Blog Post
Passwordless RDP Authentication for On-Prem Servers with Smart Cards (FIDO2 Security Key)
This is a great guide on how to set up smart card authentication for RDP, but how is this FIDO2? The type of authentication shown here leverages WinSCard APIs, not WebAuthn APIs; you can only get true FIDO2 with RDS AAD authentication.
- ajf8729, Apr 08, 2025, Copper Contributor
This, 100%. FIDO2 and PIV are two different technologies altogether. Not all security keys support PIV, in fact, Yubico's "security key" is ONLY FIDO2, and you need a full YubiKey to support both FIDO2 and PIV. Great article about setting up PIV, but needs some serious clarifications.
- Farooque, Apr 08, 2025, Microsoft
Hey ajf8729, I completely agree with your point. In fact, I specifically mentioned in my blog that we're using a smart card, and highlighted that some vendors provide the PIV feature in their security keys. In my case, I’m using a YubiKey which supports PIV and allows storing a certificate securely. The reason I included “FIDO2 security key” in the title was to raise awareness so that if someone is planning to buy a security key, they can also look for PIV support in case their use case requires it.
Appreciate your input!
- Farooque, Apr 08, 2025, Microsoft
Hey mamoreau, you are right, the mechanism behind the scenes is smart card. Since many people are nowadays using FIDO2 security keys, and some vendors are also supporting the PIV feature to store certificates, in order to make use of this PIV feature I used the word FIDO2 in the title. If you go through my blog, I specifically mentioned that it's smart card certificate-based authentication and the FIDO2 security key is just a holder.
- mamoreau, Apr 08, 2025, Iron Contributor
Using "FIDO2" together with "Passwordless RDP authentication for on-prem servers" is going to bring a lot of traffic from people thinking there is a way to get FIDO2 working with Windows Server on-premises, without hybrid-join and RDS AAD authentication. There's already a lot of confusion in the industry about smartcards versus FIDO2, especially since many devices support both. You clarify it further down in the article that it's "regular" smartcards, but still use FIDO2 in the template names, etc. In fact, the article doesn't even show a path to FIDO2 support, so I wonder why it's even mentioned. A lot of IT administrators would go nuts if Microsoft suddenly supported FIDO2 truly on-premises for RDP authentication, but it's unlikely to ever happen at this point (aside from hybrid-joined systems).
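The distinction the thread keeps returning to (PIV smart card logon uses an X.509 certificate reachable through the Windows smart card stack, FIDO2 does not) can be checked on the client. The following PowerShell is an added example, not code from the blog post or from any commenter: it lists the certificates in the current user's Personal store that carry the Smart Card Logon EKU and reports which key provider backs each one. A PIV-capable key such as a full YubiKey appears here once the Certificate Propagation service has copied its certificate into the store; a FIDO2-only Security Key never will, because a FIDO2 credential is not a certificate. The provider-name match on "Smart Card" and the "Principal Name=" parsing of the SAN text are assumptions that hold for English-language Windows with the default smart card minidriver providers.

```powershell
# Added example (not from the original post or the comment thread).
# Assumptions: Windows PowerShell 5.1 or later, a domain-joined client, and a
# smart card minidriver that exposes the key through a Microsoft Smart Card
# CSP/KSP (true for YubiKey PIV via the built-in minidriver).

# Microsoft Smart Card Logon EKU OID; KDCs require it (or an explicit
# policy relaxation) before a certificate is usable for smart card logon.
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'
# Subject Alternative Name extension OID; the UPN that maps the cert to an AD user lives here.
$SanOid = '2.5.29.17'

function Get-SmartCardLogonCandidate {
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_

        # Collect every EKU OID on the certificate.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus += ($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }
        if ($ekus -notcontains $SmartCardLogonEku) { return }

        # Pull the UPN out of the SAN. Format($true) yields text such as
        # "Other Name:\r\n     Principal Name=alice@corp.example" on English Windows (assumption).
        $upn = $null
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid } | Select-Object -First 1
        if ($san) {
            $sanText = $san.Format($true)
            if ($sanText -match 'Principal Name=([^\r\n]+)') { $upn = $Matches[1].Trim() }
        }

        # The key provider is what tells you the card is actually in the loop:
        # a software-only certificate reports a Microsoft Software/Enhanced provider,
        # a PIV-backed one reports a Smart Card CSP. Touching PrivateKey may cause
        # Windows to look for the card, so it is wrapped in try/catch.
        $provider = 'unavailable (CNG-only key or card not present)'
        try {
            if ($cert.PrivateKey) {
                $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName
            }
        } catch { }

        [pscustomobject]@{
            Subject         = $cert.Subject
            UPN             = $upn
            Thumbprint      = $cert.Thumbprint
            NotAfter        = $cert.NotAfter
            KeyProvider     = $provider
            SmartCardBacked = ($provider -like '*Smart Card*')   # assumption: provider name contains "Smart Card"
        }
    }
}

Get-SmartCardLogonCandidate | Format-Table -AutoSize
```

If the table is empty while the key is plugged in, the key either has no certificate in its PIV authentication slot or the Certificate Propagation service (CertPropSvc) is not running; neither symptom has anything to do with FIDO2, which is the point the commenters are making.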
- Jordan Mills, Apr 12, 2025, Copper Contributor
The title keyword spam got me. This really needs to be updated. Or replaced by someone who understands the components involved.