Can server 2019 use Yubi keys without Active Directory?

Warpt

Seniorius Lurkius
26
Brief summary: Stand alone Server 2019, only purpose is to host one app, with all clients using Remote Desktop, RDP is configured to run that one app only.
There are 20+ users on the local network and more in remote locations. Hoping to get all users a shiny new Yubi key.
In an effort to keep this as simple as possible, we've avoided Active Directory and all Cloud resources.
So my speed reading implies Active Directory with local Certificate Authority.
All thoughts, opinions and suggestions are welcome. There is suitable budget within reason.
Trying to stick with the KISS rule. (Keep It Stupid Simple)
 

Andrewcw

Ars Legatus Legionis
18,129
Subscriptor
How are 20+ people able to RDP into a server without kicking each other off constantly? Sounds like a nightmare. Let alone without Active Directory. I mean Active Directory isn't that bad until you need to do any complex hierarchy or user control.

So the short answer is: don't buy users a shiny new Yubi key. It would serve absolutely no purpose other than screw you over when the users forget their password from using the Key and somehow losing it one day. Considering you're using Workstation user access lists from what it sounds like.
 

DrWebster

Ars Praefectus
3,770
Subscriptor++
How are 20+ people able to RDP into a server without kicking each other off constantly?
Remote Desktop Services/RemoteApp. And some MFA providers, like Duo, support throwing an MFA interstitial on the RDWeb login page, which would then fulfill the Yubikey requirement. But you bet I'd want to put AD behind it for account management.
 
Don't buy users a shiny new Yubi key. It would serve absolutely no purpose other than screw you over when the users forget their password from using the Key and somehow losing it one day. Considering you're using Workstation user access lists from what it sounds like.
you're behind

The trend is people don't have passwords and shouldn't be using them. My current job is trying to do away with them. Windows desktop is well along. For iOS enrollment you enter an OTP code generated from Azure. Then Authenticator integrates with Comp Portal to use the same session and it's more or less a passkey for your mobile device work account. Email authenticates to EXO without signing in.

When I was at a government agency six years ago we used zero passwords to get into servers. It was all smartcard based login. My account had to be changed to allow me to use one at all.
 

oikjn

Ars Scholae Palatinae
969
Subscriptor++
This all sounds like some crazy idea to avoid M$ licensing fees which just won't work. Also consider... I can't think of any shared application requiring RDS that wouldn't also require SQL. RDS requires AD and RDS CALs and there is no way around that legally. If you really don't want AD or Azure and don't want a local client install either, then make the application with a web front-end. Setting up AD requires some knowledge and hardware resources, but isn't complicated for those who know and really is the best solution. If you have lots of remote users who aren't behind an IPSec firewall connecting remotely, then Azure Entra ID could be a better, more modern solution... the main difference between the two is that on-prem has higher CAPEX spending and cloud shifts that to OPEX... my company definitely likes CAPEX more, so we are mostly on-site, but we are also 99% local too. Going out of your way not to have a central identity management system is almost always more trouble than it is worth unless you are some real unique fringe case. If AD really is that much of an issue, then I would be looking at how you can just install the application locally instead of using RDS (and yes, I get all the reasons why RDS can be beneficial, so I'm not saying that is the best way to go, but if you refuse AD, then RDS is not possible).