As a user who logs in with FIDO tunneled over RDP, I want to be dynamically alerted to the fact that AuthenticatorChooser must be installed on the RDP client (not server) computer where it can access the FIDO dialog, so that it doesn't look like this program ignored the dialog because this tunneling is very unintuitive and unexpected.
This program could detect this case by listening for `WebAuthN Remote RPC Request` events in the Event Log. It could also check if the current user session is over RDP using `SystemParameters.IsRemoteSession`. Check if the event is for the current user too, which handles the multi concurrent user terminal services scenario.
| Key | Value |
| --- | --- |
| Log Name | `Microsoft-Windows-WebAuthN/Operational` (enabled by default) |
| Source | `WebAuthN` |
| Event ID | `1050` |
| User | domain\name, or maybe SID, of user running AuthenticatorChooser |
| Level | Informational |
| Category | WebAuthN Remote RPC Request |
Event Log export
Since this event would keep occurring even when correctly configured, the user will need a way to acknowledge and suppress this warning in the future, such as a Don't Remind Me Again checkbox in the warning dialog. This means the dialog UI must be custom. Might want DarkNet too.
Maybe the dialog can also offer a button to copy the repo download page URL, which would usually be clipboard tunneled to the RDP client where the user can open it in a browser. Maybe `WM_DESTROYCLIPBOARD` can be used to tell when the clipboard no longer contains the string we copied, so we can change the button state.
Ideally, the dialog box would initially not be positioned in the center of the screen like most dialog boxes, because that's where the client's FIDO dialog would already be on top of it, so it would occlude the warning dialog box and users wouldn't be able to see it.
Markdown Mockup™
To automatically choose the USB security key option,
AuthenticatorChooser must be installed on the RDP client.
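
A sketch of the detection described in this issue, added here as an example and not taken from AuthenticatorChooser's code: it subscribes to event 1050 in the WebAuthN operational log and raises an event only when the session is remote and the record belongs to the current user. The class name `RemoteWebAuthnRequestWatcher` and the `RemoteRequestDetected` event are hypothetical, and it assumes the record's User field carries the requesting user's SID and that the project references WPF for `SystemParameters`.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;
using System.Security.Principal;
using System.Windows; // SystemParameters (WPF)

// Hypothetical class, not part of AuthenticatorChooser.
public sealed class RemoteWebAuthnRequestWatcher: IDisposable {

    private const string LogName = "Microsoft-Windows-WebAuthN/Operational";
    private const int RemoteRpcRequestEventId = 1050;

    private readonly SecurityIdentifier? currentUser = WindowsIdentity.GetCurrent().User;
    private readonly EventLogWatcher watcher;

    // Raised on a thread pool thread; a UI subscriber must marshal to its dispatcher.
    public event EventHandler? RemoteRequestDetected;

    public RemoteWebAuthnRequestWatcher() {
        // XPath filter so that only event 1050 is delivered to the handler.
        var query = new EventLogQuery(LogName, PathType.LogName,
            $"*[System[EventID={RemoteRpcRequestEventId}]]");
        watcher = new EventLogWatcher(query);
        watcher.EventRecordWritten += OnEventRecordWritten;
    }

    // Only events written after this call are delivered, not the log's history.
    public void Start() => watcher.Enabled = true;

    private void OnEventRecordWritten(object? sender, EventRecordWrittenEventArgs e) {
        using EventRecord? record = e.EventRecord; // null if the subscription reported an error

        // Checked per event rather than once at startup, because a console
        // session can later be taken over by an RDP connection.
        if (!SystemParameters.IsRemoteSession) {
            return;
        }

        // Assumption: the record's User field is the requesting user's SID.
        // Comparing it skips other users' requests on a terminal server.
        if (record?.UserId is { } eventUser && eventUser.Equals(currentUser)) {
            RemoteRequestDetected?.Invoke(this, EventArgs.Empty);
        }
    }

    public void Dispose() {
        watcher.EventRecordWritten -= OnEventRecordWritten;
        watcher.Dispose();
    }
}
```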