Jump to content
Welcome to our new Citrix community!

Problem using Smart Card Authentication on Storefront

Recommended Posts

Hi there,


We are trying to test Smartcard authentication for internal Customers.


I try to set it up from the CTX Articel:



The mean Problem is when i browse to the Storefront site i get the Message:

"Logon with smartcard is not possible"


I think the mean Problem when i browse to the test site:


i can't choose a Certificate, i got direct to "403 - Forbidden"


I still check the iis settings but can't find something.


When we use the SmartCard and Certificate Authentication on the Netscaler i still get the promt do choose the Certificate and have to enter the Pin from the Smartcard.


Are there any special Requierements for special Smartcards? Or how i can figure out where is the problem.


Would be great if someone can give me a hint.





Link to comment
Share on other sites

Hi Nils:


Are you using the Server 2012 as the StoreFront Server, there is a known issue with IIS 8.0 https://support.microsoft.com/en-us/help/2802568/internet-information-services-iis-8-may-reject-client-certificate-requ, please try workaround in the web link and additionally add a reg key to storefront server:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL] "ClientAuthTrustMode"=dword:00000002

And then restarted IIS.


Hope it helps.


Jack Tu :)

Link to comment
Share on other sites

  • 2 weeks later...

Hi Jack,


thanks for the hints. Yes we are using 2012 R2 Server.

I try the workaround and set the Reg Key. After that i restart the IIS but the Problem still exists.





Have you checked the last part of this link? This fixed the issue for me.


To use CSP PIN prompts

By default, the PIN prompts presented to users are provided by Citrix Receiver for Windows rather than the smart card Cryptographic Service Provider (CSP). Citrix Receiver for Windows prompts users to enter a PIN when required and then passes the PIN to the smart card CSP. If your site or smart card has more stringent security requirements, such as to disallow caching the PIN per-process or per-session, you can configure Citrix Receiver for Windows to instead use the CSP components to manage the PIN entry, including the prompt for a PIN.

Change how PIN entry is handled by using either of the following methods:

  • On the Citrix Receiver for Windows command line, specify the option AM_SMARTCARDPINENTRY=CSP.
  • Add the following key value to the registry key HKLM\Software\[Wow6432Node\]Citrix\AuthManager: SmartCardPINEntry=CSP.



Link to comment
Share on other sites

  • 1 year later...


This topic is now archived and is closed to further replies.

  • Create New...