Citrix Workspace and CAC: Virtual Desktop Access for DoD
Many DoD organizations use Citrix Workspace to provide virtual desktop access. Your CAC authenticates you to the Citrix environment, but getting smart card passthrough working correctly requires specific configuration. This guide covers common Citrix CAC issues and their solutions.
Understanding Citrix CAC Authentication
Citrix virtual desktop authentication with CAC works in two phases:
Phase 1 – Portal Authentication: You authenticate to the Citrix StoreFront or Workspace web portal using your CAC. This proves your identity to access the Citrix environment.
Phase 2 – Session Smart Card Passthrough: Once connected to a virtual desktop, your CAC must be “passed through” to the virtual session so applications within Citrix can use it. This is similar to RDP smart card passthrough.
Failures can occur at either phase, producing different symptoms.
Phase 1 Issues: Can’t Access Citrix Portal
If you can’t authenticate to the Citrix web portal at all:
Certificate chain problems: Your local computer needs DoD root and intermediate certificates installed. Run InstallRoot on your physical computer (not in a virtual session).
Browser compatibility: Some Citrix StoreFront configurations work better with specific browsers. If one browser fails, try Internet Explorer, Edge, or Firefox.
Citrix Workspace app requirements: Many DoD Citrix deployments require the Citrix Workspace app to be installed locally. Download it from Citrix or your organization’s software distribution.
Certificate selection: When prompted to select a certificate, choose your DoD email certificate (not your PIV authentication or signature certificate). The correct certificate typically shows your email address.
Phase 2 Issues: Smart Card Passthrough Fails
You can access the Citrix portal, but your CAC doesn’t work inside virtual sessions:
Citrix Workspace Settings:
Open the Citrix Workspace app preferences. Navigate to the Connections or Security section. Ensure the “Smart Card” or “Use local smart card” option is enabled. The exact setting name varies by Workspace app version.
Virtual Channel Configuration:
Citrix smart card support uses virtual channels. If these are blocked by your organization’s Citrix policy or your local firewall, passthrough fails. Contact your Citrix administrator if you suspect policy restrictions.
Local Smart Card Service:
The Smart Card service must be running on your local machine (not just the virtual session). Open services.msc and verify that the “Smart Card” service is running and set to Automatic.
Installing Certificates in Virtual Sessions
Even with working passthrough, the virtual desktop needs DoD certificates too. Your first connection to a new virtual desktop may require:
1. Running InstallRoot inside the virtual session
2. Configuring browser certificate stores within the session
3. Importing certificates to the virtual desktop’s certificate stores
If your organization uses non-persistent virtual desktops that reset between sessions, you may need to install certificates each time. Ask your IT department if certificates can be pre-installed in the desktop image.
Reader Compatibility Considerations
Some CAC reader models work better with Citrix than others. The SCR3310 and ACR39U typically work well. Older or unusual readers may have driver issues that affect Citrix passthrough even when they work locally.
If passthrough fails with one reader, test with a known-compatible reader before extensive troubleshooting.
Citrix Receiver vs. Workspace App
Citrix Receiver is the legacy client; Citrix Workspace is the current version. DoD Citrix environments may support one or both. Smart card configuration differs slightly between them.
If you’re having issues with one client, try the other. Some organizations mandate specific client versions—check with your help desk before installing.
Browser-Based vs. Native Citrix Sessions
Citrix can launch sessions in-browser (HTML5 mode) or via the native Workspace app. Smart card passthrough is generally more reliable with the native app. If browser sessions fail, try:
1. Install Citrix Workspace app
2. In the Citrix portal, click account settings or preferences
3. Select “Citrix Workspace app” instead of “Use light version” or “Use browser”
4. Launch sessions again
Connection Quality Issues
Citrix smart card passthrough is sensitive to network latency. On high-latency connections:
- PIN prompts may time out before you can respond
- Certificate selection dialogs may freeze
- Authentication may fail intermittently
If you experience these issues on slow connections, there may be little you can do beyond improving your network quality. Hard-wired connections are more reliable than WiFi for Citrix CAC sessions.
Troubleshooting Checklist
When Citrix CAC access fails, work through this checklist:
- CAC works on local applications (test outside Citrix first)
- DoD certificates installed on local machine
- Smart Card service running locally
- Citrix Workspace app installed and current
- Smart card option enabled in Workspace app settings
- Correct certificate selected at portal login
- Native app mode selected (not browser/HTML5)
- DoD certificates installed in virtual desktop
If all these items check out and you still have issues, escalate to your Citrix administrator. The problem may be policy-level configuration that only they can address.
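The checklist items that can be read from the machine itself (Smart Card service, reader, DoD certificates, Workspace app) can be checked in one pass with the PowerShell below, which is an added example and not part of the original guide or of any Citrix or DoD tool. The function name Test-CacPrereq, the subject and issuer match strings, and the uninstall-registry lookup for the Workspace app are assumptions.

```powershell
# Added example: pre-flight for the checklist items readable from the machine.
function Test-CacPrereq {
    $r   = [ordered]@{}
    $now = Get-Date

    # Smart Card service (service name SCardSvr): running, startup type Automatic.
    $svc = Get-Service -Name SCardSvr -ErrorAction SilentlyContinue
    $r['Smart Card service running']   = ($null -ne $svc -and $svc.Status -eq 'Running')
    $r['Smart Card service Automatic'] = ($null -ne $svc -and $svc.StartType -eq 'Automatic')

    # At least one smart card reader that Windows reports as healthy.
    $readers = @(Get-PnpDevice -Class SmartCardReader -Status OK -ErrorAction SilentlyContinue)
    $r['Smart card reader detected'] = ($readers.Count -gt 0)

    # Unexpired DoD root CAs in the trusted root stores (assumed subject pattern).
    $roots = @(Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { $_.Subject -like '*DoD Root CA*' -and $_.NotAfter -gt $now })
    $r['DoD root CA trusted'] = ($roots.Count -gt 0)

    # Unexpired intermediates issued by a DoD root (Intermediate CA stores).
    $inter = @(Get-ChildItem Cert:\LocalMachine\CA, Cert:\CurrentUser\CA |
        Where-Object { $_.Issuer -like '*DoD Root CA*' -and $_.NotAfter -gt $now })
    $r['DoD intermediate CAs present'] = ($inter.Count -gt 0)

    # CAC certificates visible to the logged-on user (assumed issuer pattern).
    # Requires the card to be inserted; expired certificates do not count.
    $cac = @(Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -like '*OU=DoD*' -and $_.NotAfter -gt $now })
    $r['CAC certificates visible'] = ($cac.Count -gt 0)

    # Citrix Workspace app listed among installed programs (assumed DisplayName).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $app = @(Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Citrix Workspace*' })
    $r['Citrix Workspace app installed'] = ($app.Count -gt 0)

    # One row per check so failures are easy to spot.
    $r.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Pass = $_.Value }
    }
}

Test-CacPrereq | Format-Table -AutoSize
```

Run it on the physical computer first, then inside the virtual session to check the session’s certificate stores. The Workspace smart card setting, the certificate chosen at portal login, and the native-versus-browser launch mode are not visible to the script and still need a manual check.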
Citrix CAC authentication requires coordination between your local system, the Citrix infrastructure, and the virtual desktop. When it works, it’s seamless. When it doesn’t, methodically checking each component usually reveals the problem.