CAPI SmartCard is not recognized in Citrix / RDP Terminalserver Scenario #131

Open
WG-DL opened this issue Jun 28, 2024 · 9 comments

@WG-DL

WG-DL commented Jun 28, 2024

We are trying to use PuTTY CAC together with a YubiKey Certificate (CAPI) on a Jumphost. However, when entering the username associated with the Certificate, the SmartCard prompt appears showing "Connect a smart card". The SmartCard is connected and works as normal in RDP Sessions.

How can this be fixed?


@NoMoreFood
Owner

This is usually an environment configuration issue. Many, many people do this every day. When you run certutil -scinfo from the command line, do all the prompts perform as normal or do you see that same behavior?

@WG-DL
Author

WG-DL commented Jun 28, 2024

When I execute certutil -scinfo from the same session I get all outputs just as I get them locally (CMD Output and Certlist at the end).

@NoMoreFood
Owner

Are you able to select the CAPI certificate from the PuTTY CAPI selection dialog? Is it just signing?

@WG-DL
Author

WG-DL commented Jul 1, 2024

Yes, I am able to select the CAPI Certificate from the CAPI selection dialog. That's how I added it to the Pageant Key list. Certificate Purpose is Client Authentication and SmartCard Logon.

@NoMoreFood
Owner

We use Citrix in this exact same way but don't seem to have this problem for some reason. Is there any way you could provide a way for me to reproduce it within your environment (e.g., test tenant)?

@fecorreiabr

I'm facing the same issue in a Citrix environment. PuTTY won't show the signing application (SafeNet here).
I noticed that the CertPropSvc service is not running. Would this be responsible for the issue? Is this service mandatory for PuTTY? I can use the smartcard in website applications normally.

@NoMoreFood
Owner

@fecorreiabr Can you provide me the output of certutil -scinfo -silent and email it to me? Or post it here? I'm wondering if this is caused by the new Citrix VDA where they override the default Microsoft CSP to accelerate cryptographic operations. If so, I can probably adjust PuTTY CAC to make it work.

@NoMoreFood
Owner

NoMoreFood commented Aug 28, 2024

Thank you for the email with certutil output. Can you confirm whether or not you have the issue when you are directly RDPing to the exact same system (vice using Citrix) if that's an option? Also, what version of the Citrix client and server software are in use? I just tried with 2402 LTSR and did not have any problems. Also make sure you're using a 64-bit version of PuTTY CAC if running on a 64-bit OS.

@fecorreiabr

> Thank you for the email with certutil output. Can you confirm whether or not you have the issue when you are directly RDPing to the exact same system (vice using Citrix) if that's an option? Also, what version of the Citrix client and server software are in use? I just tried with 2402 LTSR and did not have any problems. Also make sure you're using a 64-bit version of PuTTY CAC if running on a 64-bit OS.

We figured out the problem. Our Citrix provider was doing SSL/SSH inspection in network packets, similar to the behavior described here and here. After disabling it with an exception rule for our IP, the connection using the smartcard worked as expected.
