RDS Farm with FIDO2 Key

Question

Hello everyone,I'm trying to install an RDS farm with fido2 (Yubikey).I think I have created the conditions.The farm is onPrem (hybrid joined), the FIDO2 key is registered in Entra.The farm works correctly with normal credentials.However, setting up the FIDO2 key is giving me a headache.If I log in directly to one of the session hosts, FIDO2 works. But if I want to log in via the session broker, as it should be. I am connected to the session broker as a host and not forwarded to the hosts.But I only found this out by chance when I added the user to the Remodesktopuser group on the broker as a test. Otherwise you just get the message: "Access to the session was denied" and the broker's event log says "Couldn't find the file"&nbsp;####################redirectclipboard:i:1redirectprinters:i:0redirectcomports:i:1redirectsmartcards:i:1devicestoredirect:s:*drivestoredirect:s:session bpp:i:32prompt for credentials on client:i:1server port:i:3389allow font smoothing:i:1promptcredentialonce:i:1gatewayusagemethod:i:2gatewayprofileusagemethod:i:1gatewaycredentialssource:i:4full address:s:RDS-TEST-BR.xxxxxxxxxxxxxgatewayhostname:s:rds-test.xxxxxxxxxxxxxworkspace id:s:RDS-Test-BR.xxxxxxxxxxxxxuse redirection server name:i:1loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Testuse multimon:i:1alternate full address:s:RDS-TEST-BR.xxxxxxxxxxxxxscreen mode id:i:2desktopwidth:i:800desktopheight:i:600winposstr:s:0,3,0,0,800,600compression:i:1keyboardhook:i:2audiocapturemode:i:0videoplaybackmode:i:1connection type:i:7networkautodetect:i:1bandwidthautodetect:i:1displayconnectionbar:i:1enableworkspacereconnect:i:0disable wallpaper:i:0allow desktop composition:i:0disable full window drag:i:1disable menu anims:i:1disable themes:i:0disable cursor setting:i:0bitmapcachepersistenable:i:1audiomode:i:0redirectlocation:i:0redirectwebauthn:i:1redirectposdevices:i:0autoreconnection enabled:i:1authentication level:i:2prompt for credentials:i:0negotiate security layer:i:1remoteapplicationmode:i:0alternate shell:s:shell working directory:s:gatewaybrokeringtype:i:0rdgiskdcproxy:i:0kdcproxyname:s:enablerdsaadauth:i:1username:s:yubikey@xxxxxxxxxxxxx####################

alain_ch69475 · Answer

HI Jochen81can someone help you ?i have the same problem ,FIDO not works at all with RDPi have the same infrastracture , Server RDS onPrem FIDOKey ok in ENTRA for Login windows with code Pin and KeyBrAlain

1993nik · Answer

ALAIN_CH69475as far as I know, the rds gateway is unable to support fido authentication.

If you just connect to the farm through the broker, that fido authentication should be fine.

fido is also only working with windows server 2022 and the client must be a current windows 10 or 11.

And in in the rdp client you need to select "WebAuthn (Windows Hello or Security Key)".

alain_ch69475 · Answer

Hi Thank for you replymy server is 2019 windows , do you have a quick procédure for the Farm Broker with FIDOi know about webauthn to be selected on my RDP clientBrAlain

1993nik · Answer

ALAIN_CH69475the broker and the rds session hast must be at least windows server 2022.you can perform an inplace upgrade, you should disable any antivirus software before the upgrade.

jochen81 · Answer

Hi 1993Nik&nbsp;&nbsp;Yes, you are right, and that is my problem.The direct connection to the host works.But the connection to the gateway does not.The server is Windows Server 2022 21H2 and the client is Windows 11.I have overlooked something, but unfortunately I can't find it.&nbsp;

Forum Discussion

RDS Farm with FIDO2 Key

Share

Resources