
FIDO2 Security Key no longer working over Microsoft RDP (Windows Security prompt is missing/Windows Hello) #6808

Closed
1 task done
jonessanderson opened this issue Nov 6, 2023 · 10 comments
Labels
browser Browser Extension bug

Comments

@jonessanderson

jonessanderson commented Nov 6, 2023

Steps To Reproduce

  1. Setup FIDO2 key with machine via Windows Hello
  2. Have a specific app within a Microsoft SSO environment require FIDO2/security key
  3. Connect to that computer over RDP with FIDO2 plugged into the connecting from (client) computer
  4. Attempt to login to an account that requires Security Key (FIDO2 in this case)
  5. Bitwarden intercepts the would-be Windows Security/Windows Hello prompt (that asks if you want to use a passkey, PIN, security key, etc.). That Windows Hello/normal Windows authentication prompt no longer displays; instead just the Bitwarden passkey prompt displays.
  6. When clicking the Use Browser instead option from the Bitwarden passkey popup, nothing happens. The Windows Hello/Windows security prompt does not display (the prompt that asks you to choose how you want to authenticate)
  7. Microsoft Edge
  8. If I try to login to this web portal service locally, then after clicking the Use Browser option, the Windows Security/Windows Hello prompt displays without issue, and I can authenticate just fine.
  9. This issue seems to be specific to connecting over RDP (passing through the FIDO2 security key).

Expected Result

After connecting with Microsoft RDP client, opening web browser, and connecting to a web app portal that requires FIDO2, a Windows Security prompt should display on the screen, and ask me to choose how I want to sign in (with passkey, with iPhone, iPad, or Android device, or with security key). I typically choose security key, enter my Windows Hello PIN number (Edit: my FIDO2 PIN number), then touch my FIDO2 key to complete authentication. This is the normal flow that no longer works. -- the Windows Security/Windows Hello prompt does NOT display after choosing "use browser"

Actual Result

When completing the steps above, and after choosing "Use Browser" in the Bitwarden passkey popup, the Windows Security prompt does not display. When Bitwarden intercepts the passkey request/auth request away from Windows Security/Windows Hello, it breaks the ability to authenticate with FIDO2 security key over Microsoft RDP.

Screenshots or Videos

[Screenshot: 02windowssecurityprompt]

Additional Context

Please allow me to disable the Bitwarden passkey prompt. I really need to have full compatibility with the Windows Hello/Windows Security prompt as it's the only official/supported way to authenticate with FIDO2 over RDP. Please kindly let me know if you have any questions or if I can help in any way.

Operating System

Windows

Operating System Version

Windows 11 23H2 22631.2428

Web Browser

Microsoft Edge

Browser Version

118.0.2088.76

Build Version

Official Build 118.0.2088.76

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
@jonessanderson jonessanderson added browser Browser Extension bug labels Nov 6, 2023
@nfischer

nfischer commented Nov 7, 2023

Probably related to issue #6824

@jonessanderson
Author

jonessanderson commented Nov 8, 2023

> Probably related to issue #6824

This is different. In the issue you linked, the user is able to click "use browser" and then it works. Here -- the "use browser" option still does not provide the Windows Security/Windows Hello prompt to choose an auth method; instead -- it prompts the integrated browser version to use the security key, which does not work over Microsoft RDP as that process relies on the Windows Hello/Windows Security prompt.

@jonessanderson
Author

Adding an update since I have to login to this service once every day or so -- Today I confirmed I was on the new latest version of the extension 2023.10.2 and have the URL excluded. Confirmed it is no longer prompting the empty/use browser Bitwarden window, so it seems the exclusion is working, but instead of allowing the Windows Security prompt to display, it displays the built-in Edge/browser security key flow (dropdown from top center of screen). This flow is not compatible with RDP, so something is still causing the Windows Security prompt to be blocked, but disabling Bitwarden altogether immediately resolves the issue.

Using FIDO2 over RDP via Windows Security/Hello I assume is not a very common auth flow so I am happy to help troubleshoot or test this in any way to help resolve this.

@coroiu
Contributor

coroiu commented Nov 9, 2023

Thank you very much for getting back to us with an update! I'm not sure about how common this flow is but we'll gladly accept the help nonetheless!

We have tried to replicate your issue but were unable to get FIDO2 over RDP working even without the extension installed. Would you be able to tell us a bit more about your setup? Are you running the same version of Windows on both devices?

I'm also a bit surprised that the domain exclusion doesn't work; it's implemented in such a way that it completely disables the FIDO2 functionality, leaving the page completely untouched, so there shouldn't be anything interfering with your flow. The thing is that the 2023.10.2 update also contained a change where the extension now automatically hands over the FIDO2 request to the browser if no matching passkey for that specific site was found in your vault. I'm wondering if maybe the reason that you are no longer seeing the Bitwarden popup is because of this change, and that the exclusion is not actually taking effect. Could you double-check the exclusion entry? Did you enter the full domain, including subdomains?

Again, thank you so much for your help troubleshooting! We very much appreciate it!
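The comment above describes the decision an extension that wraps WebAuthn has to make on every `navigator.credentials.get()` call: serve the request from its own vault, or hand it back to the browser's native implementation (on Windows, the native path is what raises the Windows Security prompt). The following is an added illustration of that routing, written for this page and not Bitwarden's code. The vault contents, the simplified rpId rule, the credential-ID matching against `allowCredentials` and the fake `nativeCredentials` object are all assumptions so that the file runs stand-alone under Node without a DOM.

```javascript
// Added example: routing a WebAuthn get() request between a password-manager
// vault and the browser's native implementation. Not Bitwarden's code; vault
// data, rpId rule and the fake native object are assumptions for a Node run.

// Constructed stand-in for navigator.credentials, which Node does not have.
// In a real browser this is the platform authenticator / Windows Security path.
const nativeCredentials = {
  async get(options) {
    return { source: "browser", rpId: options.publicKey.rpId };
  },
};

// Constructed vault: one passkey for example.com with credential ID "abc".
const vault = new Map([["example.com", [{ credentialId: "abc" }]]]);

// WebAuthn rule: rpId must equal the origin's host or be a registrable-domain
// suffix of it. The public-suffix check is simplified to "at least two labels".
function isValidRpId(rpId, originHost) {
  if (!rpId || rpId.split(".").length < 2) return false;
  return originHost === rpId || originHost.endsWith("." + rpId);
}

// Pure policy function: decides who handles the request and why, so the
// routing can be tested without a browser.
function routeGetRequest({ options, originHost, vaultStore, excludedDomains }) {
  const rpId = options.publicKey?.rpId ?? originHost;
  if (!isValidRpId(rpId, originHost)) {
    return { handler: "browser", reason: "invalid rpId" };
  }
  // Excluded domain: the page is left untouched and the browser handles everything.
  if (excludedDomains.has(originHost) || excludedDomains.has(rpId)) {
    return { handler: "browser", reason: "excluded domain" };
  }
  // A relying party that requires a specific registered authenticator sends a
  // non-empty allowCredentials list; only a vault passkey whose ID is on that
  // list can satisfy it. Otherwise hand over so a hardware key can answer.
  const candidates = vaultStore.get(rpId) ?? [];
  const allow = options.publicKey?.allowCredentials ?? [];
  const usable = allow.length === 0
    ? candidates
    : candidates.filter((c) => allow.some((a) => a.id === c.credentialId));
  if (usable.length === 0) {
    return { handler: "browser", reason: "no matching passkey" };
  }
  return { handler: "vault", reason: "match", credentialId: usable[0].credentialId };
}

// Wrap the native get(): keep a bound reference to the original so the
// handover is a real call-through, not a re-implementation of the prompt.
function wrapCredentialsGet(native, originHost, vaultStore, excludedDomains = new Set()) {
  const originalGet = native.get.bind(native);
  return async function get(options) {
    const decision = routeGetRequest({ options, originHost, vaultStore, excludedDomains });
    if (decision.handler === "browser") return originalGet(options);
    return {
      source: "vault",
      rpId: options.publicKey?.rpId ?? originHost,
      credentialId: decision.credentialId,
    };
  };
}

// Stand-alone demo: the SSO case from the thread, where the account requires a
// specific security key the vault does not hold, so the request is handed over.
const wrappedGet = wrapCredentialsGet(nativeCredentials, "login.example.com", vault);
wrappedGet({ publicKey: { rpId: "example.com", allowCredentials: [{ id: "hardware-key-1" }] } })
  .then((result) => console.log("handled by:", result.source));
```

The point of keeping the decision in a pure function is that the failure mode in this thread (an extension answering a request it cannot actually satisfy) becomes a testable policy rather than UI behaviour: an `allowCredentials` list that names only a hardware key, or an excluded domain, must always fall through to the bound original `get`.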

@jonessanderson
Author

jonessanderson commented Nov 10, 2023

Hi Coroiu -- Unfortunately I can't know for sure what pieces of my configuration are required for FIDO2 to work over RDP. I connect from an Azure-joined laptop to an Azure-joined desktop (same organization). I have the FIDO2 key registered with my AzureAD identity as an auth method, and I believe I set up the PIN for the key with Windows (but I don't believe this is specifically linked to Windows Hello, or the specific device, as I use that same PIN when accessing things on my Debian machine).

I have not successfully been able to get FIDO2 to work over RDP with any client other than official Microsoft RDP.
I have both of these checked under "More Resources":
  - Smart Cards or Windows Hello for Business
  - WebAuthn (Windows Hello or security keys)

When I connect over RDP, instead of using a password I use my laptop's Windows Hello pin (the computer I connect to has a different pin).

I am not totally sure how much Windows Hello has to do with this, but I assumed that being able to complete the initial RDP connection with just a PIN could be related to Windows Hello. Windows Hello is set up on both machines, but with a different PIN.

To summarize this -- I have never been able to use the built in browser security key flow when connected over RDP, if I don't get the Windows Security prompt, it will not work and instead just prompt me to insert the key which is already inserted.

Hope this helps.

Edit: These are both Windows 11 Pro machines. I confirmed the exclusion is working because the bitwarden popup does display if I remove the exclusion, but if I re-add it I don't get the bitwarden pop up.
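The two "More Resources" checkboxes listed above correspond to per-connection settings in an .rdp file, which is the form you want when you need the same redirection every time or want to diff a working connection against a broken one. The fragment below is an added example for this page, not something from the original post; `desktop-01.example.internal` is a placeholder host name.

```text
full address:s:desktop-01.example.internal
redirectsmartcards:i:1
redirectwebauthn:i:1
```

`redirectsmartcards:i:1` is the "Smart Cards or Windows Hello for Business" box and `redirectwebauthn:i:1` is "WebAuthn (Windows Hello or security keys)". With the latter set to 0 the key never becomes visible inside the session, and the symptom is exactly the one described in this thread: the browser's built-in flow asks for a security key that is already inserted. On the session host, the Group Policy "Do not allow WebAuthn redirection" (Remote Desktop Session Host, Device and Resource Redirection) must not be enabled, or the client-side setting is ignored.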

@jonessanderson
Author

jonessanderson commented Nov 10, 2023

> Edit: These are both Windows 11 Pro machines. I confirmed the exclusion is working because the bitwarden popup does display if I remove the exclusion, but if I re-add it I don't get the bitwarden pop up.

Edit02: I am no longer getting the Bitwarden popup/prompt regardless of whether I have the exclusion added or not now --- this is good and, if I understand right, the expected behavior now? I also removed the login entry from my vault that had the domain as a URI. I tested on another machine (VM this time) I used to connect frequently to in the past and am getting the same results. No longer a Bitwarden popup, but still no Windows Security prompt; it just defaults to the built-in Edge/browser flow.

@coroiu
Contributor

coroiu commented Nov 10, 2023

Yes, that is the expected behavior. This is very helpful, thank you! Just want to confirm a few final things:

  1. Are you running the 2023.10.2 version of the extension?
  2. Did you reload the page after adding the domain to the exclusion list?
  3. When you connect to your VM, does it work again if you disable the Bitwarden extension?

@jonessanderson
Author

jonessanderson commented Nov 10, 2023

Update: I think we may be good to go now. I added login.microsoftonline.com into the exclusion list, in addition to removing the regular login entry I had for the main URI. Rebooted machine/browser, reconnected over RDP. Now it is going straight to the Windows Security prompt with no bitwarden popup. I also exempted vault.bitwarden.com and that seems to be working as well with the windows security flow.

Thanks so much for the help with this. It seems the .2 update is working with my setup now.

@coroiu
Contributor

coroiu commented Nov 10, 2023

Ok, then at least we know that the domain exclusion is working properly! We will still have to look into the RDP issue, but at least we have a temporary workaround for now. I'll try to get back to you as soon as we know more 🙂

@jonessanderson
Author

jonessanderson commented Nov 10, 2023

> Ok, then at least we know that the domain exclusion is working properly! We will still have to look into the RDP issue, but at least we have a temporary workaround for now. I'll try to get back to you as soon as we know more 🙂

Yup! FIDO2 in general over RDP can be picky at times, so I was doing my best to remove all the other variables. Restarting browser after each change/update/test, etc. I may do some additional testing tomorrow to see if adding the microsoft URL is what resolved it or not. I will go ahead and close this one out. Thanks again!

Projects
None yet
Development

No branches or pull requests

3 participants