Using new Windows 11 RDP parameters redirectwebauthn and enablerdsaadauth with MsTscAx

Question

Using new Windows 11 RDP parameters redirectwebauthn and enablerdsaadauth with MsTscAx

Ed Seidman 6

Windows 11 has added two parameters to the RDP files for the in-box RDP client MsTsc.exe. How can these be enabled in MsTscAx, the ActiveX plugin?
• redirectwebauthn:i:value
• enablerdsaadauth:i:value

https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/rdp-files
Also, is there any way for a program to pass the RDSAAD token into MsTscAx?

2 answers

Your answer

Answer 1

Marc-André Moreau 21

I don't work for Microsoft, but I reverse engineered what mstsc does for "redirectwebauthn". The code logic looks like this:

if (CTscSettings::GetWebAuthnRedirection()) {  
    WebAuthnRedirConfig::GetWebAuthnRedirDynVCPluginPath()  
    IMsTscAdvancedSettings::PluginDlls()  
}

There's a webauthn plugin registered - see more info here https://learn.microsoft.com/en-us/windows/win32/termserv/dvc-plug-in-registration
and here https://learn.microsoft.com/en-us/windows/win32/termserv/imstscadvancedsettings-plugindlls

You can obtain the webauthn plugin dll path this way:

Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Microsoft\Terminal Server Client\Default\AddIns\webauthn" -Name "Name"

The default value is "C:\WINDOWS\System32\webauthn.dll"

Beyond this, there is a registry key to disable WebAuthn redirection globally:

Set-ItemPropertyValue -Path "HKLM:\SOFTWARE\Microsoft\Terminal Server Client" -Name "DisableWebAuthnRedirection" -Value 1
Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Microsoft\Terminal Server Client" -Name "DisableWebAuthnRedirection"

I hope this helps. As for enablerdsaadauth:i:1 I have done a lot of Azure Virtual Desktop reversing, and I really doubt it's possible to make it work outside of AVD. You would also need to use rdclientax.dll instead of mstscax.dll, but even then, I couldn't manage to get an AVD connection done through the RDP ActiveX interface.

https://blog.devolutions.net/2022/08/extending-the-microsoft-rdp-client-with-api-hooking/

Please let me know if you do make some progress on that front though!

Cheers

Ed Seidman 6 Reputation points

2023-01-24T20:03:25.37+00:00

Hi Marc,

Regarding webauthn. webauthn.dll is not registered as a plugin on my system, and webauthn redirection still happens, so I don't think this is actually a plugin that handles this. And the item was not disabled in the registry.

Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Microsoft\Terminal Server Client" -Name "DisableWebAuthnRedirection" Get-ItemPropertyValue : Property DisableWebAuthnRedirection does not exist at path.

I am on Windows 11. Was your work on Windows 11? or Windows 10? Maybe these are different?
Ed Seidman 6 Reputation points

2023-01-31T18:58:30.45+00:00

Hi Marc,

Thanks for this answer. I tried it a couple of months ago when you first posted it and it didn't work. Tried it again today, and it solved our WEbAuthN passthrough issue. Microsoft even has a page on it now: https://learn.microsoft.com/en-us/windows/win32/api/tsvirtualchannels/nn-tsvirtualchannels-iwtsplugin#remarks
Marc-André Moreau 21 Reputation points

2023-01-31T19:30:14.7833333+00:00

Hi Ed,

I'm glad that I could help! Indeed, it's now at least mentioned somewhere in the docs ;)
Oliver Mahr 10 Reputation points

2023-12-08T09:35:15.36+00:00

Hi Ed - what have you done that it is working for you? I'm trying to implement too - but can't get it running!
Oliver Mahr 10 Reputation points

2023-12-08T09:42:16.06+00:00

To add more details - I'm using mstscax in a .net application - setting the PluginDlls parameter for webauthn-path - this is working for other plugins but not for webauthn.dll - do I need to initialize the dll myself in any way? I also asked MS but they told me that is not officially supported :-(
Tim 116 Reputation points

2024-12-16T21:53:20.4533333+00:00

@Ed Seidman @oliver mahr

I'm trying to get the same thing to work in a thin client that uses mstscax. How does this work? It seems Ed may have solived it and Oliver was still searching for an answer last this thread left off. I've tried adding webauthn.dll to the PluginDlls option and also tried creating a virtual channel, but I'm not understanding how you interface with the plugin after loading it. The documentation linked above seems to be if you are implementing virtual channels on some other client and not necessarily related to the mstscax, but i could be wrong about that.

Answer 2

I spoke too fast with regards to enablerdsaadauth:i:1 - it's documented as supported for regular RDP connections outside of AVD, and should enable the newer Azure AD SSO feature that doesn't rely on CredSSP+PKU2U for Azure AD accounts: https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/rdp-files

There is a new "EnableRdsAadAuth" BOOL property you can set through IMsRdpExtendedSettings

Hopefully just setting to true will be enough to make it work through the RDP ActiveX. As for manually injecting the RDS AAD tokens, there appears to be internal COM interfaces that deal with it, but I don't think they're documented or officially exposed externally:

Share via

Using new Windows 11 RDP parameters redirectwebauthn and enablerdsaadauth with MsTscAx

2 answers

Your answer