RDS Farm with FIDO2 Key


Hello everyone,
I'm trying to install an RDS farm with FIDO2 (YubiKey).
I think I have created the conditions.
The farm is onPrem (hybrid joined), the FIDO2 key is registered in Entra.
The farm works correctly with normal credentials.
However, setting up the FIDO2 key is giving me a headache.
If I log in directly to one of the session hosts, FIDO2 works. But if I want to log in via the session broker, as it should be, I am connected to the session broker as a host and not forwarded to the hosts.

But I only found this out by chance when I added the user to the Remote Desktop Users group on the broker as a test. Otherwise you just get the message "Access to the session was denied" and the broker's event log says "Couldn't find the file".


####################

redirectclipboard:i:1
redirectprinters:i:0
redirectcomports:i:1
redirectsmartcards:i:1
devicestoredirect:s:*
drivestoredirect:s:
session bpp:i:32
prompt for credentials on client:i:1
server port:i:3389
allow font smoothing:i:1
promptcredentialonce:i:1
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:4
full address:s:RDS-TEST-BR.xxxxxxxxxxxxx
gatewayhostname:s:rds-test.xxxxxxxxxxxxx
workspace id:s:RDS-Test-BR.xxxxxxxxxxxxx
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Test
use multimon:i:1
alternate full address:s:RDS-TEST-BR.xxxxxxxxxxxxx
screen mode id:i:2
desktopwidth:i:800
desktopheight:i:600
winposstr:s:0,3,0,0,800,600
compression:i:1
keyboardhook:i:2
audiocapturemode:i:0
videoplaybackmode:i:1
connection type:i:7
networkautodetect:i:1
bandwidthautodetect:i:1
displayconnectionbar:i:1
enableworkspacereconnect:i:0
disable wallpaper:i:0
allow desktop composition:i:0
disable full window drag:i:1
disable menu anims:i:1
disable themes:i:0
disable cursor setting:i:0
bitmapcachepersistenable:i:1
audiomode:i:0
redirectlocation:i:0
redirectwebauthn:i:1
redirectposdevices:i:0
autoreconnection enabled:i:1
authentication level:i:2
prompt for credentials:i:0
negotiate security layer:i:1
remoteapplicationmode:i:0
alternate shell:s:
shell working directory:s:
gatewaybrokeringtype:i:0
rdgiskdcproxy:i:0
kdcproxyname:s:
enablerdsaadauth:i:1
username:s:yubikey@xxxxxxxxxxxxx

####################

Hi Jochen81,

Can someone help you? I have the same problem;
FIDO does not work at all with RDP.

I have the same infrastructure: RDS server onPrem, FIDO key OK in Entra for Windows login with PIN code and key.

Br

Alain

@ALAIN_CH69475 as far as I know, the RDS gateway is unable to support FIDO authentication.

If you just connect to the farm through the broker, that fido authentication should be fine.


FIDO is also only working with Windows Server 2022, and the client must be a current Windows 10 or 11.

And in the RDP client you need to select "WebAuthn (Windows Hello or Security Key)".

Hi, thanks for your reply.
My server is Windows Server 2019; do you have a quick procedure for the farm broker with FIDO?
I know about WebAuthn having to be selected on my RDP client.
Br

Alain

@ALAIN_CH69475 the broker and the RDS session host must be at least Windows Server 2022.

You can perform an in-place upgrade; you should disable any antivirus software before the upgrade.

Hi @1993Nik

Yes, you are right, and that is my problem.
The direct connection to the host works.
But the connection to the gateway does not.
The server is Windows Server 2022 21H2 and the client is Windows 11.

I have overlooked something, but unfortunately I can't find it.


@Jochen81 as I mentioned, there are only two options to connect to your rds hosts with fido:

  1. connect through your rds broker to your session host
  2. connect directly to your session host


As far as I know it is not possible to connect through an RDS gateway server to a session host with FIDO. The gateway does not accept FIDO authentication.

What is the purpose of your rds gateway? is the gateway published in the internet?


It seems like you are also from Germany; if you want we can have a quick call about your problem. Just send me a private message, then we can exchange contact details.
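The thread boils down to three checks: the .rdp file must not route the connection through the RD Gateway, WebAuthn redirection must be enabled in the .rdp file, and the broker and session hosts must run Windows Server 2022 or later. The following PowerShell script is an added example, not code from any participant in this thread, that performs those checks against an .rdp file like the one posted above and against the servers registered with the connection broker. It assumes the RemoteDesktop module is installed, that the account running it can query the broker and the hosts over CIM, and that the file path and broker FQDN (placeholders below) are replaced with real values.

```powershell
# Added example (not from the thread): check an .rdp file and the RDS role servers
# against the prerequisites discussed in the replies above.
# Assumptions: RemoteDesktop module present; CIM access to the servers;
# $RdpFile and $ConnectionBroker are placeholders to be replaced.
param(
    [string]$RdpFile = '.\farm.rdp',                          # placeholder path
    [string]$ConnectionBroker = 'RDS-TEST-BR.example.invalid' # placeholder FQDN
)

# 1. Parse the .rdp file: each line is "key:type:value" where type is i (int) or s (string).
#    Values may contain colons (e.g. loadbalanceinfo), so only the first two are split off.
$settings = @{}
Get-Content -Path $RdpFile | ForEach-Object {
    if ($_ -match '^(?<key>[^:]+):(?<type>[is]):(?<value>.*)$') {
        $settings[$Matches.key.Trim()] = $Matches.value.Trim()
    }
}

$findings = @()

# gatewayusagemethod 0 means "do not use an RD Gateway"; any other value with a
# gatewayhostname set means the connection may be routed through the gateway,
# which the replies above say does not accept FIDO authentication.
if ($settings['gatewayhostname'] -and $settings['gatewayusagemethod'] -ne '0') {
    $findings += "RD Gateway '$($settings['gatewayhostname'])' is in the connection path " +
                 "(gatewayusagemethod=$($settings['gatewayusagemethod'])); connect via the broker instead."
}

# The client's security key is only offered to the session when WebAuthn redirection is on.
if ($settings['redirectwebauthn'] -ne '1') {
    $findings += 'redirectwebauthn is not 1: the security key will not be redirected into the session.'
}

# 2. Broker and session hosts must be Windows Server 2022 (build 20348) or later.
$minBuild = 20348
Import-Module RemoteDesktop
$servers = Get-RDServer -ConnectionBroker $ConnectionBroker |
    Where-Object { $_.Roles -contains 'RDS-CONNECTION-BROKER' -or $_.Roles -contains 'RDS-RD-SERVER' }

foreach ($srv in $servers) {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $srv.Server
    if ([int]$os.BuildNumber -lt $minBuild) {
        $findings += "$($srv.Server) ($($srv.Roles -join ',')) runs build $($os.BuildNumber); " +
                     "Windows Server 2022 (build $minBuild) or later is required."
    }
}

# Report: an empty list means none of the known blockers from the thread applies.
if ($findings.Count -eq 0) { 'No blocking findings.' } else { $findings }
```

Run it as `.\Test-RdsFido.ps1 -RdpFile .\farm.rdp -ConnectionBroker <broker FQDN>` from a machine with the RDS management tools. The script only reads configuration; it changes nothing, so it can be rerun after each adjustment to the .rdp file or the farm.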