# Configuring WebAuthn Redirection
<a name="config-webauthn-redirect"></a>

Beginning with Amazon DCV Server 2023.1, users can authenticate on web applications that use the Web Authentication (WebAuthn) standard in supported browsers within remote sessions. This is done by redirecting the authentication prompts to locally connected authenticators, such as Windows Hello or YubiKey, or any other FIDO2 compliant authenticator.

WebAuthn redirection operates independently of USB redirection. There is no requirement to install any vendor-specific drivers on the Amazon DCV server. Redirection of WebAuthn requests is facilitated through the native API of the browser.

Before using WebAuthn, double check the [Supported Features](servers.md#features) table to make sure you meet all of the requirements.

**Topics**
+ [Configuring WebAuthn redirection on Windows hosts](webauth-windows.md)
+ [Configuring WebAuthn redirection on Linux hosts](webauth-linux.md)

# Configuring WebAuthn redirection on Windows hosts
<a name="webauth-windows"></a>

WebAuthn can be enabled or disabled using the `webauthn-redirection` permission. For more information, see [Working with permissions files](https://docs.aws.amazon.com/dcv/latest/adminguide/security-authorization-file-create.html).

## Configuring WebAuthn Redirection
<a name="config-webauth-windows"></a>

WebAuthn is enabled on DCV by default. You can enable or disable WebAuthn using the following registry key:

```
HKEY_USERS\S-1-5-18\Software\GSettings\com\nicesoftware\dcv\webauthn

Key: enabled
Value: 1 to enable, 0 to disable
```

Additionally, you can configure which apps and processes are allowed to redirect the WebAuthn prompt using the `process-compatibilitylist` key by adding string values.

Example key:

```
HKEY_USERS\S-1-5-18\Software\GSettings\com\nicesoftware\dcv\webauthn\process-compatibilitylist
```

Default Value (String):

```
['chrome.exe','msedge.exe','island.exe','firefox.exe','dcvwebauthnnativemsghost.exe','msedgewebview2.exe','Microsoft.AAD.BrokerPlugin.exe']
```

With the above default values, applications like Google Chrome (`chrome.exe`), Microsoft Edge (`msedge.exe`), Island Browser (`island.exe`), and Mozilla Firefox (`firefox.exe`) are supported for WebAuthn redirection. `dcvwebauthnnativemsghost.exe` is required for browser extension-based Standard WebAuthn, `msedgewebview2.exe` is required for embedded Microsoft Edge browsers, and `Microsoft.AAD.BrokerPlugin.exe` is required to enable WebAuthn on Microsoft Teams and Microsoft Office365 apps.

You can add executables to the process compatibility list to add support for more apps and processes.
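As an added example that is not from the DCV documentation, the following Python audit reads these two settings and reports any executable that goes beyond the shipped default list, so that an extended allowlist is reviewed rather than silently trusted. It assumes that `enabled` and `process-compatibilitylist` are stored as values under the `webauthn` key shown above and that the list uses the `['a.exe','b.exe']` format quoted above.

```python
import sys

# Registry path under HKEY_USERS, as documented above (S-1-5-18 is the SYSTEM account).
WEBAUTHN_KEY = r"S-1-5-18\Software\GSettings\com\nicesoftware\dcv\webauthn"

# The shipped default list quoted above; Windows file names are case-insensitive,
# so everything is compared in lower case.
DEFAULT_COMPAT_LIST = {name.lower() for name in (
    "chrome.exe", "msedge.exe", "island.exe", "firefox.exe",
    "dcvwebauthnnativemsghost.exe", "msedgewebview2.exe",
    "Microsoft.AAD.BrokerPlugin.exe")}

def parse_compat_list(raw):
    """Parse a GSettings-style list string such as ['chrome.exe','msedge.exe']."""
    inner = raw.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    return {item.strip().strip("'\"").lower() for item in inner.split(",") if item.strip()}

def audit(enabled, raw_list):
    """Build a report; None for either argument means the value is absent,
    in which case the documented default applies (enabled, default list)."""
    entries = DEFAULT_COMPAT_LIST if raw_list is None else parse_compat_list(raw_list)
    return {
        "enabled": True if enabled is None else str(enabled).lower() in ("1", "true"),
        "added": sorted(entries - DEFAULT_COMPAT_LIST),
        "removed": sorted(DEFAULT_COMPAT_LIST - entries),
    }

def read_registry():
    """Read both values from HKEY_USERS; returns (enabled, raw_list), None when absent.
    Assumes both parameters are plain values under the webauthn key (not subkeys)."""
    import winreg  # Windows only, so imported here rather than at module level
    def value(key, name):
        try:
            return winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            return None
    try:
        with winreg.OpenKey(winreg.HKEY_USERS, WEBAUTHN_KEY) as key:
            return value(key, "enabled"), value(key, "process-compatibilitylist")
    except FileNotFoundError:
        return None, None

if __name__ == "__main__":
    report = audit(*read_registry())
    print(report)
    # Non-zero exit lets a fleet check flag hosts whose allowlist was extended.
    sys.exit(1 if report["added"] else 0)
```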

There are two modes for WebAuthn on Windows hosts:

### Enhanced WebAuthn Redirection
<a name="enhanced-webauthn-redirection"></a>

Starting with DCV 2025.0, you can use Enhanced WebAuthn on Windows DCV servers. Enhanced WebAuthn eliminates the need for a browser extension, simplifying the initial setup and improving performance. It also introduces support for WebAuthn on native Windows applications, allowing users to use WebAuthn authentication in both web browsers and Windows desktop applications.

**Note**  
For upgrading from Standard WebAuthn to Enhanced WebAuthn, users will need to disable or uninstall the browser extension previously installed for Standard WebAuthn.

**Note**  
Windows Server 2016 does not support system level WebAuthn. To use WebAuthn redirection on Windows Server 2016, you must use Standard WebAuthn.

**Using Enhanced WebAuthn**

Once enabled, Enhanced WebAuthn works seamlessly without any additional configuration on your part. You can use your WebAuthn devices for authentication in:
+ Web browsers (Chrome, Edge)
+ Native Windows applications that support WebAuthn
+ Windows system dialogs requiring WebAuthn authentication

### Standard WebAuthn Redirection
<a name="standard-webauthn-redirect"></a>

Starting with DCV 2023.1, you can use Standard WebAuthn on Windows DCV servers. Standard WebAuthn redirection requires a browser extension to be installed on the remote server. When the feature is enabled and the browser extension is installed, any WebAuthn requests initiated by the web applications running in the browser within the session are seamlessly directed to the local client. Users can then use devices like Windows Hello or YubiKey to finalize the authentication.

Supported browsers:
+ Google Chrome 116 or later
+ Microsoft Edge 116 or later

#### Setting up the WebAuthn redirection browser extension
<a name="setting-up-standard-webauthn-redirect"></a>

Follow these procedures to set up Standard WebAuthn redirection.

##### Automatic Prompt on First Browser Launch
<a name="auto-prompt"></a>

After installing the Amazon DCV Server 2023.1 with WebAuthn redirection enabled, users will be prompted to enable the browser extension when they first launch their browser. If they choose not to install the extension or uninstall it later, WebAuthn redirection will not work. An administrator can enforce installation using the Group Policy.

##### Installing Using the Group Policy
<a name="w2aac16c61c11b5c25b9b7"></a>

For organizations looking to deploy the extension on a broader scale, you can utilize the Group Policy.

**Using Microsoft Edge:**

1. Download and install the [Microsoft Edge administrative template](https://learn.microsoft.com/en-us/deployedge/configure-microsoft-edge#1-download-and-install-the-microsoft-edge-administrative-template).

1. Launch the Group Policy Management tool (gpmc.msc).

1. Navigate through: Forest > Domains > Your FQDN (e.g., example.com) > Group Policy Objects.

1. Select desired policy or create a new one then right-click on it and select "Edit".

1. Follow this path: Computer Configuration > Administrative Templates > Microsoft Edge > Extensions.

1. Access "Configure extension management settings", set it to "Enabled".

1. In the field for Configure extension management settings, enter the following: 

   ```
   {"ihejeaahjpbegmaaegiikmlphghlfmeh":{"installation_mode":"force_installed","update_url":"https://edge.microsoft.com/extensionwebstorebase/v1/crx"}}
   ```

1. Save the changes and reboot the server.

**Using Google Chrome:**

1. Obtain and implement the [Google Chrome administrative template](https://chromeenterprise.google/browser/download/#manage-policies-tab).

1. Similar to the steps for Microsoft Edge, navigate through the Group Policy Management tool.

1. Proceed to: Computer Configuration > Administrative Templates > Google Chrome > Extensions.

1. Access "Configure extension management settings", set it to "Enabled".

1. In the field for Configure extension management settings, enter the following: 

   ```
   {"mmiioagbgnbojdbcjoddlefhmcocfpmn":{ "installation_mode":"force_installed","update_url":"https://clients2.google.com/service/update2/crx"}}
   ```

1. Save the changes and reboot the server.

##### Installing Manually
<a name="manual-install"></a>

Extensions can be sourced from the respective browser stores:
+ [Microsoft Edge Add-ons](https://microsoftedge.microsoft.com/addons/detail/dcv-webauthn-redirection-/ihejeaahjpbegmaaegiikmlphghlfmeh)
+ [Chrome Web Store](https://chrome.google.com/webstore/detail/dcv-webauthn-redirection/mmiioagbgnbojdbcjoddlefhmcocfpmn)

For manual installation:

1. Connect to your Amazon DCV session.

1. Open your preferred browser, and navigate to the relevant browser store (links above).

1. Proceed by selecting "Get" (Microsoft Edge) or "Add to Chrome" (Google Chrome).

1. Follow the on-screen instructions. A confirmation will appear once the extension is successfully added.

##### Using WebAuthn redirection in Incognito mode (Chrome only)
<a name="using-webauth-incognito"></a>

When using Incognito mode, the Amazon DCV WebAuthn Redirection Extension needs to be specifically allowed to run within it, otherwise WebAuthn Redirection will not occur. To do this:

1. Open the extension settings.

1. Find **Allow in Incognito** in the details.

1. Toggle the switch to **On**.

## WebAuthn Windows Troubleshooting
<a name="troubleshooting-webauth-windows"></a>

If you encounter any issues with WebAuthn or Enhanced WebAuthn:
+ Ensure your DCV server and client are up to date.
+ For Standard WebAuthn, verify that the browser extension is installed and enabled.
+ For Enhanced WebAuthn, confirm that it’s enabled in the permissions file.
+ Try restarting your browser or your DCV session.
+ If problems persist, contact AWS Support.

# Configuring WebAuthn redirection on Linux hosts
<a name="webauth-linux"></a>

DCV Linux servers currently support Standard WebAuthn. Standard WebAuthn requires a browser extension to facilitate the redirection of WebAuthn prompts onto the client. WebAuthn can be enabled or disabled using the `webauthn-redirection` permission. For more information, see [Working with permissions files](https://docs.aws.amazon.com/dcv/latest/adminguide/security-authorization-file-create.html).

**Prerequisites**
+ DCV server version 2025.0 or higher
+ DCV native clients for Windows, Linux and Mac
+ Root access (sudo) on the Linux server instance
+ Internet access to download browser extensions

## Configuring WebAuthn Redirection
<a name="configuring-webauth-linux"></a>

WebAuthn is enabled on DCV by default. You can enable or disable WebAuthn with the `enabled` parameter in the `[webauthn]` section of the DCV configuration file:

```
/etc/dcv/dcv.conf

[webauthn]
enabled=true
```

**Configuring WebAuthn for Linux**

1. Create a symbolic link to the native messaging host manifest file for each supported browser.

------
#### [ Google Chrome ]

   Use the following commands:

   ```
   sudo mkdir -p /etc/opt/chrome/native-messaging-hosts
   ```

   ```
   sudo ln -s -f /usr/share/dcv/webauthn/com.dcv.webauthnredirection.nativemessagehost.json /etc/opt/chrome/native-messaging-hosts/
   ```

------
#### [ Chromium ]

   Use the following commands:

   ```
   sudo mkdir -p /etc/chromium/native-messaging-hosts
   ```

   ```
   sudo ln -s -f /usr/share/dcv/webauthn/com.dcv.webauthnredirection.nativemessagehost.json /etc/chromium/native-messaging-hosts/
   ```

------
#### [ Microsoft Edge ]

   Use the following commands:

   ```
   sudo mkdir -p /etc/opt/edge/native-messaging-hosts
   ```

   ```
   sudo ln -s -f /usr/share/dcv/webauthn/com.dcv.webauthnredirection.nativemessagehost.json /etc/opt/edge/native-messaging-hosts/
   ```

------

1. Install the browser extension for WebAuthn redirection. This can be done manually or through enterprise policies.

------
#### [ Google Chrome ]

   Use the following commands:

   ```
   sudo mkdir -p /usr/share/google-chrome/extensions/
   echo '{"external_update_url": "https://clients2.google.com/service/update2/crx"}' | \
   sudo tee /usr/share/google-chrome/extensions/mmiioagbgnbojdbcjoddlefhmcocfpmn.json
   sudo chmod a+r /usr/share/google-chrome/extensions/mmiioagbgnbojdbcjoddlefhmcocfpmn.json
   ```

------
#### [ Chromium ]

   Use the following commands:

   ```
   sudo mkdir -p /usr/share/chromium/extensions/
   echo '{"external_update_url": "https://clients2.google.com/service/update2/crx"}' | \
   sudo tee /usr/share/chromium/extensions/mmiioagbgnbojdbcjoddlefhmcocfpmn.json
   sudo chmod a+r /usr/share/chromium/extensions/mmiioagbgnbojdbcjoddlefhmcocfpmn.json
   ```

------
#### [ Microsoft Edge ]

   Use the following commands:

   ```
   sudo mkdir -p /usr/share/microsoft-edge/extensions/
   echo '{"external_update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx"}' | \
   sudo tee /usr/share/microsoft-edge/extensions/ihejeaahjpbegmaaegiikmlphghlfmeh.json
   sudo chmod a+r /usr/share/microsoft-edge/extensions/ihejeaahjpbegmaaegiikmlphghlfmeh.json
   ```

------

1. Restart the browser.
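As an added example that is not part of the DCV documentation, the following Python check verifies what the three steps above leave on disk: the `[webauthn]` flag in `/etc/dcv/dcv.conf`, the native messaging host symlink for each browser, and the world-readable external extension file. The `root` argument is a prefix introduced here so the check can be run against a staging tree; it is not a DCV option.

```python
import configparser
import json
import os

# DCV's native messaging host manifest, as linked in step 1 (relative to the filesystem root).
MANIFEST = "usr/share/dcv/webauthn/com.dcv.webauthnredirection.nativemessagehost.json"
# Per browser: native messaging host dir, external extension dir, extension id,
# all taken from the steps above.
BROWSERS = {
    "chrome": ("etc/opt/chrome/native-messaging-hosts",
               "usr/share/google-chrome/extensions", "mmiioagbgnbojdbcjoddlefhmcocfpmn"),
    "chromium": ("etc/chromium/native-messaging-hosts",
                 "usr/share/chromium/extensions", "mmiioagbgnbojdbcjoddlefhmcocfpmn"),
    "edge": ("etc/opt/edge/native-messaging-hosts",
             "usr/share/microsoft-edge/extensions", "ihejeaahjpbegmaaegiikmlphghlfmeh"),
}

def webauthn_enabled(conf_text):
    """Return the [webauthn] enabled flag from dcv.conf text; absent means enabled."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp.getboolean("webauthn", "enabled", fallback=True)

def check_browser(name, root="/"):
    """Return the list of problems for one browser; an empty list means the setup is complete."""
    nmh_dir, ext_dir, ext_id = BROWSERS[name]
    problems = []
    manifest = os.path.join(root, MANIFEST)
    link = os.path.join(root, nmh_dir, os.path.basename(MANIFEST))
    if not os.path.isfile(manifest):
        problems.append("DCV manifest missing: " + manifest)
    if not os.path.islink(link):
        problems.append("native messaging host link missing: " + link)
    elif os.path.realpath(link) != os.path.realpath(manifest):
        problems.append("link points elsewhere: " + os.readlink(link))
    ext = os.path.join(root, ext_dir, ext_id + ".json")
    try:
        if not os.stat(ext).st_mode & 0o004:  # step 2 runs chmod a+r
            problems.append("extension file not world-readable: " + ext)
        with open(ext) as f:
            if "external_update_url" not in json.load(f):
                problems.append("external_update_url missing in " + ext)
    except (OSError, ValueError) as err:
        problems.append("extension file unusable: %s (%s)" % (ext, err))
    return problems

def audit(conf_path="/etc/dcv/dcv.conf", root="/"):
    with open(os.path.join(root, conf_path.lstrip("/"))) as f:
        enabled = webauthn_enabled(f.read())
    return {"enabled": enabled, "browsers": {n: check_browser(n, root) for n in BROWSERS}}
```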

WebAuthn is supported on Windows and Linux hosts, and on Windows, Mac and Linux clients, with the following browsers:
+ Google Chrome 116 or later
+ Microsoft Edge 116 or later

WebAuthn redirection can be enabled or disabled using the `webauthn-redirection` permission. For more information, see [Working with permissions files](security-authorization-file-create.md). 

WebAuthn redirection requires a browser extension to be installed on the remote server. When the feature is enabled and the browser extension is installed, any WebAuthn requests initiated by the web applications running in the browser within the session are seamlessly redirected to the local client. Users can then use devices like Windows Hello or YubiKey to finalize the authentication.

**Note**  
While this feature allows WebAuthn within a browser during a remote session, it does not support DCV session authentication using WebAuthn authenticators.