NoMoreFood / putty-cac

Windows Secure Shell Client With Support For Smart Cards, Certificates, & FIDO Keys

PuTTY-CAC from Windows VM running in QEMU/KVM #116

Closed ferragusNM closed 9 months ago

ferragusNM commented 12 months ago

Here's the setup: FreeIPA with external trust to a (.gov) Active Directory controller. PuTTY-CAC to a client Linux box from a physical Windows workstation (Win10) works fine. On a Linux workstation, using QEMU Virtual Machine Manager, we open a console into a locally running VM with Windows 10 on it. Using USB redirection we supply the PIV card to said VM and all is well. From the VM, RDP into other Windows resources is also fine, but PuTTY-CAC into the Linux client now fails. Any ideas on if I should even try to figure this out? From native Linux I can use OpenSSH and pcscd to make the SSH connection, so I can live without PuTTY-CAC on the Windows VM running on that system.
Thoughts and comments appreciated.

NoMoreFood commented 12 months ago

I can’t say I’ve run across that particular setup.

RDP often takes a specialized route for smartcard redirection, so that may be why it behaves differently. Do you have the smartcard minidriver (e.g., OEM or ActivClient) installed on the VM, and is it the same version as on the physical client?

Also does certutil -scinfo complete successfully on both?

ferragusNM commented 12 months ago

Interesting. I'm working remote today, so I'm on the physical Windows workstation and VPN'd into the systems in question (which is the setup that works without problems - maybe I can use this to pitch going back to 100% WFH?). Ran certutil -scinfo on the physical box just to have a baseline, no problems of course, then RDP'd into a VMware Windows VM (where PuTTY-CAC works) and the certutil command hangs. So as you said, "RDP often takes a specialized route for smartcard redirection". I'll be in the office Friday where I can test things further. Thanks and Happy Thanksgiving!

NoMoreFood commented 11 months ago

@ferragusNM Any luck with this?

rbability commented 10 months ago

I am not sure if this applies to your setup, but working with Windows, RDP, Certificates, FIDO and PuTTY-CAC I observed the following:

  1. To use certificates from a YubiKey with PuTTY-CAC we need to forward not the YubiKey / USB to an RDP session, but the smartcards. This is an option in the RDP client on Windows at least. And this way smartcards can work through a long chain of RDP sessions if one wants to do that.
  2. To use FIDO from a YubiKey with PuTTY-CAC in an RDP session, we need to enable RemoteFX USB Redirect, and the 2 OSes involved need to support it. The latter is not true for older Windows 10 builds or Windows Server below 2022. So with a relatively recent Windows 10 / 11 client connecting to a Server 2022 RemoteFX USB Redirect enabled RDP session, we can forward the YubiKey properly and PuTTY-CAC is able to utilize its FIDO function. I wrote about it in more detail here: https://github.com/NoMoreFood/putty-cac/issues/106

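The two redirection paths above can be pinned down in the `.rdp` connection file that mstsc.exe reads, and the hang described earlier in the thread can be caught rather than waited on. The following PowerShell is an added example, not code from the putty-cac project or from anyone in this thread: it writes one profile that redirects the smartcard over the RDP smartcard channel (the path PIV certificates need) and one that offers the YubiKey as a RemoteFX USB device (the path the FIDO function needs), then wraps `certutil -scinfo` in a timeout so a stuck redirection returns a result instead of blocking. The hostname, output directory and function names are placeholders; the RemoteFX USB option still depends on the client policy and server version the comment describes, which this script does not change.

```powershell
# Added example (not from the putty-cac project or this thread).
# Assumed placeholders: $TargetHost, $OutDir, the function names below.
param(
    [string]$TargetHost = 'win-jump.example.invalid',   # assumed hostname
    [string]$OutDir     = "$env:USERPROFILE\Desktop"
)

function New-RdpProfile {
    # Writes a minimal mstsc.exe connection file. The two switches map onto the
    # documented settings 'redirectsmartcards' (RDP smartcard channel, used for
    # PIV/CAC certificates) and 'usbdevicestoredirect' (RemoteFX USB redirection,
    # used for the YubiKey's FIDO function).
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Address,
        [switch]$SmartCard,
        [switch]$UsbRedirect
    )
    $usb = if ($UsbRedirect) { '*' } else { '' }   # '*' offers every redirectable device
    $lines = @(
        "full address:s:$Address",
        "authentication level:i:1",                  # do not connect if server auth fails
        "redirectsmartcards:i:$([int]$SmartCard.IsPresent)",
        "usbdevicestoredirect:s:$usb",
        "redirectclipboard:i:0",                     # keep the rest of the session tight
        "drivestoredirect:s:"
    )
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $Path
}

function Test-SmartCardVisible {
    # Runs certutil -scinfo inside the session and classifies the outcome.
    # A redirection that never answers (the hang reported in this thread)
    # shows up as 'hung' instead of blocking the caller.
    param([int]$TimeoutSeconds = 30)
    $log = Join-Path $env:TEMP 'scinfo.txt'
    $p = Start-Process -FilePath 'certutil.exe' -ArgumentList '-scinfo' `
         -PassThru -RedirectStandardOutput $log
    if (-not $p.WaitForExit($TimeoutSeconds * 1000)) {
        $p.Kill()
        return 'hung'
    }
    if ($p.ExitCode -ne 0) { return "failed (exit $($p.ExitCode), see $log)" }
    return 'ok'
}

# Usage: build both profiles, open one with mstsc.exe, then run the check
# from a PowerShell prompt inside the remote session.
$piv  = New-RdpProfile -Path (Join-Path $OutDir 'piv-smartcard.rdp') -Address $TargetHost -SmartCard
$fido = New-RdpProfile -Path (Join-Path $OutDir 'fido-usb.rdp')      -Address $TargetHost -UsbRedirect
Write-Host "Smartcard profile: $piv"
Write-Host "RemoteFX USB profile: $fido"
Write-Host "Inside the session, run Test-SmartCardVisible; expect 'ok' on the smartcard profile."
```

A practitioner would open the smartcard profile first and confirm `Test-SmartCardVisible` returns `ok` before trying PuTTY-CAC's certificate mode; a `hung` result points at the redirection layer rather than at PuTTY-CAC. The USB profile is only meaningful when the client policy allows RemoteFX USB redirection and the server is new enough to accept it, as the comment above notes.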
NoMoreFood commented 9 months ago

Closing due to inactivity. Please reopen if necessary.