We are attempting to stand up a web application that should only be accessible from a dedicated RDS server, but which requires users to authenticate via hard tokens. This, of course, means that the user's token will need to be forwarded from their local machine to the RDS server so the server can use it to authenticate the user. We currently have the app set up to be accessed through an RDWeb session, which is configured to redirect just about everything to the remote server, including smart cards, but when we attempt to authenticate with a hard token it consistently fails with an error that says the following:
DOMException: The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client
The page linked in the error message admittedly goes a bit over my head, but the general gist appears to be that it would be a security risk to enable this type of functionality. Nonetheless, our research indicates that there are many use cases for multi-factor authentication over an RDP connection as well as a series of conflicting answers as to whether or not it's possible, many of which seem to be contingent on how many years ago the question was asked. Hopefully I can get some up-to-date clarity from those more in-the-know than I am.