Fast Smartcard is Here!
Fast Smartcard (Smartcard v3)
Part of the XenApp & XenDesktop 7.18 release is a redesign of the smartcard virtual channel using what we learned from implementing the Federated Authentication Service (FAS).
The goal of v3 (version 3) is to provide a superior user experience to smartcard users accessing an environment over the WAN. To understand how that happens I first need to break down how smart cards have traditionally been handled.
How traditional smart card access works
Both the v1 and v2 implementations of smartcard talk to the card directly at the PC/SC level (Personal Computer/Smart Card). PC/SC sits below the cryptographic layer containing middleware and is very chatty. With the old paradigm of physical machines at one’s desk, this was perfectly fine and did not impact the user experience much, if any. Moving to virtual applications and desktops over the LAN, the impact of using PC/SC was still small, as most LANs have very low latency. The problems start to surface as you move to the WAN.
The problem of latency
With the varying quality of WAN connections, users start to see more and more delays due to the chatty nature of PC/SC. Say a request to get a certificate from a smartcard requires 100 PC/SC API calls at the end user device. Run those calls over a link with 100ms of latency and it will take 200ms to get the responses. Those 100 calls add 20,000ms, or 20 seconds, of delay when obtaining that certificate. Most cards have multiple certificates so imagine how quickly this adds up when enumerating the certificates on the smartcard is required.
Smart card v1 and v2
Smart card v1 handled these calls sequentially regardless of their dependency on each other. The release of smart card v2 improved logon times by processing some calls in parallel, but did not really help in-session performance. As long as all interactions with the smart card are done at the PC/SC level, WAN users will continue to get delays based on the quality of the connection. Enter smart card v3, which we like to call Fast Smartcard!
Fast Smartcard to the rescue!
Fast Smartcard obtains its improved performance by expanding on the virtual smartcard feature created for FAS. The majority of operations are now processed at the cryptographic level on the end user device, reserving PC/SC calls for things such as enumerating smartcard readers and detecting inserted cards. Let us go back to the example of requesting a certificate. With smart card v3 a request for the certificate can be made to the cryptographic layer on the end user device, letting it handle the chatty requests to retrieve the certificate.
This brings an improvement throughout the session for operations such as the following:
- Logon to the VDA
- Selecting a certificate to log onto a website
- Authenticating with a certificate to Exchange via Outlook
- S/MIME operations
- Digital signing of documents and more
Reducing the number of calls
As explained above, moving up to the crypto level of the stack helps drastically reduce the number of calls to the smart card. This is a metric you can find in our HDX Monitor tool. When looking at the smart card section, go to the WMI tab and look for the number of executed SCard calls.
Launching HDX monitor immediate after the user session started showed the number of calls dropped to 147 from 454 by enabling smart card v3. This is about a one third drop, which will really make a difference as latency increases. For example, below are some times taken to digitally sign a document with various amounts of connection latency.
What are the limitations?
Being that smartcard v3 is part of the 7.18 release, you of course need the 7.18 VDA and matching Receiver. However, there are some limitations to this initial release.
• Windows VDA 7.18; running on Windows Server 2012R2, Windows Server 2016, or Windows 10
• Windows Server 2019 expected to work but testing is on going
• Windows Receiver 4.12
• Smart card v3 cannot be used to double hop into RDP with smart card authentication
• HDX monitor does not at this time report that v3 is in use (use certutil within session to see “CitrixCard#1”)
I would like to call out that the release does support multiple readers and does support an ICA double-hop. Check our documentation for more information on enabling Fast Smartcard.