I recently encountered an issue when configuring Citrix StoreFront 3.6 for Smartcard PIV/CAC logon. After authenticating at StoreFront, I’d receive the error “You cannot log on using a smartcard.” Of course, there was little to no additional information in the event or IIS log files.
After ensuring all of the Smartcard root and intermediate certificates were installed on the client device, StoreFront server, Delivery Controller server, and in the proper AD authentication stores, I finally came across the fix.
On all of the StoreFront servers, you need to create the following registry settings:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
The source of this setting can be found here: https://support.citrix.com/article/CTX216330
This setting has fixed issues like this one for several customers, and the problem seems to be occurring more and more.
Until next time, thanks for reading.