Hello Community,
I installed smartcard redirection with the Horizon Agent but my Horizon Client doesn't recognize my Yubikey 5C NFC as a USB device.
So I am unable to redirect the Yubikey. Can someone tell me what I am doing wrong?
However, unlike Horizon Client, my VMware Workstation recognizes the Yubikey as a USB device (see screenshots).
Hi Tom,
Can you please elaborate on how you are wishing to use your Yubikey in your session? Because there are different ways of using it (e.g. for FIDO and WebAuthn) or as an actual smartcard with a certificate on it.
If you are looking at the smart card part please also review this KB article:
Smartcard Authentication with Yubikey does not work when connecting to a Horizon View Agent Desktop ...
Thank you for that link. I will give it a try tomorrow. The mini driver is already installed but I will do this again with the workstation.
My goal is to use Yubikey for M365 2FA (FIDO).
I tried opening the VM in Workstation and yes it worked, when directly redirecting the Yubikey. It was perfectly visible with its drivers.
But my major problem is still that my VMware Horizon Client doesn't recognize the Yubikey. If this problem is not solved I will never see the Yubikey inside the connected session.
Any ideas for that?
Today I was at the office where we also have a Horizon Environment but I was able to see my YubiKey and was able to pass it on too:
For me this all worked out of the box. Which versions of the client and Horizon are you using? So your wish should definitely be possible.
Our farm is currently running Horizon 8.8 (2212) and I am using the 2303 / 8.9.0 (21444108) Client on Windows 11.
Please do note that I first actually have to start a session before I was able to pass on the YubiKey.
Our farm is on the latest version - 8.10 (2306), clients too.
It is so weird that I don’t have any little idea. There is no restriction, nothing!
Yes, I know that I need to start a desktop before I am able to redirect a device.
Based on the reply from @ofox I dug up the release notes for the latest release.
They state this for the Agent configuration:
This release has added the FIDO2 Redirection feature for Windows Client and Agent, which enables users to take advantage of local endpoint FIDO2 components in the remote desktop or remote application. New GPO settings for this feature are Allow FIDO2 Authenticator Access which determines whether applications in remote desktops can access the endpoint's FIDO2 authenticators and FIDO2 Allow List which allows you to specify applications that can access endpoint's FIDO2 authenticators
I am not sure what the default setting for this would be but I can imagine that this may default to off in its unset state. Can you check your ADMX and see what it says? Perhaps having it configured will (in your case) re-enable the use of the YubiKey. As I already showed, on older versions this already works without any problems (probably because it is just seen as another USB device).
Edit:
I found the settings in the documentation:
Very late reply from me but I had to deal with other issues first ...
I have read about the FIDO2 Redirection and I did a configuration for it (with DEM Computer policy).
It works with all browsers (Edge, Chrome, Firefox - the defaults in the policy) but it doesn't work with all the O365 Apps although I added them to the FIDO2 Allow List (chrome.exe;firefox.exe;msedge.exe;outlook.exe;winword.exe;excel.exe;visio.exe;powerpnt.exe;onenote.exe;OneDrive.exe;teams.exe).
Has anyone tried this with the O365 Apps?