How to Use YubiKeys with Phishing Resistant MFA in Azure VMs?

Asked By TechSavvy42 On

I'm currently managing secondary admin accounts with phishing resistant MFA policies and am facing issues with YubiKeys when accessing Azure VMs through RDP. Specifically, I'm unable to pass my YubiKey 5 to the VM, as it keeps saying there are no valid certificates on the smart card. Each month, I need to perform tasks in a VM, like installing an Entra Private Access Connector, that require disabling phishing resistant MFA temporarily, which is quite inconvenient, as the process takes a while. I'm looking for recommendations or solutions to effectively use my YubiKeys under these conditions. What am I missing here?

3 Answers

Answered By SecurityGuru88 On

Regarding the error about no valid certificates, you need to ensure a certificate is generated and stored on both the VM and the YubiKey. You can do this using the YubiKey Manager software. Once you have the cert on the VM, you should be set!

Answered By CloudNinja99 On

Are you using Server 2022 or higher? If you’re coming from a Windows device, it’s worth pairing FIDO2 with PIV since there are compatibility issues with older servers or if you're connecting from a Mac. You might also want to consider using a temporary access pass (TAP); although it’s not phishing resistant, it could work for your needs occasionally.

Answered By RemoteAccessExpert On

There are some third-party programs that allow you to share a USB key with a remote computer, but these often require additional installations on both machines and tend to run outside of RDP. RDP does support smart cards if enabled, and I suggest checking out VirtualHere USB Client or FlexiHub. They allow USB over IP, which might solve your issue.
