Citrix Workspace CAC Setup – Accessing DoD Virtual Desktops

Today, I will share it all with you.

Many DoD organizations use Citrix Workspace to provide virtual desktop access. Your CAC authenticates you to the Citrix environment, but getting smart card passthrough working correctly requires specific configuration that nobody explains clearly.

How Citrix CAC Authentication Actually Works

Citrix virtual desktop authentication happens in two distinct phases, and failures at each produce different symptoms:

Phase 1 – Portal Authentication: You authenticate to the Citrix StoreFront or Workspace web portal using your CAC. This proves your identity to access the Citrix environment. If this fails, you can’t get in at all.

Phase 2 – Session Smart Card Passthrough: Once connected to a virtual desktop, your CAC must be “passed through” to the virtual session so applications within Citrix can use it. If this fails, you’re in Citrix but your CAC doesn’t work for anything inside the session.

Knowing which phase is failing saves hours of troubleshooting.

Phase 1 Problems: Can’t Access the Portal

If you can’t authenticate to the Citrix web portal at all:

Certificate chain issues: Your local computer (the physical one you’re sitting at) needs DoD root and intermediate certificates installed. Run InstallRoot on your physical computer — not in a virtual session.

Browser incompatibility: Some Citrix StoreFront configurations work better with specific browsers. If one browser fails, try Internet Explorer, Edge, or Firefox. Yes, sometimes IE still works when nothing else does.

Missing Workspace app: Many DoD Citrix deployments require the Citrix Workspace app installed locally. Download from Citrix or your organization’s software distribution.

Wrong certificate selection: When prompted to select a certificate, choose your DoD email certificate (not your PIV authentication or signature certificate). The correct certificate typically shows your email address.

Phase 2 Problems: Passthrough Fails

Navigate to the Connections or Security section. Ensure the “Smart Card” or “Use local smart card” option is enabled. The exact setting name varies by Workspace app version.

Virtual Channel Configuration: Citrix smart card support uses virtual channels. If these are blocked by your organization’s Citrix policy or your local firewall, passthrough fails silently. Contact your Citrix administrator if you suspect policy restrictions.

Local Smart Card Service: The Smart Card service must be running on your local machine (not just the virtual session). Open services.msc and verify that the “Smart Card” service is running and set to Automatic.
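
The local prerequisites for both phases (DoD roots and intermediates on the physical machine from Phase 1, the Smart Card service from Phase 2) can be checked in one pass. This is an added PowerShell example, not part of the original article; the function names `Get-DodCaCert` and `Get-CacPreflight` and the `*CN=DoD Root CA*` name match are assumptions.

```powershell
# Added example: run on the PHYSICAL machine, not inside the Citrix session.
# Assumption: DoD roots installed by InstallRoot carry "CN=DoD Root CA" in the subject.

function Get-DodCaCert([string[]]$Stores, [string]$Property) {
    # Unexpired certificates whose Subject (roots) or Issuer (intermediates)
    # names a DoD root, de-duplicated across the stores by thumbprint.
    @(Get-ChildItem -Path $Stores |
        Where-Object { $_.$Property -like '*CN=DoD Root CA*' -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object -Property Thumbprint -Unique)
}

function Get-CacPreflight {
    # Phase 2 prerequisite: the local Smart Card service (service name SCardSvr).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SCardSvr'"

    # Phase 1 prerequisite: DoD roots and intermediates in the local stores.
    $roots = Get-DodCaCert -Stores 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root' -Property Subject
    $inter = Get-DodCaCert -Stores 'Cert:\LocalMachine\CA', 'Cert:\CurrentUser\CA' -Property Issuer

    # Personal-store certificates that have a private key. Assumption: with the
    # CAC inserted, Windows has propagated the card's certificates here.
    # The e-mail name and EKUs help tell them apart at the selection prompt.
    $emailType = [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName
    $personal = @(Get-ChildItem -Path 'Cert:\CurrentUser\My' |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        ForEach-Object {
            [pscustomobject]@{
                Subject = $_.GetNameInfo('SimpleName', $false)
                Issuer  = $_.GetNameInfo('SimpleName', $true)
                Email   = $_.GetNameInfo($emailType, $false)
                EKU     = ($_.EnhancedKeyUsageList.FriendlyName -join ', ')
            }
        })

    [pscustomobject]@{
        SmartCardServiceState     = if ($svc) { $svc.State } else { 'NotFound' }
        SmartCardServiceStartMode = if ($svc) { $svc.StartMode } else { 'NotFound' }
        DoDRootCount              = @($roots).Count
        DoDIntermediateCount      = @($inter).Count
        PersonalCertificates      = $personal
    }
}

$report = Get-CacPreflight
$report | Format-List -Property SmartCardService*, DoD*Count
$report.PersonalCertificates | Format-Table -AutoSize
```

A root or intermediate count of zero points at Phase 1; a stopped or missing Smart Card service points at Phase 2.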

Certificate Installation Inside Virtual Sessions

Even with working passthrough, the virtual desktop needs DoD certificates too. Your first connection to a new virtual desktop may require:

  1. Running InstallRoot inside the virtual session
  2. Configuring browser certificate stores within the session
  3. Importing certificates to the virtual desktop’s certificate stores

If your organization uses non-persistent virtual desktops that reset between sessions, you may need to install certificates each time. Ask your IT department if certificates can be pre-installed in the desktop image — this should be standard but often isn’t.

Reader Compatibility

Most standard CAC readers work fine with Citrix, but some combinations of reader, driver, and Citrix version occasionally cause problems. If passthrough works on one computer but not another with the same Citrix setup, the reader or driver is your likely culprit.

Try a different reader or update the reader driver on the problematic machine.

macOS and Linux Citrix Users

Non-Windows Citrix clients support smart card passthrough, but configuration differs. macOS users need to install the Citrix Workspace app from Citrix (not the App Store version, which has limitations). Ensure your local smart card middleware is working before troubleshooting Citrix-specific issues.

Linux users face additional complexity with pkcs11 library configuration. The Citrix Workspace for Linux documentation covers smart card setup, but expect more troubleshooting than Windows or macOS.

When All Else Fails

If you’ve verified both phases, installed certificates everywhere, and passthrough still fails:

  • Clear the Citrix Workspace app cache and re-authenticate
  • Reboot your local machine (clears various smart card caches)
  • Try a different CAC reader
  • Check with your organization’s Citrix administrators for known issues or policy changes
  • Verify your CAC works outside of Citrix (MilConnect, other CAC-enabled sites)

Citrix CAC authentication has a lot of moving parts, but once configured correctly, it works reliably. Most issues stem from missing certificates on one end or the other, or Workspace app settings that need adjustment.

Mike Thompson

Author & Expert

Mike Thompson is a former DoD IT specialist with 15 years of experience supporting military networks and CAC authentication systems. He holds CompTIA Security+ and CISSP certifications and now helps service members and government employees solve their CAC reader and certificate problems.
