This article addresses the case where the user's Okta Device Trust Certificate is not being generated on Windows. When this happens, the Okta System Log shows:
Authentication of device via certificate failure: NO_CERTIFICATE
- Device Trust
- Okta Classic Engine
- Multi-Factor Authentication (MFA)
- Devices
The Windows Event Viewer logs can help diagnose the situation. In the case of the Okta Device Trust Certificate, an error such as the one below can be seen.
Exception running the Device Trust client for user MMC\[UserProfile] : System.DirectoryServices.AccountManagement.PrincipalServerDownExceptions: The server could not be contacted. --->
System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
This can be caused by the Okta Device Registration Task not being up to date or by the old certificate still being present. If a certificate is present, the registration task will not generate a new one.
- Remove the old certificate.
- Download and install the latest version of the Okta Device Registration Task installer.
- Run the command:
OktaDeviceReg.exe --user
- Refresh MMC (Certificate Store).
- The new certificate should now appear in the certificate store (MMC).
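The remove, re-register and verify steps above can be scripted so the result is checked by thumbprint rather than by eye. This is an added example, not Okta's own tooling; the issuer wildcard, the path to OktaDeviceReg.exe and the use of the current-user Personal store are assumptions the operator must supply or confirm.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: wildcard matching the Issuer of the Device Trust certificate,
    # copied from the old certificate as shown in MMC.
    [Parameter(Mandatory)] [string] $IssuerPattern,
    # Assumption: full path to OktaDeviceReg.exe on this machine.
    [Parameter(Mandatory)] [string] $RegTaskPath,
    # Assumption: --user enrolls into the current user's Personal store.
    [string] $StorePath = 'Cert:\CurrentUser\My'
)

function Get-DeviceTrustCert {
    # List certificates in the store whose issuer matches the supplied pattern.
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Issuer -like $IssuerPattern } |
        Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter, PSPath
}

# Step 1: record and remove the old certificate(s).
$old = @(Get-DeviceTrustCert)
Write-Host "Matching certificates before cleanup: $($old.Count)"
$old | Format-Table Thumbprint, Subject, NotAfter -AutoSize

foreach ($cert in $old) {
    if ($PSCmdlet.ShouldProcess($cert.Thumbprint, 'Remove certificate')) {
        Remove-Item -Path $cert.PSPath
    }
}

# Step 2: run the registration task (the command given in this article).
if ($PSCmdlet.ShouldProcess($RegTaskPath, 'Run with --user')) {
    & $RegTaskPath --user
    Write-Host "OktaDeviceReg.exe exit code: $LASTEXITCODE"
}

# Step 3: confirm that a certificate with a new thumbprint was issued.
$fresh = @(Get-DeviceTrustCert |
    Where-Object { $_.Thumbprint -notin $old.Thumbprint })

if ($fresh.Count -gt 0) {
    $fresh | Format-Table Thumbprint, Subject, NotBefore, NotAfter -AutoSize
} else {
    Write-Warning 'No new certificate found. Check Event Viewer for the Device Trust client exception.'
}
```

Run it with `-WhatIf` first to list the certificates that would be removed without changing the store or starting the registration task.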
