Combining YubiKey FIDO2 strong pre-session and PIV in-session authentication for Azure Virtual Desktop and Windows 365

by Fredrik Brattstig @virtualbrat

8 July 2025 – IGEL is waiting for Microsoft to add WebAuthn redirection functionality to the RDClientSDK, which IGEL uses as the foundation for the IGEL Azure Virtual Desktop and Windows 365 Apps. In the meantime, here is a nice workaround, or maybe this use case actually appeals to you as a primary function?

YubiKey security keys can be used for FIDO2 authentication, and they also contain certificate slots. You can of course load certificates onto the YubiKey and use it for both pre-session and in-session authentication. However, you might want to use FIDO2 for the main authentication, which in turn, because IGEL uses RDSAADAUTH, provides single sign-on to OAuth resources such as Microsoft Office 365.

You may also want to use certificate-based authentication in-session, e.g. for signing documents. Because the YubiKey can do both, you do not need to give users a YubiKey and a smart card – the YubiKey is enough!

The IGEL configuration is pretty straightforward. You need the IGEL AVD 1.3.2 App or later, and you need to enable the smart card virtual channel, which redirects the smart card calls to the IGEL OS endpoint.
In the IGEL OS config, you will need to enable:
app.avd.sessions.avd(session number).options.enable-smartcard
and that’s it!