Check the appropriate device and it will be available to you on the remote machine to authenticate with. You should now see “Other supported RemoteFX USB devices” with a list of devices. Go to the “Local Resources” tab of the RDP client settings and click “More…” under “Local devices and resources”. Once we’ve done all of the setup the only thing left to do is to start a remote desktop session with device redirection enabled. We’ll need to set the policy to “Disabled” and then reboot the computer. The naming of this policy is very confusing since it is enabled by default if left unconfigured.
The policy we’re looking for is called “Do not allow supported Plug and Play device redirection” and is located here in the tree:
#MULTIPLE RDP REDIRECTION DEVICES UPDATE#
Similarly to the client computer we will need to update a Group Policy on the server as well. Setting up the Remote Machine Updating the Remote Group Policy You can find the HID device by switching to “Devices by connection” in the “View” menu and looking for the other entires under the same “USB Composite Device”.Īfter making these changes I recommend rebooting the client computer, although it may not be strictly necessary. The easiest way to find the YubiKey is to look under “Smart card readers”. To find the ID for other models of Yubikey (or any other device for that matter) look at the “Class Guid” property of the top level device in Device Manger. You can use the following registry file to automatically add the required entries. I pulled these device IDs from a Yubikey 4 so your mileage may vary using other models.
#MULTIPLE RDP REDIRECTION DEVICES WINDOWS#
By default Windows will not list the Yubikey as a device that can be redirected so we need to add it’s USB device ID to the list. We’ll also need to make some changes to the registry. We can set it to either “Administrators and Users” or “Administrators Only” depending on the use-case. The policy we’re looking for is called “Allow RDP redirection of other supported RemoteFX USB devices from this computer” and is located here in the tree:
You can do this via the “Local Group Policy” MMC or if you are domain-joined you can push out the setting with a domain Group Policy Object. The first thing we’ll need to do on our client computer (the one where the Yubikey physically resides) is make some changes to Group Policy. I’ll keep playing around with it but if you manage to get it working let me know! Setting up the Client Machine Updating the Local Group Policy The device itself does redirect but the U2F functionality just times out in every browser I’ve tried.
It looks like a recent update or some change in browser behavior has caused U2F to no longer function properly over RemoteFX redirection. You can use the native RDP smartcard redirection to use PIV and GPG functionality without doing any extra work. It’s worth noting that this guide only applies to OTP/U2F functionality. Two factor authentication is great, but what about when you primarily do your work on a virtual desktop or need to sign in to a U2F application remotely? Luckily we can use RemoteFX USB device redirection to solve this problem and successfully authenticate using our local Yubikey on the remote machine.
0 kommentar(er)
