This article addresses the following error encountered when enrolling a device in Device Trust within Okta Classic Engine:
Exception running the Device Trust client for user <UserName>\test : System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.WebClient.UploadDataInternal(Uri address, String method, Byte[] data, WebRequest& request)
at System.Net.WebClient.UploadString(Uri address, String method, String data)
at System.Net.WebClient.UploadString(String address, String data)
at OktaDeviceTrustClient.OktaDeviceTrustCertificateManager.RequestAndInstallCertificate(String userToken, Boolean skipTpm)
at OktaDeviceTrustClient.OktaDeviceTrustClient.ExecuteUserTasks(Boolean forceRenewal, Boolean skipTpm)
at OktaDeviceTrustClient.Program.<>c__DisplayClass8_0.<Main>b__0()
Applies to:
- Device Trust
- Devices and Mobile Apps
- Okta Classic Engine
Okta is rejecting the token with a 401 Unauthorized error. A couple of reasons the token might be rejected are:
- The server’s clock is not synchronized. If the clock is behind, the issued token might already be expired; if the clock is ahead, the token might not yet be valid.
- A custom domain is in use.
Ensure that the device has the correct time and the time is set to automatic.
- Set device time to automatic.
- Clear the cache and cookies in the browser.
- Close the browser.
During the installation of the Okta Device Registration Task, the custom domain must be provided. If the standard domain name is provided instead of the custom domain, the IWA server will issue a token with the audience set as the custom domain, and the Okta Device Registration Task will try to use that token to contact Okta on the standard domain. Okta will then reject the token because the audience is incorrect.
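The following is an added example, not Okta's code, that classifies a rejected token by the two causes described above. It assumes the token is JWT-style with `aud`, `iat`/`nbf` and `exp` claims, which the article does not state; the hostnames, timestamps, `leeway` parameter and function names are constructed for illustration.

```python
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token (header.payload.signature)."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.sig"

def decode_claims(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature (diagnosis only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def rejection_reasons(claims: dict, configured_org_url: str, now: int, leeway: int = 0) -> list:
    """Return why a verifier at `configured_org_url` would refuse these claims at time `now`."""
    reasons = []
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    normalized = [str(a).rstrip("/").lower() for a in audiences if a]
    # Audience check: the domain given at install time must match the token's audience.
    if configured_org_url.rstrip("/").lower() not in normalized:
        reasons.append("audience_mismatch")
    # Issuer clock behind: exp is already in the past from the verifier's point of view.
    if "exp" in claims and now > claims["exp"] + leeway:
        reasons.append("expired")
    # Issuer clock ahead: the validity window has not started yet.
    start = claims.get("nbf", claims.get("iat"))
    if start is not None and now < start - leeway:
        reasons.append("not_yet_valid")
    return reasons

# Constructed sample values (assumptions, not taken from the article).
CUSTOM_DOMAIN = "https://login.example.com"
STANDARD_DOMAIN = "https://example.okta.com"
ISSUED = 1_700_000_000
SAMPLE_TOKEN = make_token({"aud": CUSTOM_DOMAIN, "iat": ISSUED, "exp": ISSUED + 300})

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    print("task installed with standard domain:", rejection_reasons(claims, STANDARD_DOMAIN, ISSUED + 10))
    print("task installed with custom domain:  ", rejection_reasons(claims, CUSTOM_DOMAIN, ISSUED + 10))
    print("issuer clock 10 minutes behind:     ", rejection_reasons(claims, CUSTOM_DOMAIN, ISSUED + 600))
    print("issuer clock 2 minutes ahead:       ", rejection_reasons(claims, CUSTOM_DOMAIN, ISSUED - 120))
```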
