Smart Card Pass-through

Kasm Workspaces supports passing through smart card devices directly into RDP-based Kasm sessions. This feature enables users to use their physical smart cards within Windows applications and systems, supporting various use cases such as PIN-based authentication, digital signing, and certificate-based operations.

Note

Smart card pass-through is available using the web native client when accessing Kasm Workspaces from a ChromeOS host or through the RDP local client.

Configuration

Windows Target Environments

Prepare the environment by installing the manufacturer provided drivers, middleware, and certificates for the smart card readers and smart cards that will be used.

For Web Native Client on ChromeOS

To enable this feature:

Install the Google Smart Card Connector App from the Chrome Web Store.
Install the DriveLock Smart Card Middleware (CSSI) from the Chrome Web Store
Install the Kasm Workspaces Smart Card Extension from the Chrome Web Store.
Ensure the allow_kasm_rdp_smart_card_passthrough Group Setting is set to true prior to launching the session.
Launch an RDP-based Kasm session through web native client on a ChromeOS device.
The smart card should now be automatically detected and passed through to the RDP session.

For RDP Local Client

Ensure you are using a supported client for smart card redirection. Clients that Kasm Technologies has tested are the following: Microsoft RDP client on windows (mstsc.exe), Microsoft RDP client for MacOS, Windows App for MacOS, and XtraLogic client for ChromeOS.
Ensure the allow_kasm_rdp_smart_card_passthrough Group Setting is set to true prior to launching the session.
Launch an RDP-based Kasm session through RDP local client using one of the above supported clients.
The smart card should now be automatically detected and passed through to the RDP session.

Technical Details

For Web Native Client

This feature works by extending the guacamole protocol to enable smart card passthrough capabilities. The implementation leverages the Remote Desktop Protocol’s smart card channel to securely transmit smart card operations between the client and the remote Windows system. While the implementation is PC/SC (Personal Computer/Smart Card) compliant, the available functions are limited to the functionality provided by the ChromeOS Smart Card Connector App. Any application attempting to use a PC/SC function unsupported on ChromeOS will receive an S_CARD_E_UNSUPPORTED error code as per PC/SC standard.

Due to the nature of smart card passthrough, cache related functionality (which is normally part of the Windows platform) had to be emulated. For security reasons, the corresponding PC/SC functions (SCardReadCache and SCardWriteCache) are implemented in the Chrome extension rather than on the server side. This approach ensures that sensitive cached smart card data remains local to the user’s browser.

For RDP Local Client

This feature is implemented via the RDP client’s implementation of the feature and may have limitations based on that specific implementation.

Troubleshooting For Web Native Client

If you encounter issues with smart card passthrough:

Ensure your smart card reader is properly connected
Ensure the allow_kasm_rdp_smart_card_passhtrough group setting is enabled
Ensure the Google Smart Card Connector App Chrome extension is enabled
Ensure the DriveLock Smart Card Middleware (CSSI) Chrome extension is enabled
Ensure the Kasm Workspaces Smart Card Extension Chrome extension is enabled
Ensure that any drivers, middleware, or certificates that are required by the smartcard and smartcard reader manufacturers are installed on the system.
If the smart card appears to be in an unresponsive state, try removing and reinserting the card

If you’re still experiencing issues, these additional troubleshooting tools are available:

Client-side Troubleshooting:

Check chrome://extensions and inspect the Kasm Workspaces Smart Card Extension service worker for detailed logs about client-side smart card operations.

Server-side Troubleshooting:

Check the kasm_guac container logs for smartcard related messages
Look for a Registering smartcard container log message to confirm smartcard support was enabled for the session

Diagnostic Tools:

Open Command Prompt or PowerShell in the Windows session
Run certutil -scinfo to get detailed information about connected smart card readers and cards. This tool can help identify if Windows properly recognizes the smart card hardware.

For certificate-enabled smartcards:

Verify the certificate has been recognized:
- Press Win + R, type certmgr.msc, and press Enter.
- In the left pane, expand Personal → Certificates.
- Look for a certificate issued by your smartcard’s Certificate Authority.
In case of a missing client certificate, verify the presence of necessary configuration entries in the Windows registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards for your smartcard. Missing entries can prevent proper smartcard certificate propagation, affecting smartcard functionality.

Troubleshooting For RDP Local Client

Ensure your smart card reader is properly connected
Ensure the allow_kasm_rdp_smart_card_passhtrough group setting is enabled
Ensure that any drivers, middleware, or certificates that are required by the smartcard and smartcard reader manufacturers are installed on the system.
If the smart card appears to be in an unresponsive state, try removing and reinserting the card

If you’re still experiencing issues:

Check the documentation and troubleshooting guides for the RDP client.

Diagnostic Tools:

Open Command Prompt or PowerShell in the Windows session
Run certutil -scinfo to get detailed information about connected smart card readers and cards. This tool can help identify if Windows properly recognizes the smart card hardware.