Remote Desktop Tunnel for WebAuthn
It is possible to use Group Policy to enable a built in Microsoft support that allows Remote Desktop Connection to use a local Yubikey or Passkey on your local desktop to authenticate to Duo MFA in a Browser session running on a remote computer or a VM. The authentication is passed through the encrypted tunnel between the local and remote machine traditionally used to share disks and remote audio streams.
You must be an administrator of both machines, because the change enables a non-default setting for Plug and Play Device Redirection. On both machines run the Group Policy Editor (gpedit.msc) and click down through this sequence of "folder" selections:
Computer Configuration
Administrative Templates
Windows Components
Remote Desktop Services
Client
On the client computer (where you will be sitting with the Yubikey or Phone) then choose:
Remote Desktop Connection Client
RemoteFX USB Device Redirection
There is one item in this folder. Double click on "Allow RDP redirection of other supported RemoteFX USB devices from this computer". Initially the policy is Not Configured, and the default is not to allow this redirection. Opening the item produces a dialog box where you can change the state from "Not Configured" to "Enabled", and in a box you can decide to permit only Administrators or "Administrators and Users".
With this policy change on the Client Windows computer, the Windows standard Remote Desktop Connection program will now display an extended list of sharable "devices". On the initial connection box click on Show Options.
Then click the Local Resources tab and, in Local devices and resources, click the More … button.
You may have to scroll up a bit to expose the WebAuthn check box. Click it.
Then click OK.
Important - If you scroll down farther in the devices that you can share, you will see a section with USB devices. If the Yubikey is plugged in, it will show up as a HID FIDO device. Do not share the Yubikey as a USB device with the remote computer. All you want to do is to tunnel the WebAuthn protocol with the checkbox described above. Any USB device you share becomes unavailable to the local (host) computer while it is being shared. If you try to both tunnel WebAuthn and share the Yubikey as a USB device, then nothing works and the Yubikey fails to operate properly.
Before connecting, you may want to go back to the General tab and click the Save or Save As … buttons to save this configuration as an RDP file. RDP files are saved in your Documents directory. The Default.rdp file is used for all initial connections, but you can save a specific customized configuration with a name if you don’t want to change the Default behavior. I don’t see a problem with making this the default.
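Because the saved RDP file is what carries the "WebAuthn" checkbox and the USB device list, it is worth checking the file rather than trusting memory of which boxes were ticked. The PowerShell below is an added example (not part of the original page): it writes a minimal RDP file next to Default.rdp and then validates that WebAuthn tunnelling is on and that no USB device (such as the Yubikey's HID FIDO interface) is being shared at the same time. It assumes that the "redirectwebauthn" and "usbdevicestoredirect" properties are the RDP-file settings behind the WebAuthn checkbox and the USB device list, and the host name and file name are example values.

```powershell
# Added example: build and validate an .rdp file that tunnels WebAuthn
# without also redirecting the security key as a raw USB device.

function Test-WebAuthnRdpFile {
    param([Parameter(Mandatory)][string]$Path)

    # Each RDP line has the form name:type:value, e.g. "redirectwebauthn:i:1"
    $settings = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        $parts = $line -split ':', 3
        if ($parts.Count -eq 3) { $settings[$parts[0].ToLower()] = $parts[2] }
    }

    $problems = @()
    if ($settings['redirectwebauthn'] -ne '1') {
        $problems += 'redirectwebauthn is not enabled (the WebAuthn checkbox is unticked)'
    }
    # Sharing the Yubikey itself (HID FIDO) as a USB device breaks the tunnel
    $usb = $settings['usbdevicestoredirect']
    if (-not [string]::IsNullOrWhiteSpace($usb)) {
        $problems += "usbdevicestoredirect is '$usb'; do not share the security key as a USB device"
    }
    # Fullscreen (screen mode id 2) hides the local desktop where the key dialog appears
    if ($settings['screen mode id'] -eq '2') {
        $problems += 'screen mode id is fullscreen; the authenticator dialog appears on the local desktop'
    }

    [pscustomobject]@{ Path = $Path; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Example content (host name is a placeholder); mstsc writes RDP files as UTF-16
$rdp = @"
full address:s:remote-vm.example.internal
screen mode id:i:1
redirectwebauthn:i:1
usbdevicestoredirect:s:
"@
$target = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'webauthn-tunnel.rdp'
Set-Content -LiteralPath $target -Value $rdp -Encoding Unicode

Test-WebAuthnRdpFile -Path $target
```

Run `Test-WebAuthnRdpFile` against Default.rdp as well if you decided to make the tunnel the default; an empty `usbdevicestoredirect` value and `redirectwebauthn:i:1` together are the combination the page describes as working.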
Remote Computer or VM
On the remote computer or VM, from which you will be logging into Teams, Outlook, OneDrive or some other service that requires 2FA, after getting to Remote Desktop Services you choose:
Remote Desktop Session Host
Device and Resource Redirection
Now double click on "Do not allow supported Plug and Play device redirection". This policy will also initially be Not Configured, but when it is not set the default is to prohibit redirection, so the setting is phrased backward. In order to enable redirection, you have to Disable this policy. Change "Not Configured" to "Disabled".
You have to repeat this on every remote computer and every Hyper-V VM that requires redirected WebAuthn.
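Repeating the two gpedit.msc changes on every server, Spinup and Hyper-V VM is tedious and easy to get wrong, in particular the backward "Disabled means allowed" host policy. The PowerShell below is an added example (not part of the original page) that sets and reads back the registry values local Group Policy writes for these two policies. It assumes that fUsbRedirectionEnableMode under the Client key and fDisablePNPRedir under the Terminal Services policy key are the values the TerminalServer ADMX template uses for these settings; those names are not on the page, so confirm them against the template in your environment before relying on the script.

```powershell
# Added example: script the two policies instead of clicking through gpedit.msc.
# Run in an elevated PowerShell session on the machine being configured.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Enable-WebAuthnRedirectionClient {
    # Client side: "Allow RDP redirection of other supported RemoteFX USB devices
    # from this computer". Assumed value: 1 = Administrators only, 2 = Administrators and Users.
    param([ValidateSet(1, 2)][int]$Mode = 2)
    $key = Join-Path $policyRoot 'Client'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'fUsbRedirectionEnableMode' -Value $Mode -Type DWord
}

function Enable-WebAuthnRedirectionHost {
    # Session host side: "Do not allow supported Plug and Play device redirection"
    # must be Disabled, i.e. the assumed value fDisablePNPRedir = 0.
    # Not Configured (value absent) also prohibits redirection.
    New-Item -Path $policyRoot -Force | Out-Null
    Set-ItemProperty -Path $policyRoot -Name 'fDisablePNPRedir' -Value 0 -Type DWord
}

function Get-WebAuthnRedirectionState {
    # Read back what is actually in the registry so the backward host policy is not misread
    $client = Get-ItemProperty -Path (Join-Path $policyRoot 'Client') `
        -Name 'fUsbRedirectionEnableMode' -ErrorAction SilentlyContinue
    $server = Get-ItemProperty -Path $policyRoot `
        -Name 'fDisablePNPRedir' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ClientUsbRedirectionMode = if ($client) { $client.fUsbRedirectionEnableMode }
                                   else { 'Not Configured (redirection not allowed)' }
        HostPnPRedirectionBlocked = if ($server) { [bool]$server.fDisablePNPRedir }
                                    else { 'Not Configured (redirection prohibited)' }
    }
}

# Typical use on a remote VM: allow redirection on the session host, then verify.
Enable-WebAuthnRedirectionHost
Get-WebAuthnRedirectionState
```

The client policy is documented as requiring a restart before Remote Desktop Connection picks it up, so plan a reboot (or at least `gpupdate /force` followed by a fresh mstsc.exe launch) after running it. On a workstation managed through AD these local values are overwritten by the domain policy at the next refresh, which is why the domain-level change described under the Yale ITS section is the durable fix there.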
Sanity Check - Although this is described as a "device redirection", and you can actually redirect devices (like a WebCam, if for some reason you wanted to), what is really happening here is that the connection between the Browser and the Authenticator (Security Key or Passkey) is tunnelled between the two machines. While it is true that the Yubikey is also a USB device, a Phone doing Passkey authentication is connected by Bluetooth and cannot be redirected as a device. Microsoft has chosen not to create a separate Group Policy and RDC checkbox for USB device sharing on the one hand and, on the other, tunnelling the program-to-program communication from the Browser to the Authenticator-selection dialog of Windows. Both are included in the "Plug and Play device redirection" option even though program-to-program protocol tunnelling is not really a device redirection.
Use
Use Remote Desktop Connection with the redirected WebAuthn share to connect to the remote computer or VM. On the remote computer begin the login to the service that requires the Security Key or Passkey authentication. The security key or passkey selection dialog will pop up on your local computer screen, not on the remote screen. Therefore, it would probably be confusing if you tried to do this with the Remote Desktop in Fullscreen mode, because you need access to both the remote and local desktops to complete the login.
Yale ITS PROD AD Group Policy configuration
The good news is that it appears to be possible for an administrator to set the policy on Windows Servers in the machine room and Spinups.
The bad news is that Endpoint Engineering pushes out from AD a setting that blocks even machine admins from running the Group Policy Editor on Managed Workstations. If we are going to deploy More Secure Yale, we need Endpoint Engineering to make the Client change to Group Policy and push it out from AD to at least the Managed Workstations in the MSY group, but I think that pushing it out to everyone should not be particularly controversial.
Client Must Be mstsc.exe (Remote Desktop Connection)
The WebAuthn redirect support is not available in the Remote Desktop program you get from the Microsoft Store, or in the similar Virtual Machine Connection program that you can use from Hyper-V Manager to connect to a running VM.
The only program that supports the protocol today is C:\Windows\System32\mstsc.exe (Remote Desktop Connection), which means that a Hyper-V VM has to have a virtual network connection between it and the Host computer.