• Create a virtual USB key
• Install VMware PowerCli (with or without Internet)

If you have a test server on VMware ESXi 6.7 and you are testing the use of smart cards on one of your virtual machines, you may have had the reflex to connect the card reader directly to your server.
However, you have surely noticed that it doesn't work.
Indeed, VMware doesn't support this method and recommends connecting the smart card reader to the client computer to avoid a conflict on your server.
In addition, in business, you will rarely have access to the VMware ESXi server which may even be in a data center (in some cases) and to which you will therefore not have physical access.

1. Unable to pass a server-connected smart card reader to a virtual machine
2. Driver installed on the physical PC
3. Use smart card reader via VMware Remote Console (VMRC)
   1. Connect the physical smart card reader
   2. Connect the virtualized smart card reader
4. Use smart card reader via VMware Workstation Pro

1. Unable to pass a server-connected smart card reader to a virtual machine

If you have the smart card reader plugged into your VMware ESXi 6.7 server, you are trying to change the configuration of the virtual machine you want to plug it into.

You click on "Add other device -> USB device" and you select your card reader (in our case : OmniKey Smart Card Reader USB) in the "New USB device" list.
Then, you click Save.

But, VMware ESXi shows you an error :

Plain Text

Failed to reconfigure virtual machine [VM name]. Cannot connect 'vid:076b pid:3022 path:0/1/2/2/3' to this virtual machine. The device was not found.

Note : "vid:076b pid:3022" is the identifier of your card reader and "path" varies according to the USB port on which you plugged your card reader.

This error appears when trying to pass a card reader to a virtual machine via USB passthrough, because VMware has disabled this feature.
Indeed, the passage via the USB passthrough of a card reader would create a conflict on your server at the level of the "PCSCD" service which manages the smart card readers.
To avoid this conflict, VMware has disabled this possibility. Which causes this "Device not found" error.

Note that VMware allows this feature to be re-enabled if desired, but this is not recommended, as smart card login to the ESXi shell will no longer be possible.

Source : Unable to passthrough a USB smart card reader to a guest operating system in ESXi version 6.x and later (55789).

2. Driver installed on the physical PC

As explained previously, to use your smart card reader from a virtual machine hosted on your VMware ESXi hypervisor, you will need to connect your smart card reader to your client PC.
As you can see, in our case, our card reader is connected to our client PC.

3. Use smart card reader via VMware Remote Console (VMRC)

To use your card reader from your virtual machine via the free "VMware Remote Console (VMRC)" program, download this program by clicking on "Console -> Download VMRC".
Then, once the program is installed on your computer, click on : Console -> Launch remote console.

3.1. Connect the physical smart card reader

If you click on "VMRC -> Removable Devices", you will see that you can connect your card reader in 2 ways :

• OmniKey Smart Card Reader USB : connect your physical smart card reader only to this virtual machine.
  The advantage is that the guest OS will see your real smartcard reader (which is not the case with the option below).
  In this case, once the smart card reader is connected to this virtual machine, it can't be connected to another virtual machine. Unless you disconnect it from the virtual machine concerned to be able to connect it to another virtual machine.
• Shared OMNIKEY AG Smart Card Reader USB 0 : connect a virtualized smart card reader that allows access to the smart card (when desired).
  The advantage is that this will be shared by VMware Remote Console (VMRC) and you can therefore connect it to several virtual machines simultaneously if you wish.
  You will also have the option of virtually removing or inserting the smart card that is physically in the relevant smart card reader from the VMware Remote Console interface.

Note that you can also use these devices by clicking on the "<<" icon (located at the top right of the window).

For now, connect the physical smart card reader by clicking : VMRC -> Removable Devices -> OmniKey Smart Card Reader USB -> Connect (Disconnect from Host).

As you can see, once the physical smart card reader is connected to your virtual machine, the corresponding "Shared OMNIKEY AG Smart Card Reader USB 0" option disappears from the list.
Indeed, your physical computer no longer has access to it since it's connected to your virtual machine.

If you click on the icon located in the taskbar which allows you to eject some devices, you will see that your card reader is recognized under the name : Smart Card Reader USB.
Which means the operating system sees the real smart card reader.

In the device manager of the virtual machine, you will see it appear under the name : Microsoft Usbccid Smartcard Reader (WUDF).

3.2. Connect the virtualized smart card reader

As explained previously, the "Shared OMNIKEY AG Smart Card Reader USB 0" option allows you to provide a virtualized smart card reader to the virtual machine from your physical smart card reader.
To do this, disconnect the physical smart card reader connected previously (if applicable), then click on : VMRC -> Removable Devices -> Shared OMNIKEY AG Smart Card Reader USB 0 -> Connect.

Important : as you can see by clicking on the eject icon present in the taskbar, this time, it's a virtual "Virtual USB CCID" smart card reader.
Of course, the smart card you insert into the physical smart card reader will be visible in the virtual smart card reader.
However, the operating system will not see the real model of your smart card reader. This can therefore be a problem in some cases.

To avoid these problems, we advise you to connect the physical smart card reader rather than using this "Shared ... Smart Card Reader USB 0" option.

4. Use smart card reader via VMware Workstation Pro

If you have VMware Workstation Pro, you can use your smart card reader connected to your physical computer in the same way.
Connect to the console of your virtual machine by clicking on "Console -> Launch remote console" in the web interface of your VMware ESXi hypervisor or by connecting to your VMware ESXi hypervisor from the menu "File -> Connect to Server" of VMware Workstation Pro.

At the bottom right of the window, you will find 2 icons that correspond to your card reader :

• the 1st corresponds to the "OmniKey Smart Card Reader USB" option which allows you to connect your physical smart card reader only to this virtual machine.
• the 2nd corresponds to the "Shared OMNIKEY AG Smart Card Reader USB 0" option which allows you to connect a virtualized smart card reader to this virtual machine.
  The physical smart card reader is therefore shared by VMware Workstation Pro to also remain accessible from other virtual machines if desired.

To connect your smart card reader, click on one of the 2 icons (framed in red on the image below), then click on "Connect (Disconnect from Host)".
Note that you could also do it as under VMware Remote Console by going to the "VM -> Removable Devices" menu which again contains the options :

• OmniKey Smart Card Reader USB : connect the physical smart card reader to the virtual machine.
• Shared OMNIKEY AG Smart Card Reader USB 0 : connect a virtualized smart card reader that can be shared with multiple virtual machines.

Again, if you connect the physical smart card reader (OmniKey Smart Card Reader USB), Windows will detect it under the name : Smart Card Reader USB.

On the other hand, if you choose the virtualized smart card reader (Shared OMNIKEY AG Smart Card Reader USB 0), then it will be seen under the name : Virtual USB CCID.