Feb 20 2024 09:45 PM - edited Feb 20 2024 09:49 PM
Hello everyone,
I'm trying to install an RDS farm with FIDO2 (YubiKey).
I think I have created the conditions.
The farm is on-prem (hybrid joined), the FIDO2 key is registered in Entra.
The farm works correctly with normal credentials.
However, setting up the FIDO2 key is giving me a headache.
If I log in directly to one of the session hosts, FIDO2 works. But if I want to log in via the session broker, as it should be, I am connected to the session broker as a host and not forwarded to the hosts.
But I only found this out by chance when I added the user to the Remote Desktop Users group on the broker as a test. Otherwise you just get the message: "Access to the session was denied" and the broker's event log says "Couldn't find the file".
####################
redirectclipboard:i:1
redirectprinters:i:0
redirectcomports:i:1
redirectsmartcards:i:1
devicestoredirect:s:*
drivestoredirect:s:
session bpp:i:32
prompt for credentials on client:i:1
server port:i:3389
allow font smoothing:i:1
promptcredentialonce:i:1
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:4
full address:s:RDS-TEST-BR.xxxxxxxxxxxxx
gatewayhostname:s:rds-test.xxxxxxxxxxxxx
workspace id:s:RDS-Test-BR.xxxxxxxxxxxxx
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Test
use multimon:i:1
alternate full address:s:RDS-TEST-BR.xxxxxxxxxxxxx
screen mode id:i:2
desktopwidth:i:800
desktopheight:i:600
winposstr:s:0,3,0,0,800,600
compression:i:1
keyboardhook:i:2
audiocapturemode:i:0
videoplaybackmode:i:1
connection type:i:7
networkautodetect:i:1
bandwidthautodetect:i:1
displayconnectionbar:i:1
enableworkspacereconnect:i:0
disable wallpaper:i:0
allow desktop composition:i:0
disable full window drag:i:1
disable menu anims:i:1
disable themes:i:0
disable cursor setting:i:0
bitmapcachepersistenable:i:1
audiomode:i:0
redirectlocation:i:0
redirectwebauthn:i:1
redirectposdevices:i:0
autoreconnection enabled:i:1
authentication level:i:2
prompt for credentials:i:0
negotiate security layer:i:1
remoteapplicationmode:i:0
alternate shell:s:
shell working directory:s:
gatewaybrokeringtype:i:0
rdgiskdcproxy:i:0
kdcproxyname:s:
enablerdsaadauth:i:1
username:s:yubikey@xxxxxxxxxxxxx
####################
Apr 24 2024 02:01 PM
May 13 2024 04:46 AM - edited May 13 2024 04:47 AM
@ALAIN_CH69475 as far as I know, the RDS gateway is unable to support FIDO authentication.
If you just connect to the farm through the broker, that FIDO authentication should be fine.
FIDO also only works with Windows Server 2022, and the client must be a current Windows 10 or 11.
And in the RDP client you need to select "WebAuthn (Windows Hello or Security Key)".
May 14 2024 06:48 AM
May 16 2024 06:33 AM
@ALAIN_CH69475 the broker and the RDS session host must be at least Windows Server 2022.
You can perform an in-place upgrade; you should disable any antivirus software before the upgrade.
May 21 2024 04:58 AM
Hi @1993Nik
Yes, you are right, and that is my problem.
The direct connection to the host works.
But the connection to the gateway does not.
The server is Windows Server 2022 21H2 and the client is Windows 11.
I have overlooked something, but unfortunately I can't find it.
May 21 2024 05:35 AM
@Jochen81 as I mentioned, there are only two options to connect to your RDS hosts with FIDO:
As far as I know it is not possible to connect through an RDS gateway server to a session host with FIDO. The gateway does not accept FIDO authentication.
What is the purpose of your RDS gateway? Is the gateway published on the internet?
It seems like you are also from Germany; if you want we can have a quick call about your problem. Just send me a private message, then we can exchange contact details.
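A small checker, added here as an example and not part of the thread, that parses the .rdp name:type:value format posted above and flags the combination the replies describe: Entra/FIDO2 sign-in enabled (enablerdsaadauth) while the connection can still be routed through an RD Gateway (gatewayusagemethod). The sample file, its placeholder domain names and the function names are constructed for this example.

```python
from typing import Dict, List, Union

# Constructed sample modelled on the .rdp file posted above (placeholder domain).
SAMPLE_RDP = """\
redirectsmartcards:i:1
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:1
full address:s:RDS-TEST-BR.example.invalid
gatewayhostname:s:rds-test.example.invalid
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Test
redirectwebauthn:i:1
enablerdsaadauth:i:1
username:s:yubikey@example.invalid
"""

# Documented gatewayusagemethod values: 0 and 4 never route via an RD Gateway;
# 1 always does, 2 falls back to it when a direct connection fails, 3 uses defaults.
GATEWAY_NEVER = {0, 4}


def parse_rdp(text: str) -> Dict[str, Union[int, str]]:
    """Parse 'name:type:value' lines. 'i' values become int, 's' stay str;
    the value keeps any further colons (e.g. loadbalanceinfo's tsv:// URI)."""
    settings: Dict[str, Union[int, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or the ##### separators used in the post
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # malformed line, ignore
        name, kind, value = parts
        settings[name] = int(value) if kind == "i" else value
    return settings


def check_fido_path(settings: Dict[str, Union[int, str]]) -> List[str]:
    """Flag the setup the replies above call non-working: Entra (FIDO2)
    sign-in enabled while the client may still connect through RD Gateway."""
    findings: List[str] = []
    entra_auth = settings.get("enablerdsaadauth") == 1
    via_gateway = settings.get("gatewayusagemethod", 0) not in GATEWAY_NEVER
    if entra_auth and via_gateway:
        findings.append(
            "enablerdsaadauth=1 with gatewayusagemethod=%s via %s: per the thread, "
            "RD Gateway does not accept FIDO authentication; connect to the broker "
            "(%s) directly" % (settings["gatewayusagemethod"],
                               settings.get("gatewayhostname", "<unset>"),
                               settings.get("full address", "<unset>")))
    return findings
```

Running check_fido_path(parse_rdp(SAMPLE_RDP)) on the sample returns one finding; changing gatewayusagemethod to 4 returns none.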