Configuring WebAuthn Redirection - Amazon DCV

Configuring WebAuthn Redirection

Beginning with Amazon DCV Server 2023.1, users can authenticate to web applications that use the Web Authentication (WebAuthn) standard in supported browsers within remote sessions. This is done by redirecting the authentication prompts to locally connected FIDO2 authenticators, such as Windows Hello or YubiKey, or any other FIDO2-compliant authenticator.

WebAuthn redirection operates independently of USB redirection. There is no requirement to install any vendor-specific drivers on the Amazon DCV server. Redirection of WebAuthn requests is facilitated through the native API of the browser.

Before using WebAuthn, double check the Supported Features table to make sure you meet all of the requirements.

Supported browsers:

  • Google Chrome 116 or later

  • Microsoft Edge 116 or later

WebAuthn redirection can be enabled or disabled using the webauthn-redirection permission. For more information, see Working with permissions files.

WebAuthn redirection requires a browser extension to be installed on the remote server. When the feature is enabled and the browser extension is installed, any WebAuthn requests initiated by the web applications running in the browser within the session are seamlessly redirected to the local client. Users can then use devices like Windows Hello or YubiKey to finalize the authentication.

Note

While this feature allows WebAuthn within a browser during a remote session, it does not support DCV session authentication using WebAuthn authenticators.

Setting Up the WebAuthn Redirection Browser Extension

Automatic Prompt on First Browser Launch

After installing Amazon DCV Server 2023.1 with WebAuthn redirection enabled, users will be prompted to enable the browser extension when they first launch their browser. If they choose not to install the extension or uninstall it later, WebAuthn redirection will not work. An administrator can enforce installation using Group Policy.

Installing Using the Group Policy

Organizations that need to deploy the extension on a broader scale can use Group Policy.

Using Microsoft Edge:
  1. Download and install the Microsoft Edge administrative template.

  2. Launch the Group Policy Management tool (gpmc.msc).

  3. Navigate through: Forest > Domains > Your FQDN (e.g., example.com) > Group Policy Objects.

  4. Select the desired policy or create a new one, then right-click on it and select "Edit".

  5. Follow this path: Computer Configuration > Administrative Templates > Microsoft Edge > Extensions.

  6. Access "Configure extension management settings", set it to "Enabled".

  7. In the field for Configure extension management settings, enter the following:

    {"ihejeaahjpbegmaaegiikmlphghlfmeh":{"installation_mode":"force_installed","update_url":"https://edge.microsoft.com/extensionwebstorebase/v1/crx"}}

  8. Save the changes and reboot the server.

Using Google Chrome:
  1. Obtain and implement the Google Chrome administrative template.

  2. Similar to the steps for Microsoft Edge, navigate through the Group Policy Management tool.

  3. Proceed to: Computer Configuration > Administrative Templates > Google Chrome > Extensions.

  4. Access "Configure extension management settings", set it to "Enabled".

  5. In the field for Configure extension management settings, enter the following:

    {"mmiioagbgnbojdbcjoddlefhmcocfpmn":{ "installation_mode":"force_installed","update_url":"https://clients2.google.com/service/update2/crx"}}

  6. Save the changes and reboot the server.
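
After the reboot, you can confirm that the policy from the Microsoft Edge and Google Chrome steps above actually reached the server. The following PowerShell check is an added example, not part of the Amazon DCV documentation; it assumes the policy is stored as an `ExtensionSettings` value under the browsers' standard `HKLM:\SOFTWARE\Policies` keys, and the function name `Test-DcvExtensionPolicy` is hypothetical.

```powershell
# Added example: verify the forced-install policy for the DCV WebAuthn extension.
# Run in PowerShell on the Amazon DCV server after the Group Policy has applied.
# Assumption: ExtensionSettings lives under the standard HKLM policy keys below.
# Extension IDs and update URLs are the ones given in the steps above.
$expected = @(
    @{ Browser = 'Microsoft Edge'
       Key     = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
       Id      = 'ihejeaahjpbegmaaegiikmlphghlfmeh'
       Url     = 'https://edge.microsoft.com/extensionwebstorebase/v1/crx' },
    @{ Browser = 'Google Chrome'
       Key     = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
       Id      = 'mmiioagbgnbojdbcjoddlefhmcocfpmn'
       Url     = 'https://clients2.google.com/service/update2/crx' }
)

function Test-DcvExtensionPolicy {
    param([hashtable]$Item)

    $value = (Get-ItemProperty -Path $Item.Key -Name ExtensionSettings `
              -ErrorAction SilentlyContinue).ExtensionSettings
    # The value may be a single string or a multi-string; join it either way.
    $raw = -join @($value)
    if (-not $raw) { return 'policy value not set' }

    # A pasted policy with a missing brace or quote fails here.
    try   { $settings = $raw | ConvertFrom-Json -ErrorAction Stop }
    catch { return 'policy value is not valid JSON' }

    $entry = $settings.($Item.Id)
    if (-not $entry) { return 'extension ID missing from policy' }
    if ($entry.installation_mode -ne 'force_installed') {
        return "installation_mode is '$($entry.installation_mode)'"
    }
    if ($entry.update_url -ne $Item.Url) {
        return "unexpected update_url '$($entry.update_url)'"
    }
    return 'OK'
}

foreach ($item in $expected) {
    '{0,-15} {1}' -f $item.Browser, (Test-DcvExtensionPolicy -Item $item)
}
```

A result other than `OK` for a browser you configured means users can still decline or remove the extension, in which case WebAuthn redirection will not work for them.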

Installing Manually

Extensions can be sourced from the respective browser stores:

For manual installation:

  1. Connect to your Amazon DCV session.

  2. Open your preferred browser, and navigate to the relevant browser store (links above).

  3. Proceed by selecting "Get" (Microsoft Edge) or "Add to Chrome" (Google Chrome).

  4. Follow the on-screen instructions. A confirmation will appear once the extension is successfully added.

Using WebAuthn redirection in Incognito mode (Chrome only)

When using Incognito mode, the Amazon DCV WebAuthn Redirection Extension needs to be specifically allowed to run within it, otherwise WebAuthn Redirection will not occur. To do this:

  1. Open the extension settings.

  2. Find Allow in Incognito in the details.

  3. Toggle the switch to On.