The smart cards nightmare with Citrix Xendesktop / Virtual Apps and Desktops

Everyone who uses Citrix XenDesktop knows how big a problem it is to use it with USB devices to digitally sign documents.

For this reason, after the latest “nightmare” with the most recent USB key, the CNS, I’ve decided to write down a simple guide to help people like me with these problems.

This is the latest key that I set up under XenDesktop. My environment was Citrix Virtual Apps and Desktops (formerly known as XenDesktop) 7.15 CU3 with Wyse 3040 Windows Embedded and Windows 7 Ent with PVD.

First, we have to enable the USB redirection policy under “Studio’s policy”.

Then we need to enable class 08 (Mass storage) and 0b (Smart card); see guide CTX137939.

At this point, just to do a test, we need to change the local DeviceRules on the device where we’ve installed Citrix Workspace (formerly known as Citrix Receiver).

This is the key: HKLM\Software\WOW6432Node\Citrix\ICA Client\GenericUSB

Normally this is the “DeviceRules” setting :


 # Syntax is an ordered list of case insensitive rules where # is line comment
 #  and each rule is (ALLOW | DENY) : ( match )*
 #  and each match is (class|subclass|prot|vid|pid|rel) = hexnumber

DENY: vid=17e9 # All DisplayLink USB displays
DENY: class=02 # Communications and CDC-Control
DENY: class=09 # Hub devices
DENY:vid=045e pid=079A # Microsoft Surface Pro 1 Touch Cover
DENY:vid=045e pid=079c # Microsoft Surface Pro 1 Type Cover
DENY:vid=045e pid=07dc # Microsoft Surface Pro 3 Type Cover
DENY:vid=045e pid=07dd # Microsoft Surface Pro JP 3 Type Cover
DENY:vid=045e pid=07de # Microsoft Surface Pro 3_2 Type Cover
DENY:vid=045e pid=07e2 # Microsoft Surface Pro 3 Type Cover
DENY:vid=045e pid=07e4 # Microsoft Surface Pro 4 Type Cover with fingerprint reader
DENY:vid=045e pid=07e8 # Microsoft Surface Pro 4_2 Type Cover
DENY:vid=03eb pid=8209 # Surface Pro Atmel maXTouch Digitizer
ALLOW:vid=056a pid=0315 class=03 # Wacom Intuos tablet
ALLOW:vid=056a pid=0314 class=03 # Wacom Intuos tablet
ALLOW:vid=056a pid=00fb class=03 # Wacom DTU tablet
DENY: class=03 subclass=01 prot=01 # HID Boot keyboards
DENY: class=03 subclass=01 prot=02 # HID Boot mice
DENY: class=0a # CDC-Data
DENY: class=0b # Smartcard
DENY: class=e0 # Wireless controller
DENY: class=ef subclass=04 # Miscellaneous network devices
ALLOW: # Otherwise allow everything else


And we need to change to :

 # Syntax is an ordered list of case insensitive rules where # is line comment
 #  and each rule is (ALLOW | DENY) : ( match )*
 #  and each match is (class|subclass|prot|vid|pid|rel) = hexnumber
 
DENY: vid=17e9 # All DisplayLink USB displays
DENY: class=02 # Communications and CDC-Control
DENY: class=09 # Hub devices
DENY:vid=045e pid=079A # Microsoft Surface Pro 1 Touch Cover
DENY:vid=045e pid=079c # Microsoft Surface Pro 1 Type Cover
DENY:vid=045e pid=07dc # Microsoft Surface Pro 3 Type Cover
DENY:vid=045e pid=07dd # Microsoft Surface Pro JP 3 Type Cover
DENY:vid=045e pid=07de # Microsoft Surface Pro 3_2 Type Cover
DENY:vid=045e pid=07e2 # Microsoft Surface Pro 3 Type Cover
DENY:vid=045e pid=07e4 # Microsoft Surface Pro 4 Type Cover with fingerprint reader
DENY:vid=045e pid=07e8 # Microsoft Surface Pro 4_2 Type Cover
DENY:vid=03eb pid=8209 # Surface Pro Atmel maXTouch Digitizer
ALLOW:vid=056a pid=0315 class=03 # Wacom Intuos tablet
ALLOW:vid=056a pid=0314 class=03 # Wacom Intuos tablet
ALLOW:vid=056a pid=00fb class=03 # Wacom DTU tablet
DENY: class=03 subclass=01 prot=01 # HID Boot keyboards
DENY: class=03 subclass=01 prot=02 # HID Boot mice
DENY: class=0a # CDC-Data
#DENY: class=0b # Smartcard <=========== !!!!!!!!!!!
DENY: class=e0 # Wireless controller
DENY: class=ef subclass=04 # Miscellaneous network devices
ALLOW: # Otherwise allow everything else
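
Why commenting out that single line is enough, as an added example that is not part of the original post or Citrix's own code: a small evaluator for the DeviceRules syntax shown above, run against the default list, the edited list, and a narrower variant that allows only one token while keeping the class-wide DENY. It assumes first-match-wins evaluation of the ordered list; the rule sets are abbreviated, and the device IDs (vid=1234 pid=abcd, vid=5678 pid=0001) are made-up placeholders.

```python
import re

# Abbreviated rule sets modelled on the DeviceRules shown above (constructed for this example).
DEFAULT_RULES = """
DENY: class=09 # Hub devices
DENY: class=03 subclass=01 prot=01 # HID Boot keyboards
DENY: class=0b # Smartcard
ALLOW: # Otherwise allow everything else
"""
# The article's change: the smart card DENY is commented out.
EDITED_RULES = DEFAULT_RULES.replace("DENY: class=0b", "#DENY: class=0b")
# Narrower alternative: allow one token by vid/pid, keep the class-wide DENY.
# vid=1234 pid=abcd is a made-up placeholder, not a real device ID.
SCOPED_RULES = "ALLOW: vid=1234 pid=abcd class=0b # signing token\n" + DEFAULT_RULES

FIELDS = {"class", "subclass", "prot", "vid", "pid", "rel"}

def parse_rules(text):
    """Return [(action, {field: int})] in file order, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # '#' starts a line comment
        if not line:
            continue
        action, _, matches = line.partition(":")
        action = action.strip().upper()        # rules are case insensitive
        if action not in ("ALLOW", "DENY"):
            raise ValueError(f"bad action in rule: {line!r}")
        conds = {}
        for key, value in re.findall(r"(\w+)\s*=\s*([0-9a-fA-F]+)", matches):
            if key.lower() not in FIELDS:
                raise ValueError(f"unknown match field: {key!r}")
            conds[key.lower()] = int(value, 16)
        rules.append((action, conds))
    return rules

def decide(rules_text, device):
    """The first rule whose every match equals the device's value decides."""
    for action, conds in parse_rules(rules_text):
        if all(device.get(k) == v for k, v in conds.items()):
            return action
    return "DENY"  # assumption for this sketch: no matching rule means no redirection

# Constructed descriptors: the signing token and some other smart card reader.
TOKEN = {"vid": 0x1234, "pid": 0xABCD, "class": 0x0B}
OTHER_READER = {"vid": 0x5678, "pid": 0x0001, "class": 0x0B}
```

With the DENY line commented out, every class 0b device falls through to the final catch-all ALLOW; the scoped variant redirects only the listed token and still denies other smart card readers.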

To help, we can use USBDeview to find the VendorID, ProductID and USB Class.

This is before inserting the USB key:


Then, after inserting it …


At this point, we need to modify the master image or the user's session (if it’s a static desktop or has the PVD feature).

Delete this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook

and also this:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\citrix\CtxHook\AppInit_Dlls\

Restart the terminal and connect to it again.

Connect your USB key and switch it to generic.

Now you can launch your key!

That’s it!
