This article details the technical journey of building the first non-Windows RDP client to support WebAuthn redirection within the Prisma Browser. The development team encountered significant hurdles, including incomplete protocol specifications for [MS-RDPEWA] and limitations in standard browser APIs that prevented passing raw hashes, a requirement for compatibility with older Windows servers that do not send full JSON data.
To overcome these challenges, the team utilized AI-assisted reverse engineering on Microsoft's mstsc.exe and webauthn.dll. They discovered a private, undocumented DVC plugin path that handles raw hash requests differently than the public API. The final solution involved creating a custom Chromium extension API and a TypeScript protocol layer, enabling full FIDO2 support across various platforms and server versions, predating similar support in other open-source clients.