This article details an errant behavior condition when signing into a Remote Desktop Protocol (RDP) server session with Okta Multi-factor Authentication (MFA) Credential Provider for Windows configured. The Okta Sign-In Widget window for the login and MFA prompt shows as blank, and no further action can be taken.

 

The OktaWidget.log file shows the following System.Net.WebException RDP error, similar to:
 

exception thrown is = System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 44.234.52.10:443 at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress) at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)


If unaware of how to access the OktaWidget.log file to troubleshoot errors, please see the parent article for Troubleshooting Okta MFA Credential Provider RDP Errors.

• Okta MFA Credential Provider for Windows
• Microsoft Windows Server OS
• Network Environment

1. CRL/OCSP request is failing or blocked:

• Most likely, the Okta Tenant will fail to fully load in a browser if that is the case.
• Verify / correct resources (CRL, domains) allow-listed from Okta's help page.
• In addition to ensuring that the FQDNs for the Digicert certificate revocation endpoints are allowed (above), ensure that none of the Digicert IP addresses are specifically blocked on TCP port 80:
  • DigiCert has a list of the IP addresses here: DigiCert Certificate Status IP Addresses.
• Ensure to enable OCSP Stapling on the Server.
• Check the Windows server connection to the OCSP server. Open a browser and go to http://ocsp.digicert.com/ping.html. The message “You have successfully reached the DigiCert OCSP Service” should be received, or a file will be downloaded (containing a single zero '0' character). The important point is that the connection should be successful, not just show the browser tab trying to connect and failing/hanging.
• Run a command and type in: nslookup ocsp.digicert.com.
  • An IP Address will be seen. Please ensure that this IP is not blocked from the network. 

2. https:// not used when configuring the Okta Credential Provider application initially.

• Reinstall the agent, and make sure that ‘https://’ is used for the URL (not "http://"" or "www." or just "<tenant>.okta.com")

3. A bad NAT rule on the firewall.

• Review the rules on the firewall, and once the faulty one is found, disable it.

5. Check to see if the PKCS key exchange algorithm is disabled:
   • Using the registry, it would be a PKCS key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms with a dword Enabled set to 0. 

Related References

• Troubleshooting Okta MFA Credential Provider RDP Errors
• Okta MFA Credential Provider for Windows