Smartcards + IE EPM = The page can not be displayed

5:36 PM


In the US Department of Defense, smart cards are required on many networks.
The security they offer as a layer of "defense in depth" cannot be overstated. In concept they should replace usernames and passwords. In reality, they are a complex mechanism that can cause a headache or two.

I recently ran into a scenario that seems obscure but is probably much more common than reported. This is especially true in the US federal space, where PIV cards are likely to get more attention in light of the OPM breach, and in the DoD space, where CAC authentication for every application on unclassified systems is mandatory.

The problem arises when all of the following are true:

  • The user is on XenApp using Internet Explorer 8 or higher, or on a virtual desktop with IE 8 or higher
  • Internet Explorer has Enhanced Protected Mode (EPM) enabled
  • The user tries to access a web site that prompts for smart card credentials, but after the certificate is presented, Internet Explorer reports "Internet Explorer cannot display the webpage". Often the user never even gets as far as entering their PIN.
  • The same page works fine and authentication succeeds if EPM is turned off.

The good news is that the fix is relatively simple to implement, as long as you have administrative rights on the XenApp or XenDesktop farm.

If you are on XenDesktop / XenApp 7.x, you only need the following registry entries, depending on whether you are on x64 or x86.

  On 32-bit Windows:
    Key:  HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\SmartCard
    Name: SupLowIntegrityProc
    Type: REG_DWORD
    Data: 1

  On 64-bit Windows:
    Key:  HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\SmartCard
    Name: SupLowIntegrityProc
    Type: REG_DWORD
    Data: 1
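The following PowerShell script is an added example, not part of the original post or of any Citrix tooling. It applies the SupLowIntegrityProc value above to the correct key for the OS architecture and then reads it back to confirm the write took effect. The $Revert switch and the warning about a missing Citrix key are my own additions; the key paths, value name, type and data are exactly those listed above. Run it from an elevated, 64-bit PowerShell session on the VDA or XenApp server so that WOW64 registry redirection does not get in the way.

```powershell
# Added example (not from the original post): apply and verify the Citrix
# SupLowIntegrityProc setting on a XenApp/XenDesktop 7.x server or VDA.
# Requires an elevated, 64-bit PowerShell session. The -Revert switch is
# my own convenience for backing the change out.
param(
    [switch]$Revert
)

$valueName = 'SupLowIntegrityProc'

# Choose the key the post lists for this architecture.
if ([Environment]::Is64BitOperatingSystem) {
    $keyPath = 'HKLM:\SOFTWARE\WOW6432Node\Citrix\SmartCard'
} else {
    $keyPath = 'HKLM:\SOFTWARE\Citrix\SmartCard'
}

if ($Revert) {
    if (Test-Path $keyPath) {
        Remove-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
        Write-Host "Removed $valueName from $keyPath"
    }
    return
}

if (-not (Test-Path $keyPath)) {
    # The Citrix installer normally creates this key. If it is missing,
    # the VDA/XenApp components may not be installed on this machine;
    # the value is harmless but useless without them.
    Write-Warning "$keyPath does not exist; creating it. Verify the Citrix VDA is installed."
    New-Item -Path $keyPath -Force | Out-Null
}

# REG_DWORD = 1, per the post. -Force overwrites an existing value.
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null

# Read it back rather than trusting the write: a redirected or
# permission-denied write would otherwise go unnoticed.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($current -eq 1) {
    Write-Host "$keyPath\$valueName = 1 (OK). Log off/on or restart the session to pick it up."
} else {
    throw "Expected $valueName = 1 under $keyPath but read back '$current'."
}
```

For a farm, the same value is better pushed through your image build or a Group Policy registry preference than set by hand on each host, but the read-back check is still worth keeping in whatever tooling you use.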

If you are on XenApp 6.5, you need to be on Hotfix Rollup Pack 2 or higher. You should really look at HFRP 6, as it contains many good fixes and stability improvements throughout. If you are on XenDesktop 5.6, you are supported but need to update immediately. What you really need to do is make sure you are on VDA 5.6.0 or higher, and preferably 5.6.500 for x86 or x64. In these cases, once you are on the correct versions, the registry settings above should not need to be applied.

These updates help ensure that you can keep running Internet Explorer in Enhanced Protected Mode and do not have to weaken your security posture for the sake of website compatibility. It saves you from having to put websites in the Trusted or Intranet zones and turn EPM off for those zones.

This is just one tip on the smart card configurations we see in the federal government. For even more comprehensive advice, see what Joe North has put together on his blog discussing PIV and configuration instructions. If you have other stories about things you tweaked with smart cards, please reply. We hope to gather all of these tips into a common guide someday.
