w3c / webauthn

Web Authentication: An API for accessing Public Key Credentials
https://w3c.github.io/webauthn/

Support for remote desktops #1577

Open agl opened 3 years ago

agl commented 3 years ago

Initially filing this as a placeholder for the level three charter:

As WebAuthn becomes more common (yay!) the need to support remote desktop products becomes more salient. This is delicate because a remote desktop violates the proximity assurances of WebAuthn, but we'll struggle to save the world from passwords if we don't support them.

Thus in level three we may wish to consider things like additional CollectedClientData fields for this and I wouldn't want charter questions to exclude that.

MasterKale commented 3 years ago

This'll be an interesting issue to solve. I can't imagine a browser running in a VM is going to have any insight into the fact that USB passthrough is being used to expose a roaming authenticator (plugged into the client running remote desktop) to it for it to report that back within clientDataJSON...

agl commented 3 years ago

The rough design that we have in mind would avoid those issues, although we're only flagging it for the charter for now.

serianox commented 3 years ago

I think that this is already working out of the box on Windows 10 for NFC authenticators (see https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services).

kzu commented 2 years ago

Definitely not working with Okta/webauthn via Remote Desktop (never even get the prompt, have both USB yubikey + windows hello configured for the account):


serianox commented 2 years ago

Tested, and working out of the box with remote desktop in NFC. In HID, it is required to configure forwarding of the USB device first. Both local and remote station were running Windows 10.

In case the remote desktop protocol doesn't forward PCSC, I suppose that forwarding the CCID is enough to get NFC working, in the same fashion as forwarding USB for HID.

seism0saurus commented 2 years ago

Hi @serianox, could you explain how you did it with USB HID? I use RDP and tried redirection of the FIDO token device with RemoteFX, Donglify and USB over Ethernet. All three make the token visible in the device manager and I can access it in the Windows security token configuration. But every website gives me the same error as kzu showed.

> Tested, and working out of the box with remote desktop in NFC. In HID, it is required to configure forwarding of the USB device first. Both local and remote station were running Windows 10.
>
> In case the remote desktop protocol doesn't forward PCSC, I suppose that forwarding the CCID is enough to get NFC working, in the same fashion as forwarding USB for HID.

serianox commented 2 years ago

@seism0saurus The remote desktop application probably needs to be launched as administrator, because it is accessing the FIDO device directly, and not through Windows' webauthn.h.

seism0saurus commented 2 years ago

@serianox that did not help. Which RDP tool are you using? It does not look like the built-in RDP tool from Windows.

victorhooi commented 2 years ago

@serianox I'd love to know your setup for RDP with USB HID if possible please? =)

What RDP client did you use, and did you have to do anything on the server/client to enable this?

serianox commented 2 years ago

It was done with VMware Horizon, with the following setup:

charlespick commented 1 year ago

Can someone explain to me what is happening here. I have a YubiKey connected to a Dell Wyse 3040. ThinOS RDP connection to a Windows 10 machine. When I try to authenticate, it says press the button on my key and when I do, it fails to authenticate. I was expecting it to either work or not do anything. How is it able to detect that I am connected remotely or why else is it failing?

Firstyear commented 1 year ago

> Can someone explain to me what is happening here. I have a YubiKey connected to a Dell Wyse 3040. ThinOS RDP connection to a Windows 10 machine. When I try to authenticate, it says press the button on my key and when I do, it fails to authenticate. I was expecting it to either work or not do anything. How is it able to detect that I am connected remotely or why else is it failing?

I don't think this is a question for the webauthn wg since this is about spec design. For windows RDP specific details, you need to query microsoft and their docs. Specifically you should look at: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpewa/68f2df2e-7c40-4a93-9bb0-517e4283a991

charlespick commented 1 year ago

> > Can someone explain to me what is happening here. I have a YubiKey connected to a Dell Wyse 3040. ThinOS RDP connection to a Windows 10 machine. When I try to authenticate, it says press the button on my key and when I do, it fails to authenticate. I was expecting it to either work or not do anything. How is it able to detect that I am connected remotely or why else is it failing?
>
> I don't think this is a question for the webauthn wg since this is about spec design. For windows RDP specific details, you need to query microsoft and their docs. Specifically you should look at: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpewa/68f2df2e-7c40-4a93-9bb0-517e4283a991

interesting that there is custom support for webauthn in rdp. I thought it was just usb tunneling. Thanks

kzu commented 1 year ago

At some point, this just started working fine for me.