I recently encountered an issue when configuring Citrix StoreFront 3.6 for Smartcard PIV/CAC logon. After authenticating at StoreFront, I’d receive an error “You cannot log on using a smartcard.” Of course, there was little to no additional information in the event or IIS log files.
After ensuring all of the Smartcard root and intermediate certificates were installed on the client device, StoreFront server, Delivery Controller server, and in the proper AD authentication stores, I finally came across the fix.
On all of the StoreFront servers, you need to create the following registry settings:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"ClientAuthTrustMode"=dword:00000002
The source of this setting can be found here: https://support.citrix.com/article/CTX216330
This setting has fixed issues such as this for several customers and it seems to be occurring more and more.
Until next time, thanks for reading.
-Shane
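An idempotent way to check, set and verify the value above on a StoreFront server. This is an added example, not part of the original post or the Citrix article. The script and parameter names are assumptions; the key, value name and data are the ones given in the post, and the mode names are from Microsoft's Schannel documentation.

```powershell
# Added example, not from the original post. Run elevated on each StoreFront server.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [ValidateSet(0, 1, 2)]
    [int]$DesiredMode = 2    # value given in the post
)

$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$Name = 'ClientAuthTrustMode'

# Schannel client-authentication trust modes (Microsoft documentation)
$ModeNames = @{
    0 = 'Machine Trust (default)'
    1 = 'Exclusive Root Trust'
    2 = 'Exclusive CA Trust'
}

# Read the current value; $null means the value does not exist yet
$before = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name

if ($null -eq $before) {
    Write-Output "$Name is not set (Schannel falls back to $($ModeNames[0]))"
} else {
    Write-Output "$Name is currently $before ($($ModeNames[[int]$before]))"
}

# Only write when the value differs, and honour -WhatIf / -Confirm
if ($before -ne $DesiredMode) {
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set DWORD to $DesiredMode")) {
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord `
            -Value $DesiredMode -Force | Out-Null
    }
}

# Re-read and report, so the result can be collected per server
$after = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    Before    = $before
    After     = $after
    Compliant = ($after -eq $DesiredMode)
}
```

Running it with `-WhatIf` reports the current state without changing the registry.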
You simply saved my day! Thanks!
Thanks Mathieu, glad I could help!
Shane, thank you for this post. I’m deploying PIV for a customer now and we are having some issues. I have no visibility into the Citrix environment since I’m just the NetScaler engineer. I will take this to our Citrix admins and see if this could help our situation.
Richard, also make sure they are enabling verbose logging in StoreFront which may help find the issue. https://support.citrix.com/article/CTX139592
I savor, lead to I found just what I used to be having a look for.
You’ve ended my 4 day long hunt! God Bless you man. Have a nice day.
Bye