Forum Discussion
Logging on to Remote Desktop using Windows Hello for Business & Biometrics
- Oct 03, 2018
Although late, we have published information around WHfB with RDP:
Great, I love the fact the Microsoft links never work.
The method that has seemed to work best for us is to enable Remote Credential Guard which works directly with Windows Hello for Business to provide SSO RDP. We made our environment all RCG friendly by applying the DisableRestrictedAdmin registry item and the "Remote host allows delegation of non-exportable credentials" GPO setting at the domain level, then applied the "Restrict delegation of credentials to remote servers" just to the laptops OU. If your RDP servers access other RDP resources internally, then you may want to apply RCG settings to those too to make nested RDP SSO.
The only issue is if you have any pre-2016 RDP servers, which don't support RCG, as clients will refuse to connect to any RDP server that doesn't support RCG (wish MS had an exception list for this!). A couple of workarounds for these legacy RDP servers are: 1) use the RDWeb Web Client for those services until such time as they can be migrated to 2016/2019; 2) keep a 2016+ RDP server without RCG as a jump-off point for those services.
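A PowerShell readiness check for the setup described in this post, added here as an illustrative example rather than code from the thread. It reads the registry values behind the DisableRestrictedAdmin item and the two Credentials Delegation policies named above, and flags target servers whose OS predates 2016, the case the post says an RCG-enforcing client will refuse. The numeric meaning of RestrictedRemoteAdministrationType is taken from the CredSsp.admx definition and should be treated as an assumption.

```powershell
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-RcgConfigReport {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $cred = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    # Assumed meaning of RestrictedRemoteAdministrationType, taken from the CredSsp.admx enum.
    $modeNames = @{ 1 = 'Require Restricted Admin'; 2 = 'Require Remote Credential Guard'; 3 = 'Restrict credential delegation' }

    $disableRA = Get-RegValue $lsa  'DisableRestrictedAdmin'          # 0 = host accepts RCG sessions
    $allowProt = Get-RegValue $cred 'AllowProtectedCreds'             # 1 = "Remote host allows delegation of non-exportable credentials"
    $restrict  = Get-RegValue $cred 'RestrictedRemoteAdministration'  # 1 = "Restrict delegation of credentials to remote servers"
    $modeValue = Get-RegValue $cred 'RestrictedRemoteAdministrationType'
    $mode = 'Not configured'
    if ($restrict -eq 1 -and $modeNames.ContainsKey([int]$modeValue)) { $mode = $modeNames[[int]$modeValue] }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        HostAcceptsRcg            = ($disableRA -eq 0)
        HostAllowsProtectedCreds  = ($allowProt -eq 1)
        ClientRestrictsDelegation = ($restrict -eq 1)
        ClientRestrictedMode      = $mode
    }
}

function Test-RcgTargetSupport {
    # RCG needs an NT 10.0 host (Windows Server 2016 / Windows 10 or later); older targets are the
    # ones the post says a client set to require RCG will refuse to connect to.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
            $ok = ([version]$os.Version).Major -ge 10
            $note = if ($ok) { 'OK' } else { 'Pre-2016: reach via RDWeb client or a non-RCG jump host' }
            [pscustomobject]@{ ComputerName = $c; OSVersion = $os.Version; SupportsRcg = $ok; Note = $note }
        } catch {
            [pscustomobject]@{ ComputerName = $c; OSVersion = $null; SupportsRcg = $null; Note = "Query failed: $($_.Exception.Message)" }
        }
    }
}

Get-RcgConfigReport | Format-List
# Hypothetical host names, constructed for illustration:
# Test-RcgTargetSupport -ComputerName 'rds01', 'rds-legacy01' | Format-Table
```

Run Get-RcgConfigReport on both the RDP host and the laptop to see which half of the configuration is missing; run Test-RcgTargetSupport against your RDP server list before applying the client-side policy to the laptops OU.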
- dmutsaers, Feb 10, 2022, Iron Contributor
Hello RossWalker,
I can't get Remote Credential Guard to authenticate successfully when connecting to a Remote Desktop Collection using a Remote Desktop Connection Broker. Should this even be possible?
- RossWalker, Feb 11, 2022, Copper Contributor
RCG depends on Kerberos authentication, so if that isn't working properly, or if you have redundant brokers set up, as Kerberos isn't supported with redundant brokers (no shared service account support), then that will be the issue. If you do have redundant brokers then smart card will be your only alternative. For me, when enabling key trust I was able to prevent the self-signed smart card certificate from being created by setting the group policy option to NOT enable smart card emulation; then, if you issue a smart card certificate through SCEP or group policy to users, there won't be a duplicate and then no prompting for a cert.
- Clint Lechner, Apr 24, 2021, Iron Contributor
I come with gifts for all! Gather round! Key-Trust + RDP = win!
FYI - we have this deployed in production
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs
- StephenG, Nov 01, 2022, Copper Contributor
Clint Lechner, all went well till I hit this command:
certutil -dstemplate <TemplateName> > <TemplateName>.txt
Can't make heads or tails of what to leave or remove, so if my template is called "authenticationCertificate", how would this code above be formatted?
- Clint Lechner, Nov 01, 2022, Iron Contributor
I think they overcomplicated it.
certutil -dstemplate "authenticationCertificate" > "Output.txt"
Note, "authenticationCertificate" is the name of the template within your CA. Output.txt is simply a text file that gets created in the same directory you're running that command from.
- RossWalker, Apr 24, 2021, Copper Contributor
I saw that article and followed it, which was similar to what has already been posted about using endpoint mgr to deploy smart card certs to passport after the fact. The how-to for deploying them using an in-house CA was nice though.
It works, but had an issue where the RDP client would first pick the wrong cert and you would need to manually choose the correct cert, so there is a cert ordering issue. Also, there is still the issue where only one RDP session can use the smart card cert at a time; is that for everyone or just me? We utilize multiple RemoteApp servers for line of business apps, so being able to log into multiple sessions simultaneously is needed.
Fix the certificate ordering issue and allow simultaneous access to the cert from multiple RDP sessions and then we might have a workable solution, but in the meantime we're continuing to use Remote Credential Guard for domain computers, which works very nicely except that RDP over UDP doesn't work with it.
- amreagan, Aug 04, 2021, Copper Contributor
Crossposted on Reddit: https://www.reddit.com/r/sysadmin/comments/oxzj5f/using_certificate_authentication_for_rdp_in/
I've got a working key trust deployment and have created an AD CS template for user certificates as described in https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.
After obtaining the user certificate, I attempt to connect to another Windows device via RDP. Hello takes facial recognition/fingerprint, but gives the message, "An authentication error has occurred. The client certificate does not contain a valid upn, or does not match the client name in the logon request."
However, if I select "more choices" and select the UPN-based security device credential, it works. If I remove the cert, it breaks, which leads me to assume that the certificate is working. Judging by the other options listed under "more choices", it looks like fingerprint and face are trying to pass domain\samaccountname instead of the UPN. Has anyone figured out a workaround for this?