Citrix Virtual Apps and Desktops

FIDO2 and WebAuthn authentication

Local authorization and virtual authentication using FIDO2 and WebAuthn

Users can authenticate to applications that leverage FIDO2 or WebAuthn in their virtual session using FIDO2 security keys and integrated biometrics devices with TPM 2.0 and Windows Hello.

For more information about FIDO2, see FIDO2: WebAuthn & CTAP.

For information about using this feature, see FIDO2 redirection.

NOTE

Please note that this feature does not support logging into the virtual session using WebAuthn or FIDO2. This feature only allows using these authentication methods in applications within the virtual session.

This feature is not supported in double-hop scenarios.

Supportability matrix

Session host operating system Web application authentication UWP application authentication
Windows Server 2016 Supported via USB redirection Not supported
Windows Server 2019 Supported Not supported
Windows Server 2022 Supported Supported
Windows 10 Supported Supported
Windows 11 Supported Supported

For additional information, please review the requirements below.

Web application authentication

Requirements

The following are the requirements for using FIDO2 and WebAuthn authentication with web applications:

Citrix control plane

  • Citrix Virtual Apps and Desktops 2009 or later

Session host

  • Operating system
    • Windows 10 1809 or later
    • Windows Server 2019 or later
  • VDA
    • Windows: version 2009 or later

Client device

  • Operating system
    • Windows 10 1809 or later
    • Linux: Please refer to the Workspace app for Linux system requirements
  • Workspace app
    • Windows: version 2009.1 or later
    • Linux: 2303 or later

Web browser requirements

  • 64-bit browsers only

Authentication methods supported

  • FIDO2 Security Key
  • Windows Hello
    • TPM 2.0
    • Integrated biometrics
      • Facial recognition
      • Fingerprint scanner
    • WebAuthn

UWP application authentication

With the release of Citrix Virtual Apps and Desktops 2112, Citrix supports WebAuthn and FIDO2 authentication in UWP applications.

Applications such as Microsoft Teams, Microsoft Outlook for Office 365 and OneDrive use a UWP application for authentication as a link to Azure Active Directory. Citrix now supports using FIDO2 to authenticate those applications.

Requirements

The following are the requirements for using FIDO2 and WebAuthn authentication with UWP applications:

Citrix control plane

  • Citrix Virtual Apps and Desktops 2112 or later

Session host

  • Operating system
    • Windows 10 1809 or later
    • Windows Server 2022 or later
  • VDA
    • Windows: version 2112 or later

Client device

  • Operating system
    • Windows 10 1809 or later
    • Linux: Please refer to the Workspace app for Linux system requirements
  • Workspace app
    • Windows: version 2009.1 or later
    • Linux: 2303 or later

Authentication methods supported

  • FIDO2 Security Key
  • Windows Hello
    • TPM 2.0
    • Integrated biometrics
      • Facial recognition
      • Fingerprint scanner
    • WebAuthn

Note:

In scenarios where FIDO2 redirection is not available because the feature is not supported by the client or VDA or the operating system, USB based FIDO2 keys can be redirected using USB redirection. It is also possible to use USB redirection to redirect USB based FIDO2 keys in scenarios where FIDO2 redirection is available. In this case, you must disable FIDO2 redirection and configure the appropriate USB redirection rules. Please refer to the USB redirection device rules documentation for details on how to configure FIDO2 keys using USB redirection rules.

Advanced configuration for msedgewebview2.exe based applications

Note:

Editing the registry incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of the Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

For enterprises that have web applications based on msedgewebview2.exe, additional registry values need to be added on the VDA for FIDO2 redirection to work inside HDX sessions -

Append the full path of the msedgewebview2.exe in the AllowedProcesses registry value:

  • Key: HKLM\SOFTWARE\Citrix\WebAuthnAllowedProcesses
  • Value name: AllowedProcesses
  • Value type: REG_MULTISZ
  • Value data: <add full path of the msedgewebview2.exe here >

For 64-bit applications, the following values need to be set:

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_DLLs\CtxWebAuthnHook\msedgewebview2.exe

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_DLLs\CtxWebAuthnHook
  • Value name: FilePathName
  • Value type: REG_SZ
  • Value data: C:\Program Files\Citrix\HDX\bin\CtxWebAuthnHook.dll

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_DLLs\CtxWebAuthnHook
  • Value name: Flag
  • Value type: DWORD
  • Value data: 00000002

For 32-bit applications, the following values need to be set:

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\CtxHook\AppInit_DLLs\CtxWebAuthnHook\msedgewebview2.exe

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\CtxHook\AppInit_DLLs\CtxWebAuthnHook
  • Value name: FilePathName
  • Value type: REG_SZ
  • Value data: C:\Program Files\Citrix\HDX\bin\CtxWebAuthnHook.dll

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\CtxHook\AppInit_DLLs\CtxWebAuthnHook
  • Value name: Flag
  • Value type: DWORD
  • Value data: 00000002

Reboot the VDA after setting the registry values for FIDO2 redirection to be enabled for msedgewebview2.exe based applications.

FIDO2 and WebAuthn authentication