Hi everyone! I'm currently working with a Windows Server 2022 that's part of an Azure Virtual Desktop Host Pool. I'm using this server as a jump host to reach other VMs in my network. One of the requirements is that I need to use a YubiKey for MFA. My YubiKey is set up as a FIDO2 device, and I'm able to log into my Azure account with it without any issues. However, when I RDP into my VM using the Azure Virtual Desktop Preview app and then try to connect to another VM within my network, I get stuck at the Entra login page. After entering my password, it prompts me for the security key, and although I touch my YubiKey, it keeps asking for it and doesn't seem to recognize it. I did test the YubiKey in Notepad and it types out characters fine, so USB passthrough seems to be working. Does anyone have experience with this or know how to solve this issue? Microsoft support hasn't been much help, so I'm hoping for some insights!
3 Answers
That’s a pretty interesting scenario! Technically, for the second VM to request the YubiKey, it must be able to directly interact with it without any barriers. Is the prompt showing in a browser or some app on the second VM? I'm surprised this hasn't been exploited more, given how you're mimicking a keyboard just by touching it!
It sounds like you need to enable WebAuthn on your host pool. That's the feature that helps to pass the FIDO authentication from your RDP session to the YubiKey. Check out this video for a step-by-step guide on how to set it up! 🙌 https://www.youtube.com/watch?v=_PrgdDH1oB4&t=308s
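As an added example (not part of the answer above, and not code from Microsoft or the thread), this is how the host pool setting that answer refers to can be applied and verified from PowerShell. WebAuthn redirection on Azure Virtual Desktop is controlled by the custom RDP property `redirectwebauthn:i:1`, which tells the session host to send FIDO2/WebAuthn requests back to the client where the YubiKey is plugged in, instead of trying to reach the key over the session. The script assumes the Az.DesktopVirtualization module and an existing `Connect-AzAccount` sign-in; the resource group and host pool names are placeholders, and the registry path used for the policy check is the one the "Do not allow WebAuthn redirection" Group Policy is assumed to write.

```powershell
# Added example: enable WebAuthn redirection on an AVD host pool and check that
# the session host is not blocking it by policy. Names below are placeholders.

$ResourceGroup = 'rg-avd-example'       # placeholder resource group
$HostPool      = 'hp-jumphost-example'  # placeholder host pool

# 1. Read the current custom RDP properties so existing settings are preserved.
$pool  = Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPool
$props = @()
if ($pool.CustomRdpProperty) {
    $props = $pool.CustomRdpProperty.TrimEnd(';') -split ';'
}

# 2. Drop any existing redirectwebauthn entry and set it to 1
#    (1 = forward WebAuthn requests from the session to the local client).
$props    = @($props | Where-Object { $_ -and $_ -notlike 'redirectwebauthn:i:*' })
$props   += 'redirectwebauthn:i:1'
$newProps = ($props -join ';') + ';'

Update-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPool -CustomRdpProperty $newProps
Write-Host "Custom RDP properties now: $newProps"

# 3. Run on the session host: confirm Group Policy has not disabled redirection.
#    The 'Do not allow WebAuthn redirection' policy is assumed to set
#    fDisableWebAuthn = 1 under the Terminal Services policy key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$disabled  = (Get-ItemProperty -Path $policyKey -Name fDisableWebAuthn -ErrorAction SilentlyContinue).fDisableWebAuthn
if ($disabled -eq 1) {
    Write-Warning 'fDisableWebAuthn = 1: WebAuthn redirection is blocked by policy on this session host.'
} else {
    Write-Host 'No policy blocking WebAuthn redirection found on this session host.'
}
```

After the host pool is updated, the client has to refresh its subscribed workspace before the new property reaches the session. Note that this property only governs the hop from the Remote Desktop client to the jump host; the second hop (the RDP session the jump host opens to the other VM) has its own redirection settings, so that session must also be allowed to redirect WebAuthn for the security key prompt to reach the physical YubiKey.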
I get your frustration with Microsoft support! Are they unclear about whether this setup is even supported? I think it's essential to clarify if they understand your scenario and the end goal you're trying to achieve. Sometimes communication breakdowns happen!
Yeah, it seems they don't fully grasp my situation. They mentioned that USB passthrough doesn't work with Bastion, but I can still use my YubiKey for typing characters when I'm RDP'd into the VM.