
Issue and Background

A customer has been in transition to phishing-resistant MFA for their Entra ID IdP, selecting the Yubikey 5 series keys and their FIDO2 support for this purpose. The customer’s offshore vendor was able to authenticate successfully via Entra ID with FIDO2 to the Citrix Gateway on their Windows 10 IoT-based thin clients but was unsuccessful in passing through FIDO2 for authentication to apps and sites within the Citrix session. This behaviour was in contrast to the same vendor having no such issues on regular Windows 10 endpoints, nor the customer’s own experiences where passthrough worked without issues.

Clientside Details

  • Windows 10 IoT LTSC 2019 (corresponding to build 1809)
  • HP thin client model mt22
  • Yubikey 5 devices
  • Citrix Workspace App 2203 LTSR of various CU levels
  • No client-side GPO, registry, or INI configs restricting USB or FIDO2 devices

Serverside Details

  • Windows 10 22H2
  • Citrix VDA software 2203 LTSR CU3
  • FIDO2 Authentication virtual channel allowed (default policy setting)
  • Chrome 64-bit browser

As mentioned, the non-thin client devices just worked out of the box with FIDO2 passthrough functioning as expected and without USB redirection. At the time of this writing, the clientside and serverside minimum requirements were met for FIDO2 authentication passthrough to function successfully as documented by Citrix here, including the minimum client OS version of Windows 10 1809.

Root Cause and Resolution

The root cause lies in the clientside OS version. Although the Citrix documentation, at the time of this writing, indicates that Windows 10 1809 is the minimum required for the FIDO2 virtual channel to function, this does not appear to be the case. In lab testing, it was determined that Windows 10 LTSC 2019 (1809) did not provide FIDO2 passthrough to Citrix via the virtual channel. However, upon upgrading from Windows 10 LTSC 2019 to Windows 10 LTSC 2021 (corresponding to build 21H2), with all other clientside and serverside parameters remaining the same, it worked as expected. Jason Samuel, Citrix Product Manager, has indicated in his incredibly detailed deep dive into the FIDO2 redirection virtual channel that in his testing, Windows 10 1909 was the minimum requirement. The cause of the discrepancy in the Citrix documentation is unknown at present.

To resolve the matter, the vendor and customer had two choices:

  1. Upgrade to a later version of Windows 10 IoT such as moving from LTSC 2019 to 2021 on their fleet of thin clients
  2. Implement legacy FIDO2 passthrough by way of USB device redirection into Citrix

Jason Samuel also provides a writeup on accomplishing #2 with FIDO2 security keys, easily the most detailed writeup on the subject on the Internet, which you can read here.

To summarize the requirement for Yubikey 5 FIDO2 passthrough using the pre-FIDO2 virtual channel:

  • Yubikey Manager must be used to disable all USB protocol interfaces other than FIDO. This is something any user with a computer can do, but it requires manual intervention (unless using the FIDO2-only Yubikeys, which are less expensive and do not contain the other popular interfaces such as PIV/Smart Card and OTP)
  • Client USB Redirection enabled in the serverside Citrix policies and “Client USB device redirection rules” set to allow the specific Yubikey FIDO2 interface VID/PID through for USB redirection, specifically the following rule:
    • Allow: VID=1050 PID=0402 # YubiKey 5c series with FIDO2 enabled
  • Users redirect the Yubikey into their Citrix session via the Desktop Viewer interface

Below is an example of the required Yubikey configuration:

[Image: Yubikey Manager configuration for USB passthrough in Citrix]

Jason’s article goes into great detail on the rationale for disabling these interfaces, and you are encouraged to review it, but in short, aspects of the Yubikeys conflict with various redirection virtual channels in Citrix, from Smart Cards (PIV) to keyboards (OTP). Yubikey’s PID/VID list can be found here, but in the case of the Yubikey 5 keys, enabling only the FIDO interfaces will result in a PID of 0402, which is what will be presented to Citrix (and thus match the policy that controls USB redirection). If your use case requires Smart Cards or OTP, please read Jason’s article for further insights.
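As an added example (not code from the article, Citrix, or Yubico), the following PowerShell check, run on the thin client, reads the Windows build and compares the PID the Yubikey actually presents against the VID/PID in the Citrix redirection rule above, so an administrator can tell whether the key will match the rule before opening a Citrix session. The build threshold of 18363 (Windows 10 1909) is assumed from the testing cited above rather than from Citrix documentation, and Get-PnpDevice comes from the inbox PnpDevice module.

```powershell
# Added example (not the article's code). Assumes Windows PowerShell 5.1 on the thin client;
# the 18363 (Windows 10 1909) threshold is the minimum build from the article's cited testing.
function Test-CitrixFido2Readiness {
    param(
        # Citrix "Client USB device redirection rules" entry for a FIDO-only YubiKey 5 (from the article)
        [string]$AllowRule = 'Allow: VID=1050 PID=0402',
        # Minimum client build for the native FIDO2 virtual channel (1909 = build 18363)
        [int]$MinBuildForVirtualChannel = 18363
    )
    # Pull the VID/PID out of the Citrix rule so it can be compared with PnP instance IDs
    if ($AllowRule -notmatch 'VID=(?<vid>[0-9A-Fa-f]{4})\s+PID=(?<pid>[0-9A-Fa-f]{4})') {
        throw "Rule '$AllowRule' does not contain VID=xxxx PID=xxxx"
    }
    $ruleVid = $Matches.vid.ToUpper()
    $rulePid = $Matches.pid.ToUpper()
    # The client OS build decides whether the native FIDO2 virtual channel is expected to work
    $build = [System.Environment]::OSVersion.Version.Build
    $nativeChannel = $build -ge $MinBuildForVirtualChannel

    # Enumerate present Yubico USB devices. A key with extra interfaces enabled (OTP, PIV, ...)
    # enumerates as a composite device with a different PID, so the redirection rule will not match it.
    $keys = Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -match "^USB\\VID_$ruleVid&PID_[0-9A-F]{4}(&|\\)" } |
        ForEach-Object {
            $presentedPid = $_.InstanceId -replace '^USB\\VID_[0-9A-F]{4}&PID_([0-9A-F]{4}).*$', '$1'
            [pscustomobject]@{
                InstanceId   = $_.InstanceId
                PresentedPid = $presentedPid
                MatchesRule  = ($presentedPid -eq $rulePid)
            }
        }
    if ($nativeChannel) {
        $path = 'Native FIDO2 virtual channel (client build meets the minimum)'
    } elseif ($keys | Where-Object MatchesRule) {
        $path = 'USB redirection: key presents the FIDO-only PID and matches the allow rule'
    } elseif ($keys) {
        $path = "USB redirection: reconfigure the key to FIDO-only (expected PID $rulePid) with Yubikey Manager"
    } else {
        $path = 'No Yubikey detected on this client'
    }

    [pscustomobject]@{
        ClientBuild           = $build
        NativeChannelExpected = $nativeChannel
        YubiKeys              = $keys
        RecommendedPath       = $path
    }
}
Test-CitrixFido2Readiness | Format-List
```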

While the legacy method of FIDO2 authentication in Citrix via USB redirection worked for Windows 10 1809, it isn’t really ideal. A clientside OS upgrade would be the preferred approach.

Conclusion

In summary, despite the documentation at the time of this writing indicating that Windows 10 1809 provides support for the FIDO2 virtual channel in Citrix, it does not per our testing. If this affects your environment as you roll out Yubikeys for FIDO2 authentication, you will either need to upgrade the clientside OS or implement the older method of FIDO2 passthrough.

  • Michael Shuster

    Michael is Ferroque's founder and a noted Citrix authority, overseeing operations and service delivery while keeping a hand in the technical cookie jar. He is a passionate advocate for end-user infrastructure technology, with a rich history designing and engineering solutions on Citrix, NetScaler, VMware, and Microsoft tech stacks.
