Can Windows Credential Provider Be Used for Local Accounts on a Windows Server
Okta Classic Engine
Multi-Factor Authentication
Okta Identity Engine
Overview

This article clarifies whether the Windows Credential Provider framework can be implemented for local account authentication on Windows Server.

Applies To
  • Okta Windows Credential Provider
  • Multi-Factor Authentication (MFA)
Solution

Whether or not the Windows Server is joined to a domain, it can still be connected to the Okta account or a local account on the server.

  1. Install and configure the Windows credential provider as documented here.

  2. For non-domain-joined servers:

    1. Assign the Okta account to the RDP MFA application in Okta. Applications > Microsoft RDP (MFA) > Assignments > Assign > People.


    2. Define the application username as the local user username.




  3. For domain-joined machines:

    1. Assign the Okta account to the RDP MFA application in Okta. Applications > Microsoft RDP (MFA) > Assignments > Assign > People.

    2. Define the application username as HOSTNAME\username.

Example:

  • Server hostname = Server01
  • Local user = Administrator

RADIUS Application username:

  • Non-domain-joined = Administrator
  • Domain-joined = SERVER01\Administrator


NOTE: If the Application username format is set to Okta username prefix, do not use the HOSTNAME\ prefix for the username; instead, use the username itself. If the HOSTNAME\ prefix is added, a Multi-Factor Authentication Failed error message is sent.
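
To work out the value to enter for each local account, the following added example (not part of the original article or of Okta's tooling) checks on the server whether it is domain-joined and prints the application username each enabled local user needs under the rules above. The function name `Get-RdpMfaAppUsername` and the `-OktaUsernamePrefixFormat` switch are hypothetical names chosen for this example.

```powershell
# Added example: maps enabled local accounts to the application username
# expected in the Microsoft RDP (MFA) app, following this article's rules.
# Function and parameter names are hypothetical, not an Okta interface.
function Get-RdpMfaAppUsername {
    [CmdletBinding()]
    param(
        # Set this when the app's Application username format is
        # "Okta username prefix" (see the NOTE above): no HOSTNAME\ prefix.
        [switch]$OktaUsernamePrefixFormat
    )

    # PartOfDomain is $true when the server is joined to a domain.
    $domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
    $hostname     = $env:COMPUTERNAME

    Get-LocalUser | Where-Object Enabled | ForEach-Object {
        if ($domainJoined -and -not $OktaUsernamePrefixFormat) {
            # Domain-joined machine: HOSTNAME\username
            $appUser = '{0}\{1}' -f $hostname, $_.Name
        }
        else {
            # Non-domain-joined, or Okta username prefix format: bare username
            $appUser = $_.Name
        }

        [pscustomobject]@{
            Hostname            = $hostname
            DomainJoined        = $domainJoined
            LocalUser           = $_.Name
            ApplicationUsername = $appUser
        }
    }
}

# Default application username format
Get-RdpMfaAppUsername | Format-Table -AutoSize

# Application username format set to Okta username prefix
Get-RdpMfaAppUsername -OktaUsernamePrefixFormat | Format-Table -AutoSize
```

Run it in an elevated Windows PowerShell 5.1 session on the target server; the `ApplicationUsername` column is the value to enter in the user's assignment.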

