VMware vSphere

 View Only
Expand all | Collapse all

Can not enable passthrough USB etoken to guest OS.

DanBui

DanBuiAug 31, 2020 02:48 AM

  • 1.  Can not enable passthrough USB etoken to guest OS.

    Posted Aug 28, 2020 05:00 AM

    Hey guys,

    Now I want to connect USB etoken to Virtual Machine.

    etoken not show when add new device/Host USB device

    On Esxi host. Feitian token has been shown.

    I run cmd in cli.

    esxcli hardware usb passthrough device enable -d 1:4:096e:0703

    Nothing change.

    Did anyone know how to fix this?

    update: I follow this article

    VMware Knowledge Base

    but pcscd is already not running

    eToken still not list when add host USB device

    Best regards,



  • 2.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Aug 31, 2020 02:48 AM

    Is there anyone can help me?



  • 3.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Aug 31, 2020 05:20 AM

    How are you accessing the VM? Are you using VMware Workstation Pro or VMware Remote Console (VMRC)?

    After adding the line

    usb.generic.allowCCID = "TRUE"

    to the vmx of the VM,

    assuming that you use Workstation Pro or VMRC to access the VM, you should be able to see the CCID device in the "Removable Devices" menu of USB devices to connect to the VM.



  • 4.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Aug 31, 2020 08:25 AM

    Thank you for you reply.

    I'm using Esxi 6.7 and Vsphere Vcenter 6.7.

    If I used VMRC, I'm able to connect the CCID USB device to VM by the "Removable Devices" menu, with this solution, if I close the VMRC, CCID USB auto disconnect.

    Therefore i need to plug CCID USB directly to Esxi host, and add CCID USB passthrough to VM



  • 5.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Aug 31, 2020 08:36 AM

    I am not sure if this will work for you.

    https://kb.vmware.com/s/article/1648

    You could try adding to the vmx configuration file

    usb.autoConnect.device0 = "096e:0703"



  • 6.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Aug 31, 2020 09:39 AM

    I have tried that solution. It does not work.

    I found a couple of reasons

    https://kb.vmware.com/s/article/55789

    When users use smart card as the authentication to log into ESXi shell, PCSCD is the smart card daemon that claims and controls smart card readers

    But PCSCD is not running.

    In other solution

    https://www.virtuallyghetto.com/2020/05/how-to-passthrough-usb-keyboard-mouse-hid-and-ccid-devices-to-vm-in-esxi.html

    I think that, the CCID usb device has been claim by Esxi.

    I added

    usb.quirks.device0 = "0x096e:0x0703 allow"

    to /etc/vmware/config file

    added

    CONFIG./USB/quirks=0x096e:0x0703::0xffff:UQ_KBD_IGNORE

    to /bootbank/boot.cfg

    it still does not work



  • 7.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Aug 31, 2020 11:17 AM

    If you read carefully at the virtuallyghetto link that you sent, there is a note under step 3 that indicates the steps to add to the bootbank/boot.cfg is not required for CCID device. And besides that keyword UQ_KBD_IGNORE the KBD likely stands for KeyBoarD.

    The purpose of stopping the PCSCD is to stop ESXi from claiming it as KB55789 implies.

    Anyway, adding to /etc/vmware/config is to make it global (i.e. applies to all VMs) instead of having to add to individual VM vmx configuration file one-by-one.

    In the previous try with VMRC, if the device was not disconnected from the VM before shut down of the VM, there might be auto connect strings added by path (at least that is what happens with Workstation/Fusion).

    It is probably best to try on the vmx configuration level first rather than /etc/vmware/config.



  • 8.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Sep 01, 2020 01:29 AM

    thank bluefirestorm.

    For security (policy) reason, eToken must be plugged to Esxi host, not via VMRC



  • 9.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Sep 01, 2020 02:26 AM

    Have you tried using the autoconnect in the vmx configuration using the USB path instead of VID:PID?

    From the documentation, looks like ESXi goes by USB path instead of VID:PID for the autoconnect.

    https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vm_admin.doc/GUID-4C61BFEA-0EBD-4FED-B807-9E125A8AC81A.html

    The USB passthrough autoconnect feature identifies the device by using the USB path of the device on the host. It uses the physical topology and port location instead of the device identity.



  • 10.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Sep 01, 2020 03:02 AM

    I have tried to config "USB path" instead of "VID:PID" for the autoconnect in the vmx configuration. but it did not work.

    I think that is not cause. Why is only eToken passthrouh diabled when it pluged to Esxi?



  • 11.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Sep 01, 2020 03:25 AM

    You don't have to keep pasting that similar screenshot again and again. That was already in your original post. It doesn't progress the discussion.

    Anyway, was the USB path correct?

    FWIW, with an Ubuntu host with VMware Workstation Pro 15.5.6

    The output of lsusb -t

    /:  Bus 04.Port 1: Dev 1, class="root_hub", Driver=xhci_hcd/6p, 5000M

    /:  Bus 03.Port 1: Dev 1, class="root_hub", Driver=xhci_hcd/14p, 480M

        |__ Port 1: Dev 2, If 0, class="Human" Interface Device, Driver=usbhid, 1.5M

        |__ Port 2: Dev 3, If 1, class="Human" Interface Device, Driver=usbhid, 1.5M

        |__ Port 2: Dev 3, If 0, class="Human" Interface Device, Driver=usbhid, 1.5M

        |__ Port 4: Dev 4, If 0, class="Hub", Driver=hub/4p, 480M

            |__ Port 3: Dev 6, If 1, class="Audio", Driver=snd-usb-audio, 12M

            |__ Port 3: Dev 6, If 2, class="Human" Interface Device, Driver=usbhid, 12M

            |__ Port 3: Dev 6, If 0, class="Audio", Driver=snd-usb-audio, 12M

            |__ Port 4: Dev 7, If 0, class="Human" Interface Device, Driver=usbhid, 12M

            |__ Port 4: Dev 7, If 1, class="Human" Interface Device, Driver=usbhid, 12M

        |__ Port 5: Dev 8, If 0, class="Chip"/SmartCard, Driver=, 12M

        |__ Port 13: Dev 5, If 0, class="Wireless", Driver=btusb, 12M

        |__ Port 13: Dev 5, If 1, class="Wireless", Driver=btusb, 12M

    /:  Bus 02.Port 1: Dev 1, class="root_hub", Driver=ehci-pci/2p, 480M

        |__ Port 1: Dev 2, If 0, class="Hub", Driver=hub/8p, 480M

    /:  Bus 01.Port 1: Dev 1, class="root_hub", Driver=ehci-pci/2p, 480M

        |__ Port 1: Dev 2, If 0, class="Hub", Driver=hub/6p, 480M

    The autoconnect for the SmartCard reader inserted by Workstation Pro after VM shutdown without disconnecting the SmartCard reader.

    usb_xhci.autoConnect.device0 = "path:3/5 autoclean:1"

    So that would be bus 3, port 5. So it looks like path is bus and port number.

    The VM was configured with USB 3.1 gen 1 controller so I think that is why it shows up as usb_xhci

    I think for your case you would want autoclean to be 0.



  • 12.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Sep 01, 2020 04:13 AM

    ok,

    this is output of lsusb -t

    In VM option I add Configuration Parameters

    It did not work.

    I also tried with

    usb.autoConnect.device0 = "path:1/5 autoclean:1"

    the same result



  • 13.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Sep 01, 2020 05:57 AM

    It's hard to troubleshoot without any reference to the vmware.log of the VM.

    From your screenshot of lsusb -t, it looks like there are multiple devices connected to the same USB hub. It would look like those are device numbers instead of port number. If possible, I would suggest try plugging to that is not a hub. Otherwise you should look for the lower level port number as well.

    I think for your case you can leave out the autoclean altogether. Without the autoclean, the autoconnect will always remain there even if the device was not found. Or also try to autoconnect the Kingston thumb drive to see whether that also works. If the Kingston thumb drive does not autoconnect, something else is also wrong.

    From the vmware.log of the VM I have, the autoconnect searches for the path,

    I005: USB: Search for USB devices to connect [path:3/5]

    I005: SOCKET creating new socket, connecting to /var/run/vmware/usbarbitrator-socket

    Whether or not a device is connected, it still searches for it (I had removed the autoclean so the autoconnect string remains there even the device was not found).

    When the device is found

    I005: USB: Found device [name:OmniKey\ Smart\ Card\ Reader\ USB vid:076b pid:3021 path:3/5 speed:full family:smart-card arbRuntimeKey:6 version:3]

    I005: USB: Autoconnecting device "OmniKey Smart Card Reader USB" matching pattern [path:3/5] prefer usb_xhci

    I005: USB: Connecting device desc:name:OmniKey\ Smart\ Card\ Reader\ USB vid:076b pid:3021 path:3/5 speed:full family:smart-card arbRuntimeKey:6 version:3 id:0x10000006076b3021

    For multiple devices connected to the same USB hub, it uses port number underneath and not the device ID. I assume it takes the If 0 as precedence.

    I005: USB: Found device [name:Harman\ JBL\ Pebbles vid:05fc pid:0231 path:3/4/3 speed:full family:audio,hid serialnum:1.0.0 arbRuntimeKey:3 version:3]

    I005: USB: Found device [name:Wacom\ CTH-470 vid:056a pid:00de path:3/4/4 speed:full family:hid,hid-bootable arbRuntimeKey:1 quirks:allow version:3]

    You can see the path is 3/4/3 for the audio device and 3/4/4 for the HID.

    /:  Bus 03.Port 1: Dev 1, class="root_hub", Driver=xhci_hcd/14p, 480M

        |__ Port 4: Dev 4, If 0, class="Hub", Driver=hub/4p, 480M

            |__ Port 3: Dev 6, If 1, class="Audio", Driver=snd-usb-audio, 12M

            |__ Port 3: Dev 6, If 2, class="Human" Interface Device, Driver=usbhid, 12M

            |__ Port 3: Dev 6, If 0, class="Audio", Driver=snd-usb-audio, 12M

            |__ Port 4: Dev 7, If 0, class="Human" Interface Device, Driver=usbhid, 12M

            |__ Port 4: Dev 7, If 1, class="Human" Interface Device, Driver=usbhid, 12



  • 14.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Sep 01, 2020 07:18 AM

    From the vmware.log of the VM

    I125: USB: Found device [name:Kingston\ DataTraveler\ 3.0 vid:0951 pid:1666 path:0/1/3 speed:high family:storage,storage-bulk serialnum:60A44CB4644AE361A7728390 arbRuntimeKey:2 version:3]

    I125: USB: Found device [name:Realtek\ USB3.0-CRW vid:0bda pid:0329 path:0/1/1/3 speed:super family:storage,storage-bulk serialnum:29203008282014000 arbRuntimeKey:1 version:3]

    I can not found Feitian etoken.

    In VM option I add Configuration Parameters

    usb_xhci.autoConnect.device0 = "path:0/1/3 autoclean:1"

    Autoconnect works well for Kingston data usb.

    I have tried with

    usb_xhci.autoConnect.device0 = "path:0/1/5 autoclean:1"

    path:0/1/5 is my assumption about eToken' path.

    It did not work



  • 15.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Sep 01, 2020 07:36 AM

    Since the Kingston USB passthrough worked on path:0/1/3, have you tried plugging in the Feitian eToken on the same port where the Kingston USB was connected to? As it is based on USB port path, instead of VID:PID, assuming there is nothing else wrong, the Feitian eToken should work on the same port as where the Kingston USB was previously plugged in.

    If that doesn't work, there is probably not much else that can be done other than making sure the points in the KB are adhered to

    https://kb.vmware.com/s/article/55789?lang=en_us



  • 16.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Sep 01, 2020 08:07 AM

    Ok, I unplugged Kingston USB.

    Plug the Feitian eToken to the same port as where the Kingston USB was previously plugged in

    in vmware.log

    I125: VUsbUpdateVigorFieldsAndAutoconnect: New set of 1 USB devices

    I125: USB: Found device [name:Realtek\ USB3.0-CRW vid:0bda pid:0329 path:0/1/1/3 speed:super family:storage,storage-bulk serialnum:29203008282014000 arbRuntimeKey:1 version:3]

    I125: Intel VT: FlexPriority enabled.

    That doesn't work,

    in my original post, I had shown that pcscd is not running

    I have added this Parameter to vmx config file of VM

    usb.generic.allowCCID = "TRUE"

    not work :smileysad:



  • 17.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Sep 01, 2020 11:13 AM

    In the vmware.log of the VM, do you see a section

    I005: USB: Initializing 'Virtual CCID' backend

    You could try adding the line

    usb.ccid.disable = "TRUE"

    to the vmx configuration of the VM.

    That line disables the shared SmartCard reader feature in Workstation/Fusion. I don't know if this has any effect on ESXi.

    I005: USB: Initializing 'Virtual CCID' backend

    I005: USB-CCID:  CCID backend is disabled in the config file.

    I005: USB: Unable to initialize 'Virtual CCID' backend

    Without the line the shared SmartCard reader is initialised. Depending on SmartCard reader brands/models, sometimes the shared SmartCard reader feature disables the passthrough in Workstation/Fusion.

    I005: USB: Initializing 'Virtual CCID' backend

    I005: USB-CCID:  dlopened default libpcsclite.so.1.

    usbCCIDEnumCards| I005: VTHREAD 140239272146688 "usbCCIDEnumCards" tid 2941

    usbCCIDEnumCards| I005: USB-CCID: Card enum thread created.



  • 18.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Sep 04, 2020 03:46 AM

    sorry for the late reply

    I offline for a few days.

    I searched carefully in vmware.log and can not find this section

    Initializing 'Virtual CCID' backend


  • 19.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Mar 24, 2021 02:39 PM

    I have the same problem. Did you find a solution?

    Thanks!

     



  • 20.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Aug 31, 2020 09:56 AM

    Please change the USB Controller version/type (2/3/3.1) on the VM settings, and then try for your token detection once again.



  • 21.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Aug 31, 2020 10:08 AM

    I tried all USB Controller version/type (2/3) on the VM settings.

    But my token is till not list in add New host USB device



  • 22.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Aug 31, 2020 10:36 AM

    Can you check it with: 1. Another physical USB port 2. Another ESXi host 3. Another VM? and give back the result?!



  • 23.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Sep 01, 2020 01:26 AM

    1. check with another physical USB (data USB) plug in to same port.

    the USB has been listed in add Host USB Device

    2. I have plugged etoken to another Esxi host. its still passthrough = disable

    3. In another Esxi host, as mentioned above, when etoken passthrough disabled, it not listed in setting of other VM



  • 24.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Aug 10, 2021 03:00 PM

    I have the same problem. Did you find a solution?

    Thanks!



  • 25.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Dec 02, 2022 01:27 PM

    i have the same problem in 1 etoken

    1 work and 1 not work



  • 26.  RE: Can not enable passthrough USB etoken to guest OS.

    Posted Jan 16, 2023 01:22 PM

    it's 2023 and this issue remains, I have the exact same problem now and it's all dead ends