I can not connect with U2f (fido) Yubikey on remote desktop


Nicolas Delamotte

Apr 12, 2016, 9:04:42 AM
to RCDevs Security Solutions - Technical
I successfully registered my U2F key in the WebADM console. However, when I try to use it for the remote connection, the key is not detected.
Could you help me make this work?
Thank you for your help

Nicolas DELAMOTTE
Capture.PNG

Spyridon Gouliarmis (RCDevs)

Apr 13, 2016, 6:53:25 AM
to RCDevs Security Solutions - Technical
Are you using NLA?

Yoann Traut (RCDevs)

Apr 13, 2016, 12:04:17 PM
to RCDevs Security Solutions - Technical
Hello, 

If you are using NLA, you must install the OTP credential provider on both your client and your server.
But in fact, while trying to reproduce your problem, we found a bug.
We have reported the bug to our development team.
I will come back to you when the problem is solved.

Thanks 

Best Regards 

François Lemaire

Aug 18, 2017, 12:05:32 PM
to RCDevs Security Solutions - Technical
Hello,

is this bug solved? Because I'm having the same problem with version 1.1.6 of the OTP credential provider. U2F works locally but not with remote desktop.

Best regards,

François Lemaire

francois...@rcdevs.com

Aug 21, 2017, 6:12:25 AM
to RCDevs Security Solutions - Technical
Hi,

Are you able to connect remotely if you set the login mode to LDAP in WebADM?

François Lemaire

Aug 21, 2017, 6:53:42 AM
to RCDevs Security Solutions - Technical
Hi,

remotely, LDAPOTP works, LDAPU2F doesn't. Strangely, LDAPMFA doesn't work either, I get the same error message as with LDAPU2F.

Best regards,

François Lemaire

francois...@rcdevs.com

Aug 22, 2017, 2:40:48 AM
to RCDevs Security Solutions - Technical
Which OS are the two machines running?

Are they VMs?

François Lemaire

Aug 22, 2017, 4:44:43 AM
to rcdevs-t...@googlegroups.com
The machine being accessed is a Windows 8.1 Professional; I have tried accessing it from a Windows Server 2008 R2 (my main domain controller), a Windows 10 Professional and a Debian stretch box using Vinagre 3.22. I don't know if it's relevant, but WebADM is installed on another Debian stretch box.

Best regards,

François Lemaire



François Lemaire

Aug 22, 2017, 6:01:00 AM
to RCDevs Security Solutions - Technical
I forgot: none are VM.

francois...@rcdevs.com

Aug 22, 2017, 6:37:23 AM
to RCDevs Security Solutions - Technical
Could you also send a screenshot?
The previous error was in an old version.

François Lemaire

Aug 23, 2017, 2:40:36 AM
to rcdevs-t...@googlegroups.com
Here is a screenshot of what appears after the login / password has been successfully checked.

Best regards,

François Lemaire


--
Capture d'écran de 2017-08-23 08-36-31.png

Ibrahim MESLEM (RCDevs)

Aug 25, 2017, 5:18:28 AM
to RCDevs Security Solutions - Technical, sossal...@gmail.com

Hello,
I'm not sure that you can do it this way.
Below you will find a response from a Yubico forum about this issue:
Over RDP, you can:
* Use Yubico OTP, OATH-HOTP, Static Password, Yubico Authenticator (credentials stored on the OATH applet of the NEO / YK4), and PIV

Over RDP, you cannot:
* Use Challenge-Response, OpenPGP, U2F, Yubico Authenticator (credentials stored in Slot 1 or Slot 2), or program YubiKeys using the Personalization Tool

So the alternative way is to use the U2F as an OTP.

Best regards.

François Lemaire

Aug 30, 2017, 10:30:49 AM
to RCDevs Security Solutions - Technical, sossal...@gmail.com
Hello,

I don't understand your message: from what I gather from this thread, it should work but there is a bug in OpenOTP (message sent 13/04/2016), and U2F is different from OTP; I don't understand what it means to use U2F as an OTP.

Regards,

François Lemaire

Laurent A.

Feb 1, 2020, 4:47:00 AM
to RCDevs Security Solutions - Technical
Hello, I know that the problem you mentioned dates from 2 years ago, but did you have a solution to this problem?

On Wednesday, 30 August 2017 at 16:30:49 UTC+2, François Lemaire wrote:
Hello,

I don't understand your message: from what I gather from this thread, it should work but there is a bug in OpenOTP (message sent on 13/04/2016), and U2F is different from OTP; I don't understand what it means to use U2F as an OTP.

Regards,

François Lemaire

On Friday, 25 August 2017 at 11:18:28 UTC+2, Ibrahim MESLEM (RCDevs) wrote:

Hello,
I'm not sure that you can do it this way.
Below you will find a response from a Yubico forum about this issue:
Over RDP, you can:
* Use Yubico OTP, OATH-HOTP, Static Password, Yubico Authenticator (credentials stored on the OATH applet of the NEO / YK4) and PIV

Over RDP, you cannot:
* Use Challenge-Response, OpenPGP, U2F, Yubico Authenticator (credentials stored in Slot 1 or Slot 2) or program YubiKeys using the Personalization Tool

So the alternative is to use the U2F as an OTP.

Best regards.

Support

Feb 2, 2020, 4:52:11 AM
to RCDevs Security Solutions - Technical

Hi,

U2F and FIDO2 require communication between the authentication server (OpenOTP) and the U2F/FIDO2 key. Unfortunately the RDP client and server do not support this communication, so it cannot work.

If you have an RDP solution which can map the USB device to the remote machine, then it could work.

Laurent A.

Feb 2, 2020, 6:28:56 AM
to RCDevs Security Solutions - Technical
Thanks for the information. I have already tried RemoteFX, but it still does not work.

Support

Feb 2, 2020, 6:35:04 AM
to RCDevs Security Solutions - Technical
Hi,

We will have a look to see if there is something we can do to enable RemoteFX, but it could be that the device type is not supported, or that it does not allow connecting the remote device before the session is authenticated.


If you authenticate with some other method and connect the key with RemoteFX, can you see the device on the RDP server device manager?

Laurent A.

Feb 2, 2020, 6:41:53 AM
to RCDevs Security Solutions - Technical
I just ran a test; no, the device is not visible on the RDP server.
On my local computer it is listed under "HID-Compliant FIDO user interface device".
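An added diagnostic for the check Support asked about (this script is not from the thread or from RCDevs' software): run it inside the RDP session on the server to list any FIDO HID device that has been redirected into that session. It assumes a Windows host with the PnpDevice cmdlets available; matching on the usage-page hardware ID `HID_DEVICE_UP:F1D0` relies on Windows naming FIDO HID devices that way.

```powershell
# Added diagnostic: is a FIDO/U2F HID device present in *this* session?
# Assumes Windows 8.1 / Server 2012 R2 or later (Get-PnpDevice is available).

# SESSIONNAME is RDP-Tcp#N (or similar) inside a Remote Desktop session.
$inRdp = $env:SESSIONNAME -like 'RDP-*'
Write-Host "Inside a Remote Desktop session: $inRdp"

# FIDO keys enumerate as HID devices on usage page 0xF1D0; Windows derives
# hardware IDs of the form HID_DEVICE_UP:F1D0_U:0001 for them. The friendly
# name check covers keys that only show as "HID-compliant fido".
$fido = Get-PnpDevice -Class HIDClass -ErrorAction SilentlyContinue | Where-Object {
    $ids = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                -KeyName 'DEVPKEY_Device_HardwareIds').Data
    (($ids -join ' ') -match 'HID_DEVICE_UP:F1D0') -or ($_.FriendlyName -like '*FIDO*')
}

if (-not $fido) {
    Write-Host 'No FIDO HID device is present in this session.'
    Write-Host 'Without one, OpenOTP cannot challenge a U2F/FIDO2 key from the server side.'
} else {
    # Status "OK" means the device is redirected and started; "Error"/"Unknown"
    # usually means redirection was attempted but the driver did not bind.
    $fido | Select-Object Status, FriendlyName, InstanceId | Format-Table -AutoSize
}
```

A device listed here only proves redirection after logon; the credential provider runs before the session is authenticated, so the key can still be absent at the moment OpenOTP needs it, which is consistent with the behaviour reported in this thread.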

Laurent A.

Feb 2, 2020, 6:51:52 AM
to RCDevs Security Solutions - Technical
I spoke too quickly.
The device does show up, but the key still does not flash.

Laurent A.

Feb 2, 2020, 6:53:10 AM
to RCDevs Security Solutions - Technical
Hello, OK, thank you very much.

Support

Feb 2, 2020, 9:00:46 AM
to RCDevs Security Solutions - Technical

Hi,

I tested quickly and the RDP connection will not map the Yubikey to the destination server.

Seems this has been also answered by Yubico: