VMware Horizon + Smart Card / CAC Login

Overview

This test case validates the zTC’s ability to support high-security authentication using smart cards (including Common Access Cards, or CACs). This is a critical requirement for government, defense, healthcare, and financial sector customers who rely on two-factor authentication (a physical token and a PIN) for access to sensitive data.

The test ensures that a USB smart card reader is correctly redirected into the VMware Horizon session and that the authentication process is stable and reliable for both logging in and in-session activities.

zTC/zMAN Configuration

These steps configure zMAN and the local zTC device to create the VMware Horizon connection and explicitly allow the smart card device class.

Part A: zMAN Director Configuration

  1. Create a VMware Profile:
    • Log into the zMAN Director UI.
    • Navigate to Device Settings -> Profiles.
    • Click the ADD PROFILE button.
    • In the “Add Profile” window, enter a descriptive Name (e.g., Secure_Horizon_VDI).
    • Select VMware from the Protocol dropdown menu.
    • Enter the Host or IP of your VMware Horizon Connection Server.
    • Click ADD to save the profile.
  2. Apply Profile to zTC Device:
    • Navigate to Device Management -> zTC Clients and click the LIST tab.
    • Find and select your target zTC device(s).
    • Apply the Secure_Horizon_VDI profile to the selected device(s). Monitor the task for successful completion.

Part B: Local zTC Configuration (Critical Step)

This step ensures the SnapOS operating system is configured to allow smart card readers.

  1. Navigate to USB Configuration:
    • On the zTC device, go to the Start menu -> Preference -> Settings.
    • From the left pane of the Settings window, click on USB Configuration.
  2. Enable Smart Card Device Class:
    • In the “USB Configuration” screen, locate the USB Device Class section.
    • Find the toggle switch labeled Smart Card and ensure it is enabled (in the “Allow” position).
    • Click the Apply button at the bottom of the window to save the changes.

3rd Party Setup (VMware Horizon & PKI Environment)

  1. Configure Public Key Infrastructure (PKI): An enterprise Certificate Authority (CA), typically a Microsoft CA, must be running to issue certificates to users.
  2. Provision Smart Cards: User certificates must be generated and loaded onto physical smart cards or CACs. Each card will have a corresponding user PIN.
  3. Configure Horizon Connection Server:
    • Install the root and intermediate certificates from your CA into the server’s trust store.
    • In Horizon Administrator, edit the Connection Server settings and enable “Smart card authentication for users.”
  4. Configure Active Directory: Ensure user accounts are correctly mapped to the certificates issued on the smart cards (e.g., via the User Principal Name).
  5. Publish Desktop Pool: Assign the test user to a virtual desktop pool.
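
The certificate-to-account mapping in step 4 can be checked before the test run. The script below is an added example, not part of the original test case or any vendor tooling. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module and a test user's certificate exported from the card to a .cer file (the path is a placeholder).

```powershell
# Added example: check that a smart card certificate maps to an AD account by UPN.
# Assumptions: RSAT ActiveDirectory module is installed; $CertPath is a placeholder
# for the public certificate exported from the provisioned card.
param(
    [string]$CertPath = 'C:\temp\testuser-card.cer'   # placeholder path
)

Import-Module ActiveDirectory

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# Validity window of the card certificate
$now        = Get-Date
$inValidity = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

# Enhanced Key Usage extension (OID 2.5.29.37): list the usage OIDs on the certificate
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekus   = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
$hasSmartCardLogon = $ekus -contains '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
$hasClientAuth     = $ekus -contains '1.3.6.1.5.5.7.3.2'        # Client Authentication

# UPN carried in the Subject Alternative Name (empty string if absent)
$upn = $cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)

# Look up the account whose userPrincipalName equals the certificate UPN
$adUser = $null
if ($upn) {
    $safeUpn = $upn.Replace("'", "''")   # escape quotes for the AD filter string
    $adUser  = Get-ADUser -Filter "UserPrincipalName -eq '$safeUpn'"
}

# Chain build against the Windows certificate stores of the host running this script
$chainBuilds = $cert.Verify()

[pscustomobject]@{
    Subject           = $cert.Subject
    CertificateUpn    = $upn
    InValidityPeriod  = $inValidity
    SmartCardLogonEku = $hasSmartCardLogon
    ClientAuthEku     = $hasClientAuth
    ChainBuilds       = $chainBuilds
    AdAccountFound    = [bool]$adUser
    AdAccountEnabled  = if ($adUser) { $adUser.Enabled } else { $false }
    AdSamAccountName  = if ($adUser) { $adUser.SamAccountName } else { $null }
}
```

An empty CertificateUpn or AdAccountFound = False points to a mapping problem in step 4 rather than a reader or redirection problem on the zTC.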

Execution

  1. Connect Hardware: Plug a compatible USB smart card reader into a USB port on the zTC device.
  2. Insert Smart Card: Insert the provisioned smart card/CAC into the reader.
  3. Launch Horizon Client: Power on the zTC. On the SnapOS desktop, double-click the VMware Horizon Client icon. The client should already be configured with the server address from the zMAN profile.
  4. Authenticate with PIN: The Horizon Client should automatically detect the smart card. Instead of a username and password prompt, it should display the user’s certificate and ask for a PIN.
  5. Enter PIN: Type the correct PIN for the smart card and press Enter.
  6. Launch Session: Upon successful authentication, the list of available desktop pools will appear. Double-click a pool to launch the virtual desktop session.
  7. Test In-Session Removal Policy:
    • Once the Windows desktop is fully loaded, lock the session (Windows Key + L).
    • Physically remove the smart card from the reader. The expected behavior (defined by your security policy) is that the Horizon session will immediately disconnect.
    • Re-insert the smart card into the reader.
    • You should be prompted to enter your PIN again to reconnect to and unlock your session.
  8. Log Out: Close all applications and properly log out of the VMware Horizon session and the virtual desktop.

Verification

  • Authentication (Pass/Fail):
    • PASS: The Horizon Client correctly prompts for a PIN and successfully authenticates using the smart card. It does not prompt for a username or password.
    • FAIL: The client fails to detect the smart card, prompts for a username/password, or the PIN authentication fails.
  • Session Launch (Pass/Fail):
    • PASS: The virtual desktop session launches without errors after successful PIN authentication.
    • FAIL: The session fails to connect or crashes after authentication.
  • Redirection (Pass/Fail):
    • PASS: The smart card is usable by applications inside the VDI session (e.g., for email signing or authenticating to secure websites).
    • FAIL: Applications inside the VDI cannot detect the presence of the smart card reader or certificate.
  • Removal Policy (Pass/Fail):
    • PASS: Removing the smart card from the reader causes the session to disconnect as configured. Re-inserting the card and entering the PIN successfully reconnects and unlocks the session.
    • FAIL: The session remains active after the card is removed, or the user is unable to reconnect after re-inserting it.