MFA for RDP Sessions -- Can this feature be used for only few servers in the domain ? Any known Issues so far ?
https://support.okta.com/help/answers?id=9062a000000dfhqqag&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Anil Ag

Hello,

I am trying to implement "Microsoft RDP (MFA) app / OKTA Windows Credential Provider Agent" in our domain and had the below questions on it.

I would really appreciate it if anyone can help me by answering these questions.

Our prod setup has around 10 remote servers, and 1 of these servers is the critical server (example: Server 1 - Server 9 = normal servers, Server 10 = critical server that needs MFA).
We want to use Microsoft RDP (MFA) app / OKTA Windows Credential Provider Agent to secure this 1 of 10 servers in the domain by requiring people to provide MFA during login.

Example: User "Pete" has access to all 10 servers in the same domain.
Use Case 1: Pete tries to log in to server 1 to server 9 -- NO MFA required.
Use Case 2: Pete Kumar tries to log in to server 10 -- Okta should prompt for MFA.

Note: All 10 servers are on the same domain.

Is this scenario possible via "Microsoft RDP (MFA) app / OKTA Windows Credential Provider Agent"?

Also, are there any known limitations / issues found so far with this app?

Please let me know.
Best Answer chosen by Anil Ag
Paul Auer (Okta, Inc.)
Thank you for contacting Okta Support.

Your scenario is achievable; the only thing that you have to do is to install the OKTA Windows Credential Provider Agent only on the critical server, the one that needs MFA. You can find the proper way to do so here: https://help.okta.com/en/prod/Content/Topics/Security/proc-mfa-win-creds-rdp.htm

Regarding known issues, there aren't any, and the only limitation that I have found would be that the Sign On policy that governs the RDP MFA is the RDP MFA app Sign On policy, not the tenant-level one.

Thank you,
Paul Auer
Technical Support Engineer | Okta

All Answers

Anil Ag
Thank you Paul
Dylann Fezeu (Customer First Programs)
Hello,

Thanks for posting your inquiry in the Okta Community Portal.

If you receive a great answer to your question(s), please help readers find it by marking it the best answer. Hover over the answer and click "Best Answer."

Thank you,

Dylann Fezeu
Okta Help Center Team
Anil Ag
Hello,

After working on implementing this feature, I found the below.
Hope this helps the community to know about these points in advance if they are planning to implement this feature.


1) MFA for RDP app works perfectly when the policies are configured right.
2) The app username in Okta should exactly match the Windows login username, else the system won't allow the login.
  Example:
If the app username is "user1@domain.com" and you are trying to log in to Windows with "user1", the login won't be successful, so it has to be configured accordingly.

3) There is no backup mode for this setup; you would lose access to the machine if any of the below happens:

  a) The client deployed on the virtual machine gets corrupted.
  b) The configured Okta environment is not accessible from the client.
  c) Someone accidentally deletes the MFA app in Okta.

etc.

In all the above cases we would lose access to the machine permanently and would have to format the machine to get hold of it.

4) "Okta Windows Credential Provider" can be uninstalled from the machine by any Windows administrator; no specific admin can be designated for this app. (It would be nice to have this control like it works for antivirus apps etc., where only the app admin can uninstall, not the Windows admin.)

5) There is no way to know the agent health from the Okta console.

6) The agent has to be manually installed/configured on all the machines, or some external tool has to be used if you have too many machines and want to automate it.

Hope that helps.

Regards,
Anil Ag
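Points 2, 3(b) and 5 above describe operational checks that the Okta console does not perform for you: whether the username forms line up, whether the org is reachable from the protected server, and whether the credential provider is still present. The following PowerShell pre-flight script is an added example written for this thread, not code from Okta or from the original poster. The org URL, the Add/Remove Programs display-name pattern and the registry search are assumptions (labelled in the code); the documented product values should be substituted from the Okta help article linked in the accepted answer.

```powershell
# Added example (not from the original thread): pre-flight / health check for a server
# that is protected by the Okta Windows Credential Provider for RDP MFA.
# Values marked ASSUMPTION are placeholders, not documented product settings.
param(
    # ASSUMPTION: your Okta org URL; replace with the real tenant hostname.
    [string]$OktaOrgUrl = "https://example.okta.com",
    # ASSUMPTION: substring expected in the agent's Add/Remove Programs display name.
    [string]$AgentDisplayNamePattern = "*Okta*Credential Provider*"
)

function Test-OktaRdpAgentInstalled {
    # Looks for the agent in the standard uninstall registry keys (64-bit and 32-bit views).
    # ASSUMPTION: the agent registers an uninstall entry whose DisplayName matches $Pattern.
    param([string]$Pattern)
    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
    )
    $hits = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $Pattern }
    return [bool]$hits
}

function Test-OktaOrgReachable {
    # Point 3(b): the credential provider has no offline mode, so the org must be reachable
    # on TCP 443 from this machine. Test-NetConnection is built in on Server 2012 R2 and later.
    param([string]$Url)
    $uri = [Uri]$Url
    $result = Test-NetConnection -ComputerName $uri.Host -Port 443 -WarningAction SilentlyContinue
    return $result.TcpTestSucceeded
}

function Get-LogonNameForms {
    # Point 2: returns both forms a Windows logon name can take so the admin can confirm
    # that the Okta app username matches the form actually typed at the RDP prompt.
    $upn = & whoami /upn 2>$null
    $upnKnown = ($LASTEXITCODE -eq 0)
    return [pscustomobject]@{
        DownLevel = "$env:USERDOMAIN\$env:USERNAME"
        Upn       = if ($upnKnown) { $upn } else { "(no UPN: local or non-domain account)" }
    }
}

# Report section: one line per finding, nonzero exit code if any check fails,
# so the script can be run from a scheduler and alert on the result.
$failures = 0

$installed = Test-OktaRdpAgentInstalled -Pattern $AgentDisplayNamePattern
Write-Output ("Agent present (pattern '{0}'): {1}" -f $AgentDisplayNamePattern, $installed)
if (-not $installed) { $failures++ }

$reachable = Test-OktaOrgReachable -Url $OktaOrgUrl
Write-Output ("Okta org reachable on 443 ({0}): {1}" -f $OktaOrgUrl, $reachable)
if (-not $reachable) { $failures++ }

$names = Get-LogonNameForms
Write-Output ("Current logon, down-level form: {0}" -f $names.DownLevel)
Write-Output ("Current logon, UPN form:        {0}" -f $names.Upn)
Write-Output "Confirm the Okta app username equals the form users type at the RDP prompt."

exit $failures
```

Run it under an account that can read HKLM and reach the network, for example from a scheduled task on the critical server, and alert when the exit code is nonzero. The script only detects the conditions described in the thread; the permanent loss-of-access case (agent corrupted, org unreachable, app deleted) is mitigated by keeping an out-of-band console path to the server, such as hypervisor or cloud serial console access, which the credential provider does not cover.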