Blog Post

Core Infrastructure and Security Blog
7 MIN READ

Passwordless RDP Authentication for On-Prem Servers with Smart Cards (FIDO2 Security Key)

Farooque's avatar
Farooque
Icon for Microsoft rankMicrosoft
Apr 07, 2025

Enable secure, passwordless RDP access to on-prem servers using Smart Cards with FIDO2 Security Keys. This approach leverages Kerberos PKINIT and certificate-based authentication to enhance protection and eliminate password risks.

Hello Everyone, in my previous blog, I discussed how to use FIDO2 Security Key Passwordless Authentication with Entra or Hybrid Joined devices for Remote Desktop Connection. In this blog, we will discuss how a FIDO2 Security Key can be used as a smart card for Remote Desktop Connection Protocol on on-prem Active Directory domain-joined servers. If you have not gone through my last article, you can click here. Many people have written several articles and blogs on similar topics, so I apologize if you find it duplicate.

Recently, a customer asked me whether it was possible to authenticate using a FIDO2 security key to connect to a remote on-prem domain joined server via RDP. I successfully enabled it for them and decided to write a blog on the topic. This is a great use case for administrators who frequently use high-privileged groups like Domain Admins and Enterprise Admins, as they should adopt passwordless authentication for secure day-to-day server management using smart card-based authentication. Basically, what I will be demonstrating here is Kerberos PKINIT (Public Key Cryptography for Initial Authentication in Kerberos), which is an extension of the Kerberos Authentication protocol that allows users to authenticate using certificates.

There are some vendors who facilitate PIV (Personal Identification Verification) in security keys for strong authentication. With PIV, we can use the security key to store certificates for authentication. So, let’s discuss how we can use this feature to go passwordless by accessing the remote desktop of servers.

First of all, we need a PKI infrastructure or a Certificate Server, which we can deploy on Windows Server by adding the Certificate Services role or using an existing one. Once we have a certificate server, we can configure the certificate templates for users and domain controllers. In order to use RDP for servers, both the client and domain controller (DC) need to have a valid certificate as they use mutual authentication. We can issue a “User or Smart Card Logon” certificate to users and a “Kerberos Authentication” certificate to DCs.

Before we get into settings and configuration, let’s understand how Kerberos PKINIT works at a high level, which will further help us understand the entire process of this activity. Kerberos Public Key Cryptography for Initial Authentication (PKINIT) in the Kerberos protocol enables the use of public key cryptography in the initial authentication exchange. It uses X.509 certificates (Smart Card) in place of a password to authenticate against the authentication server.

 

The key components involved here are:

  • The Domain Client running Windows 10/11, who wants to access a remote server over RDP.
  • The Domain Controller (KDC) running on at least Windows Server 2016, which authenticates users in Active Directory.
  • The Domain Member Server running on at least Windows Server 2016, which is the target system the client wants to connect to.
  • A Certificate Authority (CA) running on at least Windows Server 2016, which issues Kerberos Authentication and User or Smart Card Logon certificates.

 

Authentication Flow:

  • The Client selects a smart card during authentication, which sends an AS-REQ (Authentication Service Request) to the Domain Controller (KDC) containing the user’s X.509 certificate. It essentially signs the current time with its private key.
  • The Domain Controller validates the request by checking the times using the user’s public key.
  • Once the Domain Controller completes the validation, it issues a TGT (Ticket Granting Ticket) signed by the KDC certificate using its private key as an AS-REP (Authentication Service Reply) response.
  • The Client validates the TGT by verifying the KDC’s certificate.
  • Once the Client has the TGT, it can proceed to request a service ticket to connect to the target server.

 

It is important to note that if we have an Enterprise or AD-integrated Certificate Authority, the Root CA or Issuing CA's certificate will be automatically added to the Trusted Root Certification Authorities store in domain-joined systems. In case we use a standalone CA, we must manually add its certificate to the client machine’s Trusted Root Certification Authorities store.

Now, let’s go through the whole process step by step. We will first start by creating a template for the Domain Controller (DC) certificate and later for User certificates. We will also see how to configure Group Policy for certificate auto-enrollment to issue certificates to users and DCs.

 

 

Issue Kerberos Authentication Certificate to Domain Controller:

  • Go to the Certificate Server and open the Certificate Authority console.
  • Click on Templates and then click on Manage.
  • The Domain Controller (DC) requires the KDC Authentication certificate (1.3.6.1.5.2.3.5) EKU and Server Authentication (1.3.6.1.5.5.7.3.1) EKU.
  • Select the Kerberos Authentication template.
  • Select the Kerberos Authentication template and create a duplicate template.
  • Next, do not make any changes to the certificate template except for assigning a name under the General tab.
    • Go to the Security tab and ensure that only the Domain Controllers group is added with Read, Enroll, and Autoenroll permissions selected.
    • Under the Subject Name tab, ensure the DNS checkbox is selected.
  • Next, we need to issue the Kerberos Authentication certificate template to make it available for Domain Controllers (DCs) to request certificates.

Group Policy Configuration:

Next, we need to create a Group Policy for certificate auto-enrollment and link it to the Domain Controllers OU.

  • Open the GPO and go to Computer Configuration\Windows Settings\Security Settings\Public Key Policies.
  • Edit Certificate Service Client – Auto Enrollment Properties and select Renew Expired Certificate and update Certificate options as shown in picture below.
  • Go to Computer Configuration\Windows Settings\Security Settings\Public Key Policies and set "Certificate Services Client – Certificate Enrollment Policy" to Enabled.

We also need to create another Group Policy Object (GPO) and link it to the domain to enable additional policies for the Client & Server to accept smart card authentication for RDP connections.

This policy will determine how the system should behave when the smart card is removed. In this case, it will be set to disconnect the session.

  • Go to Computer Configuration\Windows Settings\Security Settings\Security Options and enable "Define this policy setting" and select option "Disconnect if a Remote Desktop Services Session"
  • Next, we will enable the use of smart cards by setting the policy "Allow ECC certificates to be used for logon and authentication" under: Computer Configuration\Administrative Templates\Windows Components\Smart Card

 

Create Smart Card Logon Certificate Template for Client:

Now, go back to the Certificate Server, open the Certificate Authority console, and open the Manage console by right-clicking on Certificate Templates.

  • Select the Smart Card Logon template, right-click, and choose Duplicate Template.
      • Under the Compatibility tab, set:
        • Certificate Authority to Windows Server 2016
        • Certificate Recipients to Windows 10/Windows Server 2016
  • Next, go to the General tab and assign a name of your choice. This is the same certificate that the user will see when they issue a smart card certificate to be stored in the FIDO2 Security Key.
  • Go to the Request Handling tab and:
  • Under Purpose, select "Include symmetric algorithms allowed by the subject."
  • Enable "For automatic renewal of smart card certificates, use existing key if a new key cannot be created."
  • To ensure the certificate is saved in the FIDO2 Security Key during the request, select "Prompt the user during enrollment and require user input when the private key is used."

Note: I tested the "Prompt the user during enrollment" option, but it did not work.

  • Next, go to the Cryptography tab and:
          • Under Provider Category, select "Key Storage Provider."
          • In Algorithm Name, choose "ECDH_P384" (assuming you meant P384, as P383 is not a standard option).
          • Under Cryptographic Provider, select "Request must be one of the following providers" and choose "Microsoft Smart Card Key Storage Provider."
          • Change Request Hash to "SHA256."
  • Next, go to the Security tab and:
  • Ensure the group containing Admins is added with Read and Enroll permissions.
  • Optionally, enable Autoenroll if needed.
  • Finally Click on OK to save the new template.

 

Let the Group Policy refresh automatically or manually force it by running  gpupdate /force. Once refreshed, the Domain Controller (DC) should receive a new Kerberos Authentication Certificate.

 

Enroll Client Smart Card Certificate:

On a Windows 10/11 device,

  • Open Command Prompt and run “certreq -enroll "<SmartCard Certificate Template Name>"
  • Ensure the appropriate Smart Card certificate is selected, then click Next to proceed with the certificate issuance.
  • Insert the FIDO2 Security Key.
  • Once the system detects the security key, it will prompt you to enter the PIN to store the certificate
  • The process of storing certificate in FIDO2 Security key completes and now we can test accessing server using RDP with security key

Testing:

Open mstsc.exe and enter the target server’s FQDN.

  • If the security key is detected by the system, it will prompt you to use the smart card for login.
  • Enter the PIN, and it should allow you to sign in successfully

Once authentication is successfully completed, RDP should load the desktop.

 

Troubleshooting:

During my research and extensive testing in my lab, I encountered few errors when enrolling certificates on the FIDO2 Security Key PIV.

One of the issues I faced was the smart card showing as locked. After troubleshooting, I found that sometimes the FIDO2 security key device driver provided by the vendor is not installed properly. Ensure that you follow the security key provider’s installation guide and install the latest driver on both the client and target server.

 

Another common error I encountered was: "The requested key container does not exist in smart card." This issue typically occurs when the FIDO2 Security Key driver is not installed properly on the target server. Again, refer to the FIDO2 security vendor’s documentation to install the correct driver.

.

Note: Ensure that when you attempt RDP to the target server, the user for whom you issued the smart card certificate is added to the "Remote Desktop Users" group on the target server.

If you are looking to use RDP from the internet, we have the option of KDC Proxy to use. You can refer this article here for more details.

I hope you found this blog useful in achieving passwordless authentication even for on-prem Active Directory domain-joined critical servers and I would like to thank you for reading this blog. Hopefully I will be back soon with some more interesting blogs.

Updated Apr 06, 2025
Version 1.0
Active Directory
Domain
fido2
passwordless
Passwordless Authentication
smartcard

14 Comments

  • UweGradenegger's avatar
    UweGradenegger
    Copper Contributor
    Jun 23, 2025

    Hey all,

    you can even make the CA cryptographically prove that these certificates are secured with a security key (if it's a YubiKey). TameMyCerts is an open source policy module for Microsoft ADCS and now has working support for YubiKey PIV attestation integrated, which allows to perform PIV attestation on YubiKeys with Microsoft ADCS.

    https://www.gradenegger.eu/en/yubikey-piv-attestation-with-the-tamemycerts-policy-module-for-microsoft-active-directory-certificate-services-adcs/'s an introductory post on how it works.

    https://docs.tamemycerts.com/#yubikey-piv-attestation's the documentation.

    https://github.com/Sleepw4lker/TameMyCerts's the project on GitHub.

    Kind regards

    Uwe

  • BrianITTX's avatar
    BrianITTX
    Copper Contributor
    Jun 17, 2025

    Setting up a new AD Certificate Server-based PKI for a Yubikey (or similar) multi-purpose security key that supports both FIDO2 and PIV authentication can be a foolhardy undertaking for a small organization, depending on existing infrastructure. Microsoft's other solutions generally involve RD Gateways or Azure Virtual Desktop, which can both potentially be more cost-effective and easier to maintain. Azure Bastion Host is another solution, but isn't cost effective in many scenarios.  

    Switching over to DC certs that are fully compliant with smart card specifications is a security requirement,  because key-based (cert) user authentication (via PIV) is inherently susceptible to theft and affected by employment status changes. One key consideration about using smart cards for authentication is the requirement of a highly available CRL, which can impact other domain services (including LDAPS) that may not required a highly-available CRL or full PKI to implement securely. 

    So, adding enough PKI resources to support this type of authentication would typically require at least 2 and potentially more additional servers to set up properly. There is also the risk of authentication outages  (which would have a critical and costly business impact) if the number of qualified admins is low. In my experience, even organizations with thousands of employees may only have one to three experienced admins that can support a full-featured PKI properly.

    Full-featured PKI can still be worthwhile, even for small organizations, but it's important to understand the associated costs as well as the risks, including the need for operational redundancy (and highly-trained administrators) before plunging head-first into a PKI setup to enhance RDP logon security. 

  • MMVader's avatar
    MMVader
    MCT
    Apr 11, 2025
    First of all, this is totally unrelated to anything regarding FIDO. This is simply SmartCard Logon utilizing a multi-protocol combo card.
    Secondly, you won't simply deploy ADCS (or Microsoft Certificate Server) onto an existing Windows box. ADCS is a critical identity management system (similar to Domain Controller and especially if you plan to use it for Smart Card Logon) and MUST be deployed, operated and secured as Tier 0 asset! If that CA system gets compromised, the forest is lost!
     
    If you going to explain PKINIT basics and authentication flow, you should give the full information with the proper links (and not just leave important parts out): 
    PKINIT as a Kerberos extension is defined in RFC 4556 and RFC 8636 and the Microsoft implementation is described in "MS-PKCA]: Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol" (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pkca/d0cf1763-3541-4008-a75f-a577fa5e8c5b).
    The requirements for enabling PKINIT are as follows:
    1. All certificates used during PKINIT must chain to trusted root CAs
    2. All issuing CAs used in PKINT must be in NTAuth Certificate store in Active Directory
    3. KDC certificate must contain one of the following:
    • The OID for KDC Authentication (1.3.6.1.5.2.3.5).
    • The OID for Smartcard Logon (1.3.6.1.4.1.311.20.2.2).
    • The presence of the template name “DomainController” in the certificate.
    4. Client certificate must contain one of the following:
    • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • Client Authentication (1.3.6.1.5.5.7.3.2)
    • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    The authentication flow during interactive logon using a Smart Card is described in detail here: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pkca/53dd48a1-8325-4c0f-971f-d8c538d07f96.
     
    When creating a certificate for the Domain Controller, we advice to limit the certificate EKUs to least requirements, which normally leads to only have "KDC Authentication" and "Server Authentication" in the Domain Controller Certificate (at least this is enough for PKINIT).
    For the User (Smart Card) certificate, we usually advice to again enable least requirements at certificate template level:
    • Purpose: Signature and Smart Card Logon
     
    There is normally NO need for the following certificate template settings:
    • Use existing key for automatic renewal of smart card certificates (this should only be enabled if the smart card is very short of key storage and no management process is available to refresh/re-initialize the smart card)
    • Prompt the user during enrollment and require user input when private key is used (smart card is anyway asking for PIN)
     
    At the cryptography tab, the CSP or KSP is based on the smart card vendor (not all cards are working with the Microsoft CSP/KSP). If vendor-based CSP or KSP is needed, it must be installed everywhere where the smart card is used to logon to.
     
    Also, there is no need to start smart card enrollment using certreq. Normally, we advice to use a certificate management system to keep control about the issued certificates and have an full audit trail. If that is not required, simply start certmgr.msc to request the certificate.
     
    When using the smart card to logon to any system, for most vendors, you'll need to install the appropriate minidrivers locally and at the remote systems, you are connecting to. In addition you'll have to ensure that smart card redirection is enabled on your RDP client. 
     
  • Chris7092's avatar
    Chris7092
    Copper Contributor
    Apr 09, 2025

    Thank you for the very detailed guide Farooque .
    I have configured the steps described, I have the smartcard certificate but in RDP authentication the smartcard unlocking requires PIN while I would like to make it work mainly with biometric data. Do you have any ideas on how to help me? Am I doing something wrong?
    Thank you very much!

    • Farooque's avatar
      Farooque
      Icon for Microsoft rankMicrosoft
      Apr 10, 2025

      Hey Chris7092 the security key I used has touch sensor, but it too did not work with PIV. I checked with vendor and they confirmed it.

  • mamoreau's avatar
    mamoreau
    Iron Contributor
    Apr 08, 2025

    This is a great guide on how to set up smartcard authentication for RDP, but how is this FIDO2? The type of authentication shown here leverages WinSCard APIs, not WebAuthn APIs, you can only get true FIDO2 with RDS AAD authentication

    • ajf8729's avatar
      ajf8729
      Copper Contributor
      Apr 08, 2025

      This, 100%. FIDO2 and PIV are two different technologies altogether. Not all security keys support PIV, in fact, Yubico's "security key" is ONLY FIDO2, and you need a full YubiKey to support both FIDO2 and PIV. Great article about setting up PIV, but needs some serious clarifications.

      • Farooque's avatar
        Farooque
        Icon for Microsoft rankMicrosoft
        Apr 08, 2025

        Hey ajf8729, I completely agree with your point. In fact, I specifically mentioned in my blog that we're using a smart card, and highlighted that some vendors provide the PIV feature in their security keys. In my case, I’m using a YubiKey which supports PIV and allows storing a certificate securely. The reason I included “FIDO2 security key” in the title was to raise awareness so that if someone is planning to buy a security key, they can also look for PIV support in case their use case requires it.

        Appreciate your input!

    • Farooque's avatar
      Farooque
      Icon for Microsoft rankMicrosoft
      Apr 08, 2025

      Hey mamoreau you are right, the mechanism behind the scene is scmart card. Since many people are now a days using FIDO2 Security keys, and some vendor are also supporting PIV feature to store certificate, so in order to make use of this PIV feature, I used word FIDO2 in title. If you go through my blog, I specifically mentioned that its smart card certificate based authentication and FIDO2 security key is just a holder.

      • mamoreau's avatar
        mamoreau
        Iron Contributor
        Apr 08, 2025

        Using "FIDO2" together with "Passwordless RDP authentication for on-prem servers" is going to bring a lot of traffic from people thinking there is a way to get FIDO2 working with Windows Server on-premises, without hybrid-join and RDS AAD authentication. There's already a lot of confusion in the industry about smartcards versus FIDO2, especially since many devices support both. You clarify it further down in the article that it's "regular" smartcards, but still use FIDO2 in the template names, etc. In fact, the article doesn't even show a path to FIDO2 support, so I wonder why it's even mentioned. A lot of IT administrators would go nuts if Microsoft suddenly supported FIDO2 truly on-premises for RDP authentication, but it's unlikely to ever happen at this point (aside from hybrid-joined systems).

  • armandolopezo's avatar
    armandolopezo
    Brass Contributor
    Apr 08, 2025

    thank you. I was thinking some time ago that I would like to use certificates or security keys for RDP and passwordless is better.

    • Farooque's avatar
      Farooque
      Icon for Microsoft rankMicrosoft
      Apr 08, 2025

      Hey armdan passwordless is the way to go. The deployment is very straight forward and simple. You use it for your PAW system as well.

      • nexsys-verona's avatar
        nexsys-verona
        Copper Contributor
        Jun 06, 2025

        HI, I followed all the instructions, but when I connect via RDP and enter the correct PIN, the remote system returns the following error: "This smart card could not be used. Additional details may be available in the system log"....but nothing showed into event viewer related to this error. I'm using yubico 5 NFC...