Citrix StoreFront and Smartcard Troubles

I recently encountered an issue when configuring Citrix StoreFront 3.6 for Smartcard PIV/CAC logon. After authenticating at StoreFront, I’d receive an error: “You cannot log on using a smartcard.” Of course, there was little to no additional information in the event or IIS log files.


After ensuring all of the Smartcard root and intermediate certificates were installed on the client device, StoreFront server, Delivery Controller server, and in the proper AD authentication stores, I finally came across the fix.

On all of the StoreFront servers, you need to create the following registry settings:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"ClientAuthTrustMode"=dword:00000002

The source of this setting can be found here: https://support.citrix.com/article/CTX216330

This setting has fixed issues such as this for several customers and it seems to be occurring more and more.
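
One way to audit and apply this value across several StoreFront servers with PowerShell remoting. This is an added example, not part of the original post or the Citrix article; the server names and the function name are assumptions, and it needs PowerShell remoting and administrative rights on each server.

```powershell
# Added example (not from the original post). Server names are placeholders.
$StoreFrontServers = 'SF01.example.local', 'SF02.example.local'

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$ValueName = 'ClientAuthTrustMode'
$Desired   = 2   # dword:00000002, the value given in the post (CTX216330)
# Microsoft's Schannel documentation lists the values as:
#   0 = Machine Trust (default), 1 = Exclusive Root Trust, 2 = Exclusive CA Trust

# Runs on each server: read the value, optionally set it, then read it back.
$CheckAndSet = {
    param($Path, $Name, $Want, [bool]$Apply)
    $read = { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name }
    $before = & $read
    if ($Apply -and $before -ne $Want) {
        # -Force overwrites an existing value of the same name
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Want -Force | Out-Null
    }
    $after = & $read
    [pscustomobject]@{
        Server    = $env:COMPUTERNAME
        Before    = if ($null -eq $before) { '(not set)' } else { $before }
        After     = if ($null -eq $after)  { '(not set)' } else { $after }
        Compliant = ($after -eq $Want)
    }
}

# Hypothetical helper name; audits by default and only writes when -Apply is given.
function Invoke-ClientAuthTrustModeCheck {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [switch]$Apply
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $CheckAndSet `
        -ArgumentList $KeyPath, $ValueName, $Desired, $Apply.IsPresent |
        Select-Object Server, Before, After, Compliant
}

# Audit only (no changes are made):
Invoke-ClientAuthTrustModeCheck -ComputerName $StoreFrontServers

# Set the value where it is missing or different, then report the result:
# Invoke-ClientAuthTrustModeCheck -ComputerName $StoreFrontServers -Apply
```

Running the audit first records each server's previous value in the `Before` column, which is what you need if the change has to be rolled back.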

Until next time, thanks for reading.

-Shane

 

4 thoughts on “Citrix StoreFront and Smartcard Troubles”

  1. Shane, thank you for this post. I'm deploying PIV for a customer now and we are having some issues. I have no visibility into the Citrix environment since I'm just the NetScaler engineer. I will take this to our Citrix admins and see if this could help our situation.
