAG smart card authentication plus kcdauthentication true

    Hi
    I have already setup smart card certificate authentication to UAG portal. I'm using certificate's field Subject Alternative Name and RFC822 Name to read UPN information. It says 'RFC822
    Name=[email protected]'. That information i'm comparing to AD account's mail attribute. Authentication works ok.
    In Active Directory, samaccount is created from UPN's first part: firstname.lastname. So far i have been able to use kcdauthentication and create valid kerberos ticket which is acceptable for delegation.
    Customer changed their samaccount to a different form. KCD does not work anymore. I've tried to use regkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter\KCDUseUPN,1. It does not work.
    I have no idea how to change from inc files that do not use samaccount but instead use UPN. UPN matches mail.
    Any ideas ?
    thanks in advance :)
    br -teemu

    Below Article might not give you direct answer.
    But, you may get an excellent idea on how to play around with INC files for your scenario.
    http://social.technet.microsoft.com/wiki/contents/articles/17031.how-to-get-client-certificate-authentication-working-on-a-uag-2010-portal.aspx
    Please let us know, how it goes. :)

  • How to create a 802.1X Profile Using Smart Card Certificate

    My company has just implemented a new wireless network that requires users to use a USB Smart Card security device.
    This works fine for Windows, as the OS will allow the end user to configure more advanced authentication/authorization methods (802.1X, etc.) Unfortunately, OS X removed this functionality several versions back; 802.1X and advanced Wi-Fi configurations must now be handled by some sort of profile creation utility. Unfortunately, I've yet to find a utility (iPhone Configuration Utility, Apple Configurator) that will allow the creation of an 802.1X / Wireless Network Configuration that allows the use of a smart card for authentication. They all require that you actually upload the entire key-pair combo(?) in the form of a .p12 file. This is impossible with a smart card; by design you are not allowed to export the private key.
    I'm wondering if there is some way around this? Is it even an option? I know Mac OS will allow me to select "EAP-TLS" when configuring a new wireless network in System Preferences, then even allows me to select my certificate/identity from the Smart Card. Unfortunately, the network I'm trying to connect to doesn't support EAP-TLS/needs some additional configuration options/settings (EAP-TTLS for one).
    Any help/ideas would be greatly appreciated. Thanks!!

    Hello,
    exactly my topic I have been fighting now for months and already gave up.
    My setup is a Lion Server and a Lion WLAN client. My goal is to have the system profile 802.1x WLAN authentication up and running but I just don't get it working. First I tried to create a machine certificate (TLS) but this did not work. Then I tried the option to use Computer Object credentials (TTLS) (Open Directory Computer Object account credentials) to establish network connection before a user logs on but this also doesn't work.
    As said I'm using Lion Server with Open Directory and Lion Server Radius.
    Any help or guide appreciated!
    Robert

  • How to configure Firefox to use cert from smart card reader on Sun Ray 3 Plus

    I have a Sun Ray 3 Plus configured so the user needs a smart card to login (CAC card) and bring up a Java Desktop on the Sun Ray Server (Solaris 10 SPARC).
    Now I am trying to get Firefox to read the certificate from the smart card reader but not sure how to go about doing that.
    From searching online, it seems like I have to load a module in Firefox:
    Edit -> Preferences -> Certificates -> Security Devices
    But what file do I load? I'm assuming it is a file that's part of the SUNWut package?

    I try to test bumblebee with:
    optirun glxgears
    but I get this error:
    Xlib: extension "GLX" missing on display ":8".
    Error: couldn't get an RGB, Double-buffered visual

  • Smart Cards slow with Sun Ray Windows Connector

    I'm successfully using smart cards to log on to Windows 2003. But the problem is that it's very slow!
    If I enter a wrong PIN code, it's fairly quick to respond with an error, but when entering the right one it takes like 13-15 seconds to log on. The smart card slot on Sun Ray 2 is flashing all that time, so it seems like it's reading the certificate takes that long?
    Any ideas how to make it quicker?

    I have done the same setup with SunRay 170.
    Approx the same delay is experienced with my setup.
    When I meet my Card Vendor next time around I will ask about
    how many times the CERT is read.
    The Sun Ray 2 is faster, a lot faster than the Sun Ray 170, so the delay
    must be the speed that card transactions can be performed.
    //lars

  • Sun Ray 3/3P + 3rd party smart cards

    Does anyone know a particular brand of printable smart cards that will work with VDI/Sun Ray 3, that's not Oracle/Sun branded?
    Thanks
    Dave

    There is a list of compatible cards on Oracle's website
    http://www.oracle.com/technetwork/server-storage/sunrayproducts/docs/sunraysmartcards-485728.html
    Bjoern

  • SUN One web server 6.1,strong authentication and smart card

    Hi guys,
    I am experiencing a weird issue with smart cards.
    Scenario:
    SOWS 6.1 SP6, smart card Gem Plus and Internet Explorer 6 and 7 as client and strong authentication.
    Once I put in my smart card and insert the PIN code to get into the HTML page, when I tried to just move the mouse in a frame, I got lots of PIN requests. I have noticed that there are lots of SSLv3 sessions opened. When I put in the PIN code, after a while, and again when I move the mouse quickly, I got the same request.
    I tried with Firefox and then it works fine.
    Anyone experienced a sort of same issue? Any clue? Could it be that Firefox stores the PIN code somewhere and IE doesn't?
    Cheers

    Hi,
    Yes, Firefox and other Mozilla products by default only require the PIN for tokens the first time they are needed. In SeaMonkey, the preference is in edit/preference/privacy & security/master passwords/master password timeout/web browser will ask for your master password. There is an equivalent in Firefox, but since I don't use it, I don't know the exact location of that pref.
    The fact that you are being prompted multiple times in IE means that there are multiple SSL handshakes happening. This may be because the server is forcing a new SSL handshake on each HTTP request. There may be a way for the web server to be configured not to do that by setting client auth globally on the listen socket instead of setting it on a specific URL space.

  • Sun Ray - How to get external USB Card Reader working

    Dear All,
    I have the following problem. Maybe someone could help me or give me a clue to solve it.
    SunRay Software 5 installed
    Window 2003 R2 TerminalServer
    Here is my question:
    I use a kiosk session with a smart card to connect to the Windows server - works perfectly.
    Login screen and go.
    Now I have to authenticate myself with an external USB card reader and smart
    card (connected to the Sun Ray) to use a certain application on my Win2003 server.
    Via the Windows RDP session (from the laptops) everything is OK. The information from
    the card reader is transferred to the server.
    If I use the Sun Ray nothing happens. So here is my problem:
    How do I get the authentication information from the smart card to the server?
    Thanks in advance
    Best regards
    Hans-Peter

    Basically, reinstall the Boot Camp video drivers manually and if that doesn't work then go to the AMD/Radeon website and install the Windows drivers directly for your video card model.
    If you want to do a search you will find others that have pretty good luck doing it either way.

  • Verify user pin on a smart card & load a cap file on a card (with eclipse)

    I have been able to install JCWDE (Java Card Development Kit) successfully on Eclipse. Basically all I need to do is verify a user PIN on a smart card, as in first set a PIN and then verify it.
    To begin with I have referred to many tutorials (here: http://www.javaworld.com/jw-07-1999/jw-07-javacard.html?page=1) and implemented the wallet code in Eclipse. I have the cap file generated and the scripts generated. I am not sure how to load it on the smart card with Eclipse.
    I tried to deploy the cap file but it keeps saying connected. Also when we initiate the applet I get the same result.
    output:
    Java Card 2.2.2 APDU Tool, Version 1.3
    Copyright 2005 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms.
    Opening connection to localhost on port 9032.
    Connected.
    I have also tried: http://www.cs.ru.nl/E.Poll/hw/practical.html ... but no luck.
    I have the wallet.cap ,wallet.exp ,wallet.jca ,wallet.opt create.script, select,cap-download.scripts files already generated in Eclipse.
    How does a successfully implemented applet code on a smart card work? How does this wallet code work if it is successfully implemented? Does it have some GUI which prompts the user to enter the PIN?
    Wallet code for reference :
    package com.sun.javacard.samples.wallet;

    import javacard.framework.*;

    public class Wallet extends Applet {

        /* constants declaration */
        // code of CLA byte in the command APDU header
        final static byte Wallet_CLA = (byte) 0x80;
        // codes of INS byte in the command APDU header
        final static byte VERIFY = (byte) 0x20;
        final static byte CREDIT = (byte) 0x30;
        final static byte DEBIT = (byte) 0x40;
        final static byte GET_BALANCE = (byte) 0x50;
        // maximum balance
        final static short MAX_BALANCE = 0x7FFF;
        // maximum transaction amount
        final static byte MAX_TRANSACTION_AMOUNT = 127;
        // maximum number of incorrect tries before the
        // PIN is blocked
        final static byte PIN_TRY_LIMIT = (byte) 0x03;
        // maximum size PIN
        final static byte MAX_PIN_SIZE = (byte) 0x08;
        // signal that the PIN verification failed
        final static short SW_VERIFICATION_FAILED = 0x6300;
        // signal that the PIN validation is required
        // for a credit or a debit transaction
        final static short SW_PIN_VERIFICATION_REQUIRED = 0x6301;
        // signal invalid transaction amount
        // amount > MAX_TRANSACTION_AMOUNT or amount < 0
        final static short SW_INVALID_TRANSACTION_AMOUNT = 0x6A83;
        // signal that the balance exceeds the maximum
        final static short SW_EXCEED_MAXIMUM_BALANCE = 0x6A84;
        // signal that the balance becomes negative
        final static short SW_NEGATIVE_BALANCE = 0x6A85;

        /* instance variables declaration */
        OwnerPIN pin;
        short balance;

        private Wallet(byte[] bArray, short bOffset, byte bLength) {
            // It is good programming practice to allocate
            // all the memory that an applet needs during
            // its lifetime inside the constructor
            pin = new OwnerPIN(PIN_TRY_LIMIT, MAX_PIN_SIZE);
            byte iLen = bArray[bOffset]; // aid length
            bOffset = (short) (bOffset + iLen + 1);
            byte cLen = bArray[bOffset]; // info length
            bOffset = (short) (bOffset + cLen + 1);
            byte aLen = bArray[bOffset]; // applet data length
            // The installation parameters contain the PIN
            // initialization value
            pin.update(bArray, (short) (bOffset + 1), aLen);
            register();
        } // end of the constructor

        public static void install(byte[] bArray, short bOffset, byte bLength) {
            // create a Wallet applet instance
            new Wallet(bArray, bOffset, bLength);
        } // end of install method

        public boolean select() {
            // The applet declines to be selected
            // if the pin is blocked.
            if (pin.getTriesRemaining() == 0)
                return false;
            return true;
        } // end of select method

        public void deselect() {
            // reset the pin value
            pin.reset();
        } // end of deselect method

        public void process(APDU apdu) {
            // APDU object carries a byte array (buffer) to
            // transfer incoming and outgoing APDU header
            // and data bytes between card and CAD
            // At this point, only the first header bytes
            // [CLA, INS, P1, P2, P3] are available in
            // the APDU buffer.
            // The interface javacard.framework.ISO7816
            // declares constants to denote the offset of
            // these bytes in the APDU buffer
            byte[] buffer = apdu.getBuffer();
            // check SELECT APDU command
            if (apdu.isISOInterindustryCLA()) {
                if (buffer[ISO7816.OFFSET_INS] == (byte) (0xA4)) {
                    return;
                } else {
                    ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
                }
            }
            // verify the rest of commands have the
            // correct CLA byte, which specifies the
            // command structure
            if (buffer[ISO7816.OFFSET_CLA] != Wallet_CLA)
                ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
            switch (buffer[ISO7816.OFFSET_INS]) {
                case GET_BALANCE:
                    getBalance(apdu);
                    return;
                case DEBIT:
                    debit(apdu);
                    return;
                case CREDIT:
                    credit(apdu);
                    return;
                case VERIFY:
                    verify(apdu);
                    return;
                default:
                    ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
            }
        } // end of process method

        private void credit(APDU apdu) {
            // access authentication
            if (!pin.isValidated())
                ISOException.throwIt(SW_PIN_VERIFICATION_REQUIRED);
            byte[] buffer = apdu.getBuffer();
            // Lc byte denotes the number of bytes in the
            // data field of the command APDU
            byte numBytes = buffer[ISO7816.OFFSET_LC];
            // indicate that this APDU has incoming data
            // and receive data starting from the offset
            // ISO7816.OFFSET_CDATA following the 5 header
            // bytes.
            byte byteRead = (byte) (apdu.setIncomingAndReceive());
            // it is an error if the number of data bytes
            // read does not match the number in Lc byte
            if ((numBytes != 1) || (byteRead != 1))
                ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
            // get the credit amount
            byte creditAmount = buffer[ISO7816.OFFSET_CDATA];
            // check the credit amount
            if ((creditAmount > MAX_TRANSACTION_AMOUNT)
                    || (creditAmount < 0))
                ISOException.throwIt(SW_INVALID_TRANSACTION_AMOUNT);
            // check the new balance
            if ((short) (balance + creditAmount) > MAX_BALANCE)
                ISOException.throwIt(SW_EXCEED_MAXIMUM_BALANCE);
            // credit the amount
            balance = (short) (balance + creditAmount);
        } // end of credit method

        private void debit(APDU apdu) {
            // access authentication
            if (!pin.isValidated())
                ISOException.throwIt(SW_PIN_VERIFICATION_REQUIRED);
            byte[] buffer = apdu.getBuffer();
            byte numBytes = (byte) (buffer[ISO7816.OFFSET_LC]);
            byte byteRead = (byte) (apdu.setIncomingAndReceive());
            if ((numBytes != 1) || (byteRead != 1))
                ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
            // get debit amount
            byte debitAmount = buffer[ISO7816.OFFSET_CDATA];
            // check debit amount
            if ((debitAmount > MAX_TRANSACTION_AMOUNT)
                    || (debitAmount < 0))
                ISOException.throwIt(SW_INVALID_TRANSACTION_AMOUNT);
            // check the new balance
            if ((short) (balance - debitAmount) < (short) 0)
                ISOException.throwIt(SW_NEGATIVE_BALANCE);
            balance = (short) (balance - debitAmount);
        } // end of debit method

        private void getBalance(APDU apdu) {
            byte[] buffer = apdu.getBuffer();
            // inform system that the applet has finished
            // processing the command and the system should
            // now prepare to construct a response APDU
            // which contains data field
            short le = apdu.setOutgoing();
            if (le < 2)
                ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
            // informs the CAD the actual number of bytes
            // returned
            apdu.setOutgoingLength((byte) 2);
            // move the balance data into the APDU buffer
            // starting at the offset 0
            buffer[0] = (byte) (balance >> 8);
            buffer[1] = (byte) (balance & 0xFF);
            // send the 2-byte balance at the offset
            // 0 in the apdu buffer
            apdu.sendBytes((short) 0, (short) 2);
        } // end of getBalance method

        private void verify(APDU apdu) {
            byte[] buffer = apdu.getBuffer();
            // retrieve the PIN data for validation.
            byte byteRead = (byte) (apdu.setIncomingAndReceive());
            // check pin
            // the PIN data is read into the APDU buffer
            // at the offset ISO7816.OFFSET_CDATA
            // the PIN data length = byteRead
            if (pin.check(buffer, ISO7816.OFFSET_CDATA, byteRead) == false)
                ISOException.throwIt(SW_VERIFICATION_FAILED);
        } // end of verify method
    } // end of class Wallet
    Any help on this would highly appreciated !! :)

    Hi,
    Thanks a lot for the reply. But I am not sure as to how I can delete the simulator.
    All I want to do is write a PIN on the smart card and verify it. But I am not able to deploy the cap file or initiate the applet.
    Also, for passing the PIN, correct me if I am wrong... according to what you said and what I have understood
    If the code is like this :
    public static void install(byte[] bArray, short bOffset, byte bLength) {
    // create a Wallet applet instance
    new Wallet(bArray, bOffset, bLength);
    } // end of install method
    byte aLen = bArray[bOffset]; // applet data length
    // The installation parameters contain the PIN
    // initialization value
    pin.update(bArray, (short)(bOffset+1), aLen);
    Let's say my PIN is: 1234
    then I would pass it here...
    new Wallet(bArray, 1234, bLength);
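
How the PIN reaches the Wallet applet posted above, as an added host-side example that is not part of the original thread: the PIN travels as bytes inside the install data that the constructor walks with `bOffset`, and later inside the data field of the VERIFY command. The sample AID and the ASCII encoding of the PIN are assumptions; the `WalletModel` class is a hypothetical model of the applet's PIN logic only, not Java Card code.

```python
import hmac

# Constants copied from the Wallet applet on this page.
WALLET_CLA, INS_VERIFY, INS_CREDIT = 0x80, 0x20, 0x30
PIN_TRY_LIMIT, MAX_PIN_SIZE = 3, 8
SW_OK = 0x9000                        # ISO 7816 "no error"
SW_VERIFICATION_FAILED = 0x6300
SW_PIN_VERIFICATION_REQUIRED = 0x6301
SW_INS_NOT_SUPPORTED, SW_CLA_NOT_SUPPORTED = 0x6D00, 0x6E00

SAMPLE_AID = bytes.fromhex("0102030405060708")   # constructed AID, not a real one
SAMPLE_PIN = b"1234"                             # assumption: PIN sent as ASCII digits


def build_install_params(aid, info, pin):
    """bArray as the constructor reads it: [len][AID] [len][info] [len][PIN]."""
    if not 1 <= len(pin) <= MAX_PIN_SIZE:
        raise ValueError("PIN must be 1..MAX_PIN_SIZE bytes")
    return b"".join(bytes([len(field)]) + field for field in (aid, info, pin))


def pin_from_install_params(b_array, b_offset):
    """Replay the constructor's offset arithmetic; return what pin.update() stores."""
    b_offset += b_array[b_offset] + 1      # skip AID length byte + AID
    b_offset += b_array[b_offset] + 1      # skip info length byte + info
    a_len = b_array[b_offset]              # applet data length
    return b_array[b_offset + 1:b_offset + 1 + a_len]


def build_apdu(ins, data):
    """Command APDU layout: CLA INS P1 P2 Lc data."""
    return bytes([WALLET_CLA, ins, 0x00, 0x00, len(data)]) + data


class WalletModel:
    """Model of the applet's PIN handling: try counter plus the isValidated gate."""

    def __init__(self, install_params, offset=0):
        self.pin = pin_from_install_params(install_params, offset)
        self.tries_remaining = PIN_TRY_LIMIT
        self.validated = False
        self.balance = 0

    def process(self, apdu):
        """Return the status word the applet would answer with."""
        if apdu[0] != WALLET_CLA:
            return SW_CLA_NOT_SUPPORTED
        ins, data = apdu[1], apdu[5:5 + apdu[4]]
        if ins == INS_VERIFY:
            return self.verify(data)
        if ins == INS_CREDIT:
            if not self.validated:
                return SW_PIN_VERIFICATION_REQUIRED
            self.balance += data[0]        # amount range checks omitted in this model
            return SW_OK
        return SW_INS_NOT_SUPPORTED

    def verify(self, candidate):
        if self.tries_remaining == 0:      # blocked: even the right PIN is refused
            return SW_VERIFICATION_FAILED
        if hmac.compare_digest(candidate, self.pin):
            self.tries_remaining = PIN_TRY_LIMIT
            self.validated = True
            return SW_OK
        self.tries_remaining -= 1
        self.validated = False
        return SW_VERIFICATION_FAILED


if __name__ == "__main__":
    params = build_install_params(SAMPLE_AID, b"", SAMPLE_PIN)
    card = WalletModel(params)
    print(params.hex(), build_apdu(INS_VERIFY, SAMPLE_PIN).hex())
    print(hex(card.process(build_apdu(INS_VERIFY, SAMPLE_PIN))))
```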

  • RDS Gateway + Smart Card Error [ The specified user name does not exist.]

    I have the following Windows Server 2008 R2 servers:
    addsdc.contoso.com, AD DS Domain Controller for contoso.com
    adcsca.contoso.com, AD CS Enterprise CA, CDPs/AIAs published externally.
    fileserver.contoso.com, RDS Session Host for Administration enabled
    rdsgateway.contoso.com, RDS Gateway enabled
    tmgserver.contoso.com, 'Publishing' rdsgateway.contoso.com but with pass-through authentication
    And the following Windows 7 PCs:
    internalclient.contoso.com
    externalclient.fabrikam.com
    There's no trust between the domains, the external client is completely separate on the internet but the CA certificate for contoso.com has been installed in the trusted Root CA store. All servers have certificates for secure RDP.
    I enrolled for a custom 'Smart Card Authentication' certificate with Client Authentication and Smart Card Logon EKUs from the CA, stored on my new Gemalto smart card using the Microsoft Base Smart Card CSP.
    From internalclient.contoso.com, I can RDP to fileserver.contoso.com
    using the smart card just fine with no certificate errors.
    From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com
    via rdsgateway.contoso.com using a username and password just fine with no certificate errors.
    From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com
    via rdsgateway.contoso.com using the smart card to authenticate to the gateway, and a username and password to authenticate to the end server, just fine.
    BUT from when using a smart card to authenticate to the end server via the gateway, it fails with:
         The specified user name does not exist. Verify the username and try logging in again. If the problem continues, contact your system administrator or technical support. 
    When I move the client into the internal network and try the connection again (still via the RDS Gateway), it works fine - the only thing I can think of is being outside the network and not being able to contact the AD DS DC for Kerberos is causing the issue
    - but I'm pretty sure this is a supported scenario?
    The smart card works fine internally, the subject of the certificate is the user's common name (John Smith) and the only SAN is
    [email protected] which matches the UPN of the user account as it was auto-enrolled.
    Does anyone have any ideas?

    I had a similar issue where I am using a smart card through a Remote Desktop Gateway. I had to disable Network Level Authentication (NLA) on the destination Remote Desktop Server. If anyone has another way around this, I'd appreciate hearing it. I'd prefer
    to use NLA.

  • ISE 802.1x EAP-TLS machine and smart card authentication

    I suspect I know the answer to this, but thought that I would throw it out there anyway...
    With Cisco ISE 1.2 is it possible to enable 802.1x machine AND user smart card authentication simultaneously for wired/wireless clients (specifically Windows 7/8, but Linux or OSX would also be good)? I can find plenty of information regarding 802.1x machine authentication (EAP-TLS) and user password authentication (PEAP), but none about dual EAP-TLS authentication using certificates for machines and users at the same time. I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end. For example, the Windows 7 supplicant seems only able to present either a machine or user smart card certificate, not one then the other. Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.

    Hope this video link will help you
    http://www.labminutes.com/sec0045_ise_1_1_wired_dot1x_machine_auth_eap-tls

  • Use smart card for 802.1x secured WiFi authentication

    Hi,
    is it possible to use a certificate stored on a USB Security Token for WiFi 802.1x authentication?
    I have setup a test environment with all required components (AD, Enterprise CA, NPS, WPA2-Enterprise capable WiFi Access Point, all required certificates, all Server 2012 R2 / Windows 8.1 Pro) and created a user certificate for WPA2-Enterprise secured
    WiFi access (802.1x). Everything works fine as long as the user certificate is stored in the local certificate store of the user's client computer: The user can connect to the WiFi network and the NPS logs show that the user has been authenticated correctly
    and granted access.
    To test this scenario with a Smart Card (Safenet USB Token), I stored that same user certificate on the token (incl. private key). The Safenet software on the client computer automatically makes the certificate stored on the token available in the local
    certificate store as soon as the token has been plugged in (checked via MMC Certificates snap-in). But the certificate can't obviously be used for the desired WiFi authentication: If I try to connect the secured WiFi (the same as in scenario 1) the connection
    fails.
    As I'm using exactly the same certificate in both scenarios, I don't think there's anything wrong with the settings in the certificate, the NPS or any other infrastructure component. The reason for failure in scenario 2 must be lying somewhere in either
    the local client computer configuration or in the Safenet software on the client computer.
    I'm very familiar with all the PKI and authentication stuff, but I'm new to smart cards. Are there differences between different types of smart cards and for what purpose one can use them? (USB tokens, chip cards, virtual tokens, etc.?)
    Has anybody experience in creating a 802.1x secured WiFi access with smart card based user certificates who could advise?
    Thanks + Best Regards
    Matt

    Hi,
    I found some links from the TechNet site which can be helpful in this case
    Network access authentication and certificates
    http://technet.microsoft.com/en-us/library/cc759575(v=ws.10).aspx
    Enable smart card or other certificate authentication
    http://technet.microsoft.com/en-us/library/cc737336(v=ws.10).aspx
    Quote:
    Client certificate requirements
    With EAP-TLS or PEAP-EAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements:
    The client certificate is issued by an enterprise CA or mapped to a user or computer account in Active Directory.
    The user or computer certificate on the client chains to a trusted root CA, includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2), and fails neither the checks that are performed
    by CryptoAPI and specified in the remote access policy nor the Certificate object identifier checks that are specified in IAS remote access policy.
    The 802.1X client does not use registry-based certificates that are either smart card-logon or password-protected certificates.
    For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN).
    For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the client's fully qualified domain name (FQDN), which is also called the DNS name
    Yolanda Zhu
    TechNet Community Support

  • Support for smart-card authentication in PowerBuilder based application

    Hi, I have an application on PB11.5 with an Oracle DB back-end (11.2g). My DoD customer wants the application to use their DoD CAC Card (Smart Card) to authenticate against the Enterprise - Windows Active Directory domain, currently the application uses user-id\password for user authentication.  Is this something newer versions of PB can support and implement? Thank you.

    You have a couple of choices:
    1.  Depending on how old their workstations are, or if they have ACTIVCLIENT installed, you could call the CAPICOMM ActiveX using OLE commands
    2.  A solution that doesn't require that ActiveX is to use the Smart Card SDK built into newer versions of Windows.  It does require a lot lower level coding though, as you have to issue specific APDU commands to the card and know how to handle the responses.
    I posted a sample of the latter to the NNTP groups back in 2011.  I suppose I should get around to creating a blog entry explaining how to use it.

  • Smart Card login screen authentication

    Apple don't seem to have updated their documentation on this subject since way back in the Mac OS X Tiger days!
    I would like to have a setup where a user can walk up to a Mac (which is at the login screen), wave an RFID card over a reader connected to that Mac and be able to then login to that Mac. If it is necessary for a PIN/Password to also be entered that might be acceptable. Similarly if the screensaver activates during their login session, waving their RFID card again over the reader should unlock the screensaver.
    An alternative scenario would be a Mac with a guest login account enabled, and then wanting to use the same card reader to authenticate when requested to a proxy server in order to gain network access.
    The cards to make it clear would be RFID based, not magstripe or chip-and-pin. There are suitable USB readers like this one
    http://www.ers-online.co.uk/o5651/cardman5021-cl-omnikey-omnikey-5021-cl-contact less-smart-card-reader

    Hi Robert Gauthney,
    Could you offer more information about your issue? I found a scenario similar to your issue; if it matches your environment, please refer to the following KB to fix it. If it does not
    match your scenario, please offer us more information such as the error screenshot or related Windows event information:
    Smart card authentication does not work when you use VDI and RD Gateway for RDC client in Windows 7 or in Windows Server 2008 R2
    http://support.microsoft.com/kb/2548538/EN-US
    I’m glad to be of help to you!
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
