Passwordless RDP Authentication for On-Prem Servers with Smart Cards (FIDO2 Security Key)
Hello Everyone, in my previous blog, I discussed how to use FIDO2 Security Key Passwordless Authentication with Entra or Hybrid Joined devices for Remote Desktop Connection. In this blog, we will discuss how a FIDO2 Security Key can be used as a smart card for Remote Desktop Connection Protocol on on-prem Active Directory domain-joined servers. If you have not gone through my last article, you can click here. Many people have written several articles and blogs on similar topics, so I apologize if you find it duplicate. Recently, a customer asked me whether it was possible to authenticate using a FIDO2 security key to connect to a remote on-prem domain joined server via RDP. I successfully enabled it for them and decided to write a blog on the topic. This is a great use case for administrators who frequently use high-privileged groups like Domain Admins and Enterprise Admins, as they should adopt passwordless authentication for secure day-to-day server management using smart card-based authentication. Basically, what I will be demonstrating here is Kerberos PKINIT (Public Key Cryptography for Initial Authentication in Kerberos), which is an extension of the Kerberos Authentication protocol that allows users to authenticate using certificates. There are some vendors who facilitate PIV (Personal Identification Verification) in security keys for strong authentication. With PIV, we can use the security key to store certificates for authentication. So, let’s discuss how we can use this feature to go passwordless by accessing the remote desktop of servers. First of all, we need a PKI infrastructure or a Certificate Server, which we can deploy on Windows Server by adding the Certificate Services role or using an existing one. Once we have a certificate server, we can configure the certificate templates for users and domain controllers. In order to use RDP for servers, both the client and domain controller (DC) need to have a valid certificate as they use mutual authentication. We can issue a “User or Smart Card Logon” certificate to users and a “Kerberos Authentication” certificate to DCs. Before we get into settings and configuration, let’s understand how Kerberos PKINIT works at a high level, which will further help us understand the entire process of this activity. Kerberos Public Key Cryptography for Initial Authentication (PKINIT) in the Kerberos protocol enables the use of public key cryptography in the initial authentication exchange. It uses X.509 certificates (Smart Card) in place of a password to authenticate against the authentication server. The key components involved here are: The Domain Client running Windows 10/11, who wants to access a remote server over RDP. The Domain Controller (KDC) running on at least Windows Server 2016, which authenticates users in Active Directory. The Domain Member Server running on at least Windows Server 2016, which is the target system the client wants to connect to. A Certificate Authority (CA) running on at least Windows Server 2016, which issues Kerberos Authentication and User or Smart Card Logon certificates. Authentication Flow: The Client selects a smart card during authentication, which sends an AS-REQ (Authentication Service Request) to the Domain Controller (KDC) containing the user’s X.509 certificate. It essentially signs the current time with its private key. The Domain Controller validates the request by checking the times using the user’s public key. Once the Domain Controller completes the validation, it issues a TGT (Ticket Granting Ticket) signed by the KDC certificate using its private key as an AS-REP (Authentication Service Reply) response. The Client validates the TGT by verifying the KDC’s certificate. Once the Client has the TGT, it can proceed to request a service ticket to connect to the target server. It is important to note that if we have an Enterprise or AD-integrated Certificate Authority, the Root CA or Issuing CA's certificate will be automatically added to the Trusted Root Certification Authorities store in domain-joined systems. In case we use a standalone CA, we must manually add its certificate to the client machine’s Trusted Root Certification Authorities store. Now, let’s go through the whole process step by step. We will first start by creating a template for the Domain Controller (DC) certificate and later for User certificates. We will also see how to configure Group Policy for certificate auto-enrollment to issue certificates to users and DCs. Issue Kerberos Authentication Certificate to Domain Controller: Go to the Certificate Server and open the Certificate Authority console. Click on Templates and then click on Manage. The Domain Controller (DC) requires the KDC Authentication certificate (1.3.6.1.5.2.3.5) EKU and Server Authentication (1.3.6.1.5.5.7.3.1) EKU. Select the Kerberos Authentication template. Select the Kerberos Authentication template and create a duplicate template. Next, do not make any changes to the certificate template except for assigning a name under the General tab. Go to the Security tab and ensure that only the Domain Controllers group is added with Read, Enroll, and Autoenroll permissions selected. Under the Subject Name tab, ensure the DNS checkbox is selected. Next, we need to issue the Kerberos Authentication certificate template to make it available for Domain Controllers (DCs) to request certificates. Group Policy Configuration: Next, we need to create a Group Policy for certificate auto-enrollment and link it to the Domain Controllers OU. Open the GPO and go to Computer Configuration\Windows Settings\Security Settings\Public Key Policies. Edit Certificate Service Client – Auto Enrollment Properties and select Renew Expired Certificate and update Certificate options as shown in picture below. Go to Computer Configuration\Windows Settings\Security Settings\Public Key Policies and set "Certificate Services Client – Certificate Enrollment Policy" to Enabled. We also need to create another Group Policy Object (GPO) and link it to the domain to enable additional policies for the Client & Server to accept smart card authentication for RDP connections. This policy will determine how the system should behave when the smart card is removed. In this case, it will be set to disconnect the session. Go to Computer Configuration\Windows Settings\Security Settings\Security Options and enable "Define this policy setting" and select option "Disconnect if a Remote Desktop Services Session" Next, we will enable the use of smart cards by setting the policy "Allow ECC certificates to be used for logon and authentication" under: Computer Configuration\Administrative Templates\Windows Components\Smart Card Create Smart Card Logon Certificate Template for Client: Now, go back to the Certificate Server, open the Certificate Authority console, and open the Manage console by right-clicking on Certificate Templates. Select the Smart Card Logon template, right-click, and choose Duplicate Template. Under the Compatibility tab, set: Certificate Authority to Windows Server 2016 Certificate Recipients to Windows 10/Windows Server 2016 Next, go to the General tab and assign a name of your choice. This is the same certificate that the user will see when they issue a smart card certificate to be stored in the FIDO2 Security Key. Go to the Request Handling tab and: Under Purpose, select "Include symmetric algorithms allowed by the subject." Enable "For automatic renewal of smart card certificates, use existing key if a new key cannot be created." To ensure the certificate is saved in the FIDO2 Security Key during the request, select "Prompt the user during enrollment and require user input when the private key is used." Note: I tested the "Prompt the user during enrollment" option, but it did not work. Next, go to the Cryptography tab and: Under Provider Category, select "Key Storage Provider." In Algorithm Name, choose "ECDH_P384" (assuming you meant P384, as P383 is not a standard option). Under Cryptographic Provider, select "Request must be one of the following providers" and choose "Microsoft Smart Card Key Storage Provider." Change Request Hash to "SHA256." Next, go to the Security tab and: Ensure the group containing Admins is added with Read and Enroll permissions. Optionally, enable Autoenroll if needed. Finally Click on OK to save the new template. Let the Group Policy refresh automatically or manually force it by running gpupdate /force. Once refreshed, the Domain Controller (DC) should receive a new Kerberos Authentication Certificate. Enroll Client Smart Card Certificate: On a Windows 10/11 device, Open Command Prompt and run “certreq -enroll "<SmartCard Certificate Template Name>" Ensure the appropriate Smart Card certificate is selected, then click Next to proceed with the certificate issuance. Insert the FIDO2 Security Key. Once the system detects the security key, it will prompt you to enter the PIN to store the certificate The process of storing certificate in FIDO2 Security key completes and now we can test accessing server using RDP with security key Testing: Open mstsc.exe and enter the target server’s FQDN. If the security key is detected by the system, it will prompt you to use the smart card for login. Enter the PIN, and it should allow you to sign in successfully Once authentication is successfully completed, RDP should load the desktop. Troubleshooting: During my research and extensive testing in my lab, I encountered few errors when enrolling certificates on the FIDO2 Security Key PIV. One of the issues I faced was the smart card showing as locked. After troubleshooting, I found that sometimes the FIDO2 security key device driver provided by the vendor is not installed properly. Ensure that you follow the security key provider’s installation guide and install the latest driver on both the client and target server. Another common error I encountered was: "The requested key container does not exist in smart card." This issue typically occurs when the FIDO2 Security Key driver is not installed properly on the target server. Again, refer to the FIDO2 security vendor’s documentation to install the correct driver. . Note: Ensure that when you attempt RDP to the target server, the user for whom you issued the smart card certificate is added to the "Remote Desktop Users" group on the target server. If you are looking to use RDP from the internet, we have the option of KDC Proxy to use. You can refer this article here for more details. I hope you found this blog useful in achieving passwordless authentication even for on-prem Active Directory domain-joined critical servers and I would like to thank you for reading this blog. Hopefully I will be back soon with some more interesting blogs.Passwordless Authentication with FIDO2 Security Key for Remote Desktop Connection
Passwordless Authentication with FIDO2 Security Key for Remote Desktop Connection Hello Everyone, in this blog, we will explore how to use a FIDO2 security key to access a device using Remote Desktop Connection (RDP)—a Zero Trust approach where passwordless authentication is enforced. Recently, a customer asked me whether they could secure their device and enforce passwordless authentication for RDP access. While some FIDO2 security keys can also be used as smart cards with Certificate-Based Authentication (CBA), I will cover that topic in my next blog. In this post, let's focus on how we can use Windows 10/11, the RDPAAD (Remote Desktop Protocol Azure AD Protocol), and WebAuthn to connect to Entra ID-joined or Hybrid-joined devices using a FIDO2 security key. If a user has never used or registered a FIDO2 security key, they should register it by visiting My Sign-Ins, clicking on Security Info, and selecting Add sign-in method. Once the FIDO2 security key is registered, complete the sign-in process and ensure the user can successfully authenticate to web applications using the security key. Configuring RDP for Entra ID-Joined Devices: For Entra ID-joined devices, follow these steps to enable RDP access using a FIDO2 security key: Ensure the user is a member of the local Remote Desktop Users group on the remote device. o Open PowerShell as Administrator and load the Microsoft Graph PowerShell module to connect to Entra ID (if needed). o Run the following command to add the user to the Remote Desktop Users group: o net localgroup "Remote Desktop Users" /add "AzureAD\user200@farooquetech.in" We can validate the configuration by opening Computer Management and checking the Local Users and Groups settings: Open Computer Management (compmgmt.msc). Navigate to Local Users and Groups → Groups. Locate and open the Remote Desktop Users group. Check if the Entra ID user we added appears in the list. This confirms that the user has been successfully added and can sign-in to remote machine using RDP. At this point, we can open Remote Desktop Connection (mstsc.exe) and attempt to connect to the remote device. Open Remote Desktop Connection (mstsc.exe). Click on the Advanced tab. Under User Authentication, ensure we select "Use a web account to sign in to the remote computer." This ensures that the RDP session leverages passwordless authentication with FIDO2 and WebAuthn for secure access. Enter the NetBIOS name of the remote computer in Remote Desktop Connection (mstsc.exe) and click Connect. On the sign-in page, enter the Entra ID account for which FIDO2 Security Key authentication is enabled. When prompted to choose a passwordless authentication method, select Security Key. Insert your FIDO2 security key, follow the prompts, and complete the authentication process. This ensures a secure, passwordless RDP connection to the remote device. Put the PIN and also touch your finger on Security Key to complete authentication. A consent is prompt to allow RDP Connection, select Yes. Post Authentication, we will see the desktop successfully loads. Remote Desktop Connection Access to Hybrid Entra ID-Joined Devices: Now, let's discuss how to establish RDP access for Hybrid Entra ID-joined devices. The process for Hybrid-joined devices differs slightly because these devices are joined to both Active Directory (AD) and Entra ID. This means authentication must be validated in both directories. To achieve this, we need to register an Active Directory Read-Only Domain Controller (RODC) object in Entra ID. This RODC object helps issue a partial Kerberos Ticket Granting Ticket (TGT) to the user after authentication with Entra ID. Note: This RODC object is not linked to any on-premises AD domain controller—it is simply an empty object in Entra ID used to enable Kerberos authentication. Enabling Entra ID Kerberos Authentication: To enable Entra ID Kerberos authentication, follow these steps: Open PowerShell as Administrator. Install the AzureADKerberos module (if not already installed): Execute below powershell commands Import-module “Import-module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1" $domain = $env:USERDNSDOMAIN $userPrincipalName = admin@mngenvmcapXXX.onmicrosoft.com $domainCred = Get-Credential (Enter the Active Directory credentials) Once the command executes successfully, we can verify that the AzureADKerberos account has been created in Active Directory. Open Active Directory Users and Computer and under Domain Controller, check AzureADKerberos RODC object is created. This completes the AzureADKerberos configuration, enabling the use of FIDO2 Security Keys for authentication. Now, to establish an RDP connection, follow the same steps outlined earlier for Entra ID-joined devices. Enforcing Phishing-Resistant Passwordless Authentication for RDP: To ensure that Remote Desktop Protocol (RDP) always uses phishing-resistant passwordless authentication, we can enforce this through Conditional Access Policies in Entra ID. Sign in to the Entra ID portal. Go to Security → Conditional Access and create a new policy. Under Assignments, select the users or groups that require secure RDP access. In the Cloud apps or actions section, select “Microsoft Remote Desktop” with Application ID “a4a365df-50f1-4397-bc59-1a1564b8bb9c”. Under Grant Controls, choose Require authentication strength. Select Phishing-resistant authentication, which includes FIDO2 Security Keys Save and enable the policy. Note: For Hybrid Entra Joined machine, please ensure we do not use domain admin or any other AD high privileged account to logon else partial TGT will not be issued by Entra ID. I hope you found this blog helpful! In my next blog, I will cover how FIDO2 Security Keys can also be used for on-premises Active Directory domain-joined servers. Stay tuned!
