Passwordless RDP Authentication for On-Prem Servers with Smart Cards (FIDO2 Security Key)

Enable secure, passwordless RDP access to on-prem servers using Smart Cards with FIDO2 Security Keys. This approach leverages Kerberos PKINIT and certificate-based authentication to enhance protection and eliminate password risks.

Hello Everyone, in my previous blog, I discussed how to use FIDO2 Security Key Passwordless Authentication with Entra or Hybrid Joined devices for Remote Desktop Connection. In this blog, we will dis...

Updated Apr 06, 2025

Version 1.0

Farooque

Microsoft

Joined October 24, 2020

View Profile

Core Infrastructure and Security Blog

Follow this blog board to get notified when there's new activity

UweGradenegger

Copper Contributor

Jun 23, 2025

Hey all,

you can even make the CA cryptographically prove that these certificates are secured with a security key (if it's a YubiKey). TameMyCerts is an open source policy module for Microsoft ADCS and now has working support for YubiKey PIV attestation integrated, which allows to perform PIV attestation on YubiKeys with Microsoft ADCS.

https://www.gradenegger.eu/en/yubikey-piv-attestation-with-the-tamemycerts-policy-module-for-microsoft-active-directory-certificate-services-adcs/'s an introductory post on how it works.

https://docs.tamemycerts.com/#yubikey-piv-attestation's the documentation.

https://github.com/Sleepw4lker/TameMyCerts's the project on GitHub.

Kind regards

Uwe

Blog Post

Passwordless RDP Authentication for On-Prem Servers with Smart Cards (FIDO2 Security Key)

Enable secure, passwordless RDP access to on-prem servers using Smart Cards with FIDO2 Security Keys. This approach leverages Kerberos PKINIT and certificate-based authentication to enhance protection and eliminate password risks.