VMware and VirtualBox CAC Passthrough: Virtual Machine Setup

Getting CAC to Work in Virtual Machines

Running DoD applications in a virtual machine sounds convenient until you realize your CAC doesn’t work. VMware Workstation, VirtualBox, and other hypervisors don’t automatically pass USB devices to guest operating systems—you need explicit configuration for smart card passthrough.

This guide walks through CAC setup for the two most common virtualization platforms used by DoD contractors and teleworkers: VMware Workstation/Player and Oracle VirtualBox.

VMware Workstation CAC Passthrough

VMware supports USB passthrough natively, but smart cards require specific attention. There are two approaches: passing through the entire USB CAC reader device, or using VMware’s smart card sharing feature.

USB Device Passthrough (Recommended):

With your VM powered off, go to VM > Settings > USB Controller. Ensure “USB compatibility” is set to USB 2.0 or USB 3.0 (match your physical CAC reader type—most work best with USB 2.0 compatibility selected).

Power on the VM and insert your CAC. Go to VM > Removable Devices and find your CAC reader (typically shows as “SCM Microsystems” or “ACS” depending on your reader model). Select “Connect (Disconnect from host).”

The guest OS now has exclusive access to your CAC reader. You’ll need to install the appropriate drivers inside the guest if it doesn’t recognize the reader automatically.

Smart Card Sharing:

VMware Workstation Pro supports smart card sharing without USB passthrough. This keeps the reader connected to the host while sharing certificates with the guest. Enable this in VM > Settings > Options > USB > Share smart cards with the virtual machine.

Smart card sharing works well when you need CAC access on both host and guest simultaneously, but some DoD applications are finicky about this approach. If you encounter issues, switch to full USB passthrough.

VirtualBox CAC Setup

Oracle VirtualBox requires the Extension Pack for USB 2.0/3.0 support—the base VirtualBox installation only supports USB 1.1, which causes reliability issues with CAC readers. Download and install the Extension Pack from the VirtualBox website before proceeding.

Shut down your VM and open Settings. Navigate to USB and select “USB 2.0 (EHCI) Controller” or “USB 3.0 (xHCI) Controller.” Click the “Add USB device filter” icon (USB plug with plus sign).

Connect your CAC reader and insert your CAC. In the USB device filter dialog, your reader should appear in the dropdown. Select it to create a filter. This tells VirtualBox to automatically pass this specific device to the guest whenever it’s connected.

Start your VM. Open Device Manager in the guest to confirm the CAC reader is present. If Windows doesn’t recognize the reader, you may need to install drivers manually from your reader manufacturer’s website.
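The same filter can be created from the host command line. The script below is an added example, not part of the original guide: it reads `VBoxManage list usbhost` output and prints a `VBoxManage usbfilter add` command pinned to the reader's vendor and product IDs, so only that device is handed to the guest (a filter with every field left empty matches any USB device). The VM name `Win10-DoD`, the filter name and the sample device listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout printed by `VBoxManage list usbhost`.
# The UUIDs, IDs and device names are illustrative, not captured output.
SAMPLE_USBHOST='Host USB Devices:

UUID:               11111111-2222-3333-4444-555555555555
VendorId:           0x046d (046D)
ProductId:          0xc52b (C52B)
Manufacturer:       Logitech
Product:            USB Receiver
Current State:      Busy

UUID:               66666666-7777-8888-9999-000000000000
VendorId:           0x04e6 (04E6)
ProductId:          0x5116 (5116)
Manufacturer:       SCM Microsystems Inc.
Product:            SCR3310 v2.0 USB SC Reader
Current State:      Available'

# reader_filter_cmd VM PATTERN   (usbhost listing on stdin)
# Prints one filter command for the first device whose Manufacturer or
# Product line contains PATTERN (case-insensitive). Nothing is executed.
# Returns 1 when no device matches, so a typo never yields a broad filter.
reader_filter_cmd() {
  awk -v vm="$1" -v pat="$2" '
    function emit() {
      if (vid != "" && hit && !found) {
        printf "VBoxManage usbfilter add 0 --target \"%s\" --name \"CAC reader\" --vendorid %s --productid %s\n", vm, vid, pid
        found = 1
      }
      vid = ""; pid = ""; hit = 0
    }
    /^UUID:/      { emit() }                 # a new device block starts
    /^VendorId:/  { vid = substr($2, 3) }    # strip the leading 0x
    /^ProductId:/ { pid = substr($2, 3) }
    /^(Manufacturer|Product):/ { if (index(tolower($0), tolower(pat))) hit = 1 }
    END { emit(); exit(found ? 0 : 1) }
  '
}

# Live use on the host: VBoxManage list usbhost | reader_filter_cmd "Win10-DoD" "SCM"
printf '%s\n' "$SAMPLE_USBHOST" | reader_filter_cmd "Win10-DoD" "SCM"
```

The USB 2.0 or 3.0 controller still has to be selected for the VM as described above before the filter takes effect.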

Guest Operating System Configuration

Once the CAC reader is passing through to your VM, the guest operating system still needs proper configuration:

Install DoD Certificates: Run InstallRoot inside the guest VM. The host’s certificate installation doesn’t transfer to guests—each VM needs its own certificate chain installed.

Smart Card Services: Ensure the Smart Card service is running in the guest (services.msc > Smart Card). Some VM templates disable this service by default.

Browser Configuration: Each browser in the guest needs its own certificate and security device configuration. Don’t assume Firefox or Chrome will automatically find your CAC.

Common Issues and Solutions

Reader Connects But No Card Detected: Try USB 2.0 mode instead of USB 3.0 in your VM settings. USB 3.0 passthrough is less reliable for smart cards in some hypervisor versions.

Reader Keeps Disconnecting: Disable USB selective suspend on the host machine. VM USB passthrough is sensitive to power management interruptions.

Slow Card Response: If PIN entry or certificate selection takes forever, your VM may be resource-constrained. Ensure the guest has adequate RAM (minimum 4GB for DoD workloads) and CPU allocation.

No PIN Prompt: The smart card minidriver may not be installed in the guest. For Windows guests, the inbox drivers usually work, but some readers need vendor-specific middleware. Check Device Manager for any yellow warning icons.

Linux Guest Considerations

For Linux VMs, USB passthrough works similarly, but you’ll need OpenSC and appropriate PKCS#11 modules installed in the guest. The pcsc-lite package provides the PC/SC layer for smart card communication. Configure your browser to use the OpenSC PKCS#11 module for CAC certificate access.
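For the browser step, this added example (not from the original guide) locates the OpenSC PKCS#11 library in the guest and prints the NSS `modutil` command that registers it in the shared database Chrome and Chromium use. The candidate directories, the module label `OpenSC` and the optional `ROOT` prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# find_opensc_module [ROOT]
# A PKCS#11 module is native code loaded into the browser process, so only
# accept the library from a system directory and refuse a world-writable file.
# ROOT is a hypothetical prefix used for testing; leave it empty in a guest.
find_opensc_module() {
  root=${1:-}
  for dir in usr/lib/x86_64-linux-gnu usr/lib64 usr/lib64/pkcs11 usr/lib; do
    lib="$root/$dir/opensc-pkcs11.so"
    [ -f "$lib" ] || continue
    # -L follows the symlink some distros install, checking the real file.
    if [ -n "$(find -L "$lib" -perm -0002)" ]; then
      echo "refusing world-writable module: $lib" >&2
      return 2
    fi
    printf '%s\n' "$lib"
    return 0
  done
  return 1
}

# nss_register_cmd MODULE [DBDIR]: print the command; nothing is executed.
nss_register_cmd() {
  printf 'modutil -dbdir sql:%s -add "OpenSC" -libfile %s\n' \
    "${2:-$HOME/.pki/nssdb}" "$1"
}

# cac_browser_setup [ROOT]: say what is missing, or print the next command.
cac_browser_setup() {
  if lib=$(find_opensc_module "${1:-}"); then
    nss_register_cmd "$lib"
  else
    echo "no usable opensc-pkcs11.so: install OpenSC in the guest" >&2
    return 1
  fi
}

cac_browser_setup || true
```

Firefox keeps its own module list per profile; load the same library path there through its Security Devices settings.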

Testing Your Setup

After configuration, test by accessing a DoD PKI-enabled site like milConnect or your organization’s web portal. If you can successfully authenticate with your CAC inside the VM, your passthrough configuration is working correctly. Bookmark that site as your “CAC test page” for future troubleshooting.

John Bigley

John Bigley is a former DoD IT specialist with over 12 years of experience supporting CAC authentication systems and military network infrastructure. He specializes in troubleshooting smart card issues and helping service members navigate DoD technology requirements.
