
Setting up CAC or Smartcard for use with an HP Thin Client

Make sure to start with a fresh and current image. As of this writing that is
5.1.606 revA. Load the image and confirm that the lock in the systray comes up
green after all the rebooting. If you get a red "x", do it again. Now log in as
Administrator (log out while holding the left Shift key) with a password of
Administrator (capital A). Go to Control Panel > Add/Remove Programs and
remove any unnecessary programs. The objective here is to keep the image as
simple as possible. DO NOT REBOOT until you have committed the changes to
flash, either by right-clicking the green lock and choosing Commit or from a
CMD window with "ewfmgr c: -commit".


Once the image is loaded and everything that can be removed through Add/Remove
Programs has been removed, review the "List of Applicable QFEs". The link is
generally on the same page as the image. Review the list to determine which
QFEs might be needed in your specific environment. For example, if you are not
using Internet Explorer and are replacing the shell with a View client, it is
unlikely that the IE QFEs will be applicable or needed in your environment, as
IE will not be used.


Start by downloading the add-ons that are needed from the QFE list to your
workstation, NOT the Thin Client. Create a directory for these, as you will be
downloading many more add-ons later. Remember, keep the image as simple as
possible by removing as much as possible.


Once that is done, go back to the main support page and look through the list
for add-ons that have "Remove" in them. These are the packages that will allow
you to trim down the image even more. If you are not going to use a component,
get the package to remove it if you have not already removed it via the
Add/Remove list. This is also a good time to grab the packages you will need
to add, like the background image utility or wireless support.


If you have an Altiris deployment server, run the packages on the server and
they should deploy themselves into the proper directories to be deployed via
Altiris. Do that, then import the .bin files into the job list and deploy away.


If you don't have Altiris, create a directory in which you can store and
organize all the packages. Run the packages and point them to that directory,
but for each one add a descriptor to the directory path. So for the background
image utility, add "background" to the path so that it deploys the files to
"c:\altiris\background", for example.


After deploying the packages, we need one file and need to look at another. In
the RIPs folder there will be a .exe. This is the file we need to run on the
Thin Client. The variables needed are in a .bat file in the Scripts folder. In
the .bat file there will be a section that says "set PackageOptions=" with a
value after it. This is the value we will need to deploy the package manually.
Also look for a commented section that says ":: Run the RIP with options".
This is the actual command to run the file. Verify what needs to be run there.
In some cases more than one .exe is run; this is where you would find out what
the other .exe is that also needs to run. Now that you have the .exe files and
the instructions to run them, load up a USB key, log in to the Thin Client as
Administrator and start running packages. This will be time consuming, as you
should commit changes to the flash and reboot after each package.
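
As an added illustration (not part of the original article or of HP's tooling), the Python script below pulls the PackageOptions value and the lines that follow the ":: Run the RIP with options" comment out of a package's .bat file, so you can review exactly what will run before typing it on the Thin Client. The sample .bat content, file names and option values are constructed, and the parser assumes the run section ends at the next blank line or comment.

```python
import re

# Constructed sample of a package's Scripts\*.bat file; real packages will differ.
SAMPLE_BAT = r"""@echo off
:: Package settings
set PackageName=background
set PackageOptions=/s /v"/qn"
:: Run the RIP with options
..\RIPs\background.exe %PackageOptions%
..\RIPs\helper.exe /quiet

:: Commit changes
ewfmgr c: -commit
"""

RUN_MARKER = ":: run the rip with options"

def parse_package_bat(text):
    """Return (options, commands): the PackageOptions value and the command
    lines that follow the ':: Run the RIP with options' comment."""
    options = None
    commands = []
    in_run_section = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(?i)set\s+PackageOptions=(.*)$", line)
        if m:
            options = m.group(1).strip()
            continue
        if line.lower().startswith(RUN_MARKER):
            in_run_section = True
            continue
        if in_run_section:
            # Assumption: a blank line or the next comment ends the run section.
            if not line or line.startswith("::"):
                in_run_section = False
                continue
            commands.append(line)  # may be more than one .exe
    return options, commands

def expand(commands, options):
    """Substitute %PackageOptions% so each line can be reviewed and typed by hand."""
    return [re.sub(r"(?i)%PackageOptions%", lambda _: options or "", c)
            for c in commands]

if __name__ == "__main__":
    opts, cmds = parse_package_bat(SAMPLE_BAT)
    print("PackageOptions:", opts)
    for c in expand(cmds, opts):
        print("run:", c)
```
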


Now that the image is clean and trim, it's time to load the CAC drivers and
middleware. Drivers for any CAC readers that might attach to any of the
deployed thin clients should be loaded on the Thin Client. Load those based on
the manufacturer's instructions. Now load the ActivIdentity client on the Thin
Client. Test the drivers and middleware by inserting a CAC into a reader that
has been properly installed, and verify that ActivIdentity is able to see the
card and the certificates on the card. Then verify that Internet Explorer is
able to view the certificates as well.


Now load the View client. If your environment has multiple certificates on
your CAC, you will need to make the following change to the registry to allow
the user to select the correct certificate.


Inc.\VMware VDM\Client\Security\ShowCertificateSelectDialog


Create a REG_SZ value and set it to "true". A list of possible certificates
will now be displayed every time the Client connects to a View environment
with CAC enabled at the gateway.


If you are using the Sygate firewall, be sure to configure it for the ports
needed by View (80, 443 and 3389, depending on your configuration). There is a
policy editor add-on package you can download to assist with making the needed
changes.


The next step would be the optional shell replacement found here.