
Setting up CAC or Smartcard for use with an HP Thin Client


Make sure to start with a fresh and current image. As of this writing that is 5.1.606 revA. Load the image and confirm that the lock icon in the systray comes up green once all the reboots have finished. If you get a red “x”, do it again.

Now log in as Administrator (log out while holding the left Shift key) with a password of Administrator (capital A). Go to Control Panel > Add/Remove Programs and remove any unnecessary programs. The objective here is to keep the image as simple as possible. DO NOT REBOOT until you have committed the changes to flash, either by right-clicking the green lock and choosing Commit or from a CMD window with “ewfmgr c: -commit”.

Once the image is loaded and everything that can be removed through Add/Remove Programs has been removed, review the “List of Applicable QFEs”. The link is generally on the same page as the image. Review the list to determine which QFEs are needed in your specific environment. For example, if you are not using Internet Explorer and are replacing the shell with a View client, the IE QFEs are unlikely to be applicable, as IE will not be used.

Start by downloading the add-ons that are needed from the QFE list to your workstation, NOT the Thin Client. Create a directory for these, as you will be downloading many more add-ons later. Remember, keep the image as simple as possible by removing as much as possible.

Once that is done, go back to the main support page and look through the list for add-ons that have “Remove” in their names. These are the packages that will allow you to trim down the image even more. If you are not going to use a component, get the package to remove it if you have not already removed it via the Add/Remove list. This is also a good time to grab the packages you will need to add, like the background image utility or wireless support.

If you have an Altiris deployment server then run them on the server and they should deploy themselves in the proper directories to be deployed via Altiris. Do that and then import the .bin files into the job list and deploy away.

If you don’t have Altiris, create a directory in which you can store and organize all the packages. Run the packages and point them to that directory, but for each one append a descriptor to the directory path. So for the background image utility, add “background” to the path so it will deploy the files to “c:\altiris\background”, for example.

After deploying the packages, we need one file and need to look at another. In the RIPs folder there will be a .exe. This is the file we need to run on the Thin Client. The variables needed are in a .bat file in the Scripts folder. In the .bat file there will be a section that says “set PackageOptions=” with a variable after it. This is the variable we will need to deploy the package manually. Also look for a commented section that says “:: Run the RIP with options”. This is the actual command to run the file. Verify what needs to be run there. In some cases more than one .exe is run, and this is where you would find out what the other .exe is. Now that you have the .exe files and the instructions to run them, load up a USB key, log into the Thin Client as Administrator and start running packages. This will be time consuming, as you should commit changes to the flash and reboot after each package.

Now that the image is clean and trim, it’s time to load the CAC drivers and middleware. Drivers for any CAC readers that might attach to any of the deployed thin clients should be loaded on the Thin Client. Load those based on the manufacturer’s instructions. Now load the ActivIdentity client onto the Thin Client. Test the drivers and middleware by inserting a CAC into a reader that has been properly installed and verify that ActivIdentity is able to see the card and the certificates on the card. Then verify that Internet Explorer is able to view the certificates as well.

Now load the View client. If your environment has multiple certificates on your CAC then you will need to make the following change to the registry to allow the user to select the correct certificate.

HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Client\Security\ShowCertificateSelectDialog

Create a REG_SZ value and set it to “true”. A list of possible certificates will now be displayed every time the client connects to a View environment with CAC enabled at the gateway.
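
The registry change above as a CMD batch file, written as an added example that is not part of the original post. It assumes ShowCertificateSelectDialog is the value name under the Client\Security key and that reg.exe and findstr are present in the image, and it commits with the same ewfmgr command used earlier so the change survives a reboot.

```batch
@echo off
rem Added example, not from the original post.
rem Assumption: ShowCertificateSelectDialog is a REG_SZ value under the
rem ...\Client\Security key; reg.exe and findstr exist in the image.
setlocal
set "KEY=HKLM\SOFTWARE\VMware, Inc.\VMware VDM\Client\Security"
set "VAL=ShowCertificateSelectDialog"

rem Write the value; /f overwrites an existing value without prompting.
reg add "%KEY%" /v %VAL% /t REG_SZ /d true /f
if errorlevel 1 (
    echo Failed to write %VAL%; nothing committed.
    exit /b 1
)

rem Read the value back and confirm type and data before committing.
reg query "%KEY%" /v %VAL% | findstr /i /r "REG_SZ.*true" >nul
if errorlevel 1 (
    echo %VAL% is not REG_SZ "true"; nothing committed.
    exit /b 1
)

rem Without a commit the write filter discards the change at reboot.
ewfmgr c: -commit
if errorlevel 1 (
    echo ewfmgr reported an error; the change may be lost on reboot.
    exit /b 1
)
echo %VAL% set and commit requested.
```

Run it while logged in as Administrator, before the next reboot.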

If using the Sygate firewall, be sure to configure it for the ports needed by View (80, 443 and 3389, depending on your configuration). There is a policy editor add-on package you can download to assist with making the needed changes.

The next step would be the optional shell replacement found here.

http://blogs.vmware.com/view/2009/02/vmware-view-client-as-a-shell-for-xpe-and-xp-pro-clients.html


Written by Jason Marshall

May 20th, 2009 at 9:41 pm