Citrix PIV/CAC credential passthrough

Howdy!

I’ve been converting my main workstation over to NixOS (from Arch) over the past few months. One sticking point is Citrix. I work, in part, for the VA, and use their Citrix Workspace to access the electronic medical record system (this is the only way to access it off-campus).

Using a prior post here and the Arch Wiki, I was able to get Citrix installed, as well as the needed certs.

Login with PIV card (also called CAC) via the browser (I’ve tried Firefox, Chrome, Chromium) works just fine - it asks me for my pin, authenticates, and I can download the .ica file and launch the VM (without the card inserted, it fails to load the login page, which is the correct behavior).

However, within the Windows VM, doing most things requires secondary authentication, using the PIV card credentials. The Windows VM doesn’t seem to be detecting my card. I’m guessing it’s a passthrough problem, but not sure how to troubleshoot. It works fine on my Arch install, without any configuration beyond what the Arch wiki describes.

My config file is below:

    {
      pkgs,
      ...
    }: let
      # Certs have to be manually downloaded for now (I'm sure it could be scripted).
      # General site (no login required): https://public.cyber.mil/pki-pke/pkipke-document-library/
      # Search for "PKCS," pick the "DoD PKI Only" one.
      # Direct link to specific file as of 2023-09-01: https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip
      # Unzip into 'va-certs' and rm the cruft, then import in this order:
      # (`der`, followed by `root_ca_*`, then `pem`).
      extraCerts = [
        ./va-certs/certificates_pkcs7_v5_12_dod_der.p7b
        ./va-certs/certificates_pkcs7_v5_12_dod_dod_root_ca_3_der.p7b
        ./va-certs/certificates_pkcs7_v5_12_dod_dod_root_ca_4_der.p7b
        ./va-certs/certificates_pkcs7_v5_12_dod_dod_root_ca_5_der.p7b
        ./va-certs/certificates_pkcs7_v5_12_dod_dod_root_ca_6_der.p7b
        ./va-certs/certificates_pkcs7_v5_12_dod_pem.p7b
      ];
    in {
      environment.systemPackages = [
        (pkgs.citrix_workspace.override {inherit extraCerts;})
        pkgs.ccid
        pkgs.opensc
      ];

      services.pcscd.enable = true;
      security.pam.p11.enable = true;
      security.pki.certificateFiles = [
        ./va-certs/certificates_pkcs7_v5_12_dod_pem.p7b # only takes `pem` files
      ];
    }
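A layered check for where the card stops being visible (pcscd socket, reader, PKCS#11 token, Citrix client library), added here as an example and not part of the original post or of any NixOS/Citrix tooling. It assumes the opensc command-line tools are installed, pcsc-lite's default socket at `/run/pcscd/pcscd.comm`, that `P11_MODULE` points at the opensc PKCS#11 module, and that the Citrix `wfica` binary links `libpcsclite.so.1`.

```shell
#!/usr/bin/env sh
# Smart-card visibility triage: pcscd -> reader -> token -> Citrix client.
# Assumptions (see lead-in): opensc tools on PATH, pcsc-lite socket path,
# P11_MODULE naming the opensc PKCS#11 module, wfica linking libpcsclite.
P11_MODULE="${P11_MODULE:-opensc-pkcs11.so}"

# Count readers with a card inserted, given `opensc-tool --list-readers`
# output on stdin (rows start with a reader number; column 2 is Yes/No).
readers_with_card() {
  awk '$1 ~ /^[0-9]+$/ && $2 == "Yes" { n++ } END { print n + 0 }'
}

# Count PKCS#11 tokens (one "token label" line per token) from
# `pkcs11-tool --module $P11_MODULE --list-slots` output on stdin.
pkcs11_tokens() {
  grep -c '^ *token label' || true
}

# Map four check results (0 = ok) to the first failing layer, so the
# logic itself can be exercised without hardware.
#   $1 pcscd socket, $2 card in reader, $3 token via PKCS#11, $4 client lib
diagnose() {
  if [ "$1" -ne 0 ]; then echo "pcscd: socket missing, is services.pcscd running?"
  elif [ "$2" -ne 0 ]; then echo "reader: no card detected, check ccid/udev and the reader"
  elif [ "$3" -ne 0 ]; then echo "pkcs11: card seen but no token, check the opensc module"
  elif [ "$4" -ne 0 ]; then echo "client: wfica cannot load libpcsclite, card cannot reach the session"
  else echo "ok: host side sees the card, look at the Citrix session side"
  fi
}

# Gather live results on this machine and report the first failing layer.
run_all() {
  s1=0; [ -S /run/pcscd/pcscd.comm ] || s1=1
  s2=0; [ "$(opensc-tool --list-readers 2>/dev/null | readers_with_card)" -gt 0 ] || s2=1
  s3=0; [ "$(pkcs11-tool --module "$P11_MODULE" --list-slots 2>/dev/null | pkcs11_tokens)" -gt 0 ] || s3=1
  s4=1; wfica="$(command -v wfica || true)"
  [ -n "$wfica" ] && ldd "$wfica" 2>/dev/null | grep -q 'libpcsclite.so.1 => /' && s4=0
  diagnose "$s1" "$s2" "$s3" "$s4"
}

# Only run the live checks when asked, e.g. `sh triage.sh --run`.
if [ "${1:-}" = "--run" ]; then run_all; fi
```

Run the live checks with the card inserted; the first layer reported as failing is where to look (the host side must see the card before the Citrix session can).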