The Citrix Blog
Blogs for tag 'smart card'



Government, healthcare and financial organizations are heavily evaluating virtual desktops, and due to the nature of these industries, one of the big requirements is for secure authentication via smart cards. Frankly, when XenDesktop first came out, it didn't have the goods in the smart card + VDI department, but no one else did, either. There was no integration to speak of, from either Citrix or VMware, and this meant these industries could only deploy VDI in limited use cases.

Citrix quickly addressed this in product updates, and the newly released Feature Pack 1 for XenDesktop 3 includes even more functionality. VMware has been kinda quiet on the smart card integration front - so I was curious, how are the two products faring in head-to-head evaluations in customer accounts? So I went and polled several of our SEs, some partners and some customers and learned a few interesting tidbits in some key categories:

- Seamless integration of authentication: With XenDesktop, you get the typical black "carbon fiber" login screen on boot-up, then you insert the Smart Card and are prompted to enter your PIN. Just like a normal desktop. We've heard reports that for some reason View is requiring PIN entries for the broker, then the desktop - and for every desktop subsequently. Seems complicated for end users.

- Active Directory object clean up: With XenDesktop, when virtual desktops are opened and closed, the AD objects are created and removed cleanly. We've seen customers struggle with how View creates the objects for each virtual desktop, but then fails to clean them up and leaves them orphaned. So in a typical enterprise, this can result in thousands of AD objects being created every day and clogging up the works.

- Coffee breaks: If a user leaves for a coffee break and takes their card with them (as proper policy would mandate), the desktop should lock. When the user returns and enters the PIN, it should unlock and return the user to their desktop as they left it. XenDesktop handles this, but it seems that customers have reported View "loses" the Smart Card when it is withdrawn during a session. Re-inserting the card does nothing, and the desktop has to be fully shut down and the user has to start from square one to get back into the desktop.

- Multi-card reader roaming: A lot of organizations don't have identical readers at each endpoint, but the user needs the same desktop. Feature Pack 1 adds the ability to roam between different devices even when different readers are attached.

- Endpoint device support: With Feature Pack 1, XenDesktop offers both Windows and Linux endpoint support for Smart Card readers. At this time, View's ability to support Smart Cards (with the above integration challenges) is limited to Windows endpoints.

Obviously, with these considerations taken into account, XenDesktop is winning these bake-offs. But I don't think it's just about smart card integration. It's a fundamental understanding of the virtual desktop experience that is burned into the Citrix DNA - the smart card functionality is just a manifestation of that know-how.


posted by Kate Brew

I spent some time recently chatting with Ross Duncan, VP of Channels at Gemalto, due to my role as product manager for Citrix Password Manager. While Citrix remains "strong authentication agnostic", Ross raised some great points:

- Passwords are bad - I don't think anyone will argue this point! There have been many solutions to enforce management of passwords to mitigate the inherent weakness. Then those "solutions" that make passwords more complex can cause user convenience problems - plus bad behavior such as passwords written down, using the same password for many applications, and so on. Then the help desk calls are both extensive and expensive.

- eSSO means putting all the keys to the kingdom in one place. This allows IT to use hyper-secure passwords (20+ characters, special characters, etc.) that change rapidly. However, the end user now has only ONE password to know - therefore there is a case to augment it with a strong authentication device like Gemalto smart cards.

- Coupling of eSSO and smart cards brings the ultimate in convenience with maximum security - the user inserts their card, enters their PIN, and they can securely access the system. This is much easier than entering user name/password - easier and more secure.

- Vendors like Gemalto are integrated with Citrix Password Manager, smooth roaming/Hot Desktop, XenApp and CAG, which is convenient for customers.

We also discussed the merits of converging logical and physical security. This always looks great on PowerPoints, but it has been a real slow starter in real life. It's been discussed for 8 years that I personally know about, but the actual implementations are lagging. It always struck me this way: the physical security personnel and the IT security personnel are usually in different areas within an organization, and there are numerous political barriers to having the two groups work together and contribute budgets to make a badge/technology/management decision together. I know Gemalto has partnerships to do this, but it seems to me to face obstacles. Would like to hear comments!
 
