Jump to content
Welcome to our new Citrix community!
  • 0

Smart card logon issue



I am not sure if this should be in the Storefront forum or in the CVAD forum so I will enter this in both.
We have a customer in the health care business that uses smart cards for logon to their Citrix environment. The smart cards they use contain more than one certificate for authentication to their internal environment and to external partners. The customer is having issues with failed logins after launching their published desktop. Some users are getting an error  message "Your credentials could not be verified" when the session on the VDA is established.

We have been able to see that what happens when this occurrs is that the VDA is trying to sign on the user with the wrong certificate. At log on to the Storefront portal the users gets to choose what certificate to log on with and then they type their PIN and they are logged on to Storefront. During a normal launch of applications/desktops from the portal the logged on users credentials are passed on seamlessly to the VDA but sometimes this fails here and the VDA uses the wrong certificate. The problem is the same if the user is connecting from a PC or from a Dell Wyse thin client. The environment is CVAD and Storefront 2203 LTSR CU1 and the VDAs are Windows Server 2019.

We have mostly seen this with new users but this week there were a couple of new users that could log on without any issues for a couple of days and then suddenly they got the problem. This morning there was a user that has been working there for a long time and never had any issues before but suddenly got the problem today. After testing a few times it worked again on the fourth attempt. There is a workaround for the users to be able to log on even if they get this error but it involves several extra steps for them during the logon to the VDA which should be SSO from Storefront.They need to click 3-4 times to acknowledge the error and select the correct certificate in the Windows log on process and then enter their PIN code one more time.


We would of course want to make sure that only the correct certificate is used so that the users are always logged on automatically. Is there any way to force that only the correct certificate for the local domain is forwarded from Storefront or to force the VDA to only select the correct certificate when authenticating?

Link to comment

0 answers to this question

Recommended Posts

There have been no answers to this question yet

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...