Disabling PIN based logins to Citrix
By ThinGuy on Feb 12, 2007
Sure, most people want to know how to do smart card based logins to windows. However, some people don't want the hassle.
Recently we had a customer that wanted to access a smart card from a Solaris perspective, but did not want to do so from Windows.
That presents a problem since the customer uses Citrix and the ICA client detects the presence of the library libpcsclite that is loaded as part of SUNWsrcbp (Sun Ray PCSC SRCOM Bypass).
With this package loaded (required to do the Solaris smart card stuff) the Citrix client would automatically redirect the smart card channel. Normally that's a "good thing". In this case it's not.
This will result in one of two things happening:
1) User gets prompted for a PIN at the Windows login screen. They then have to click cancel to get to the username/password entry. Annoying at best.
2) User gets a message that the required drivers are not supplied on the Server. Really annoying and probably will result in a lot of help desk calls. This would happen if you used Payflex cards or any other smart card that is not supported by default under Windows.
Brad and I started bouncing around ideas in our normal one-upmanship tone via email.
First thought, remove the reg key for Citrix smart card hooks. I like it, Brad doesn't. He's right though, what if they want to use smart cards from other clients. They don't but hey, I'll give the whipper-snapper a point there. What he could have said that would have "slam dunked" me with was to not require changes to the Windows Servers to support Sun Ray. I wouldn't have had a comeback for that. He'll learn. :)
Brad thinks moving the library and fooling the ICAClient is good idea, I don't. I'm thinking about support implications (Sir you are missing libraries X,Y,and Z). Score one for me for actually thinking about support implications. For those of you that don't know me, that's a huge step. Kind of like an alcoholic admitting they have a problem.
Fortunately the answer was right in front of us the whole time. Since Citrix is fairly modular, we can turn off the smart card channel in a config file.
Solution: Edit /usr/lib/ICAClient/config/module.ini. Under the [ICA 3.0] section change SmartCard=On to SmartCard=Off.