This article reviews the RDP error:
The remote server returned an error: (401) Unauthorized, in the OktaWidget.log
This error initially presents as a generic message in the UI when attempting to log in:
Multi Factor Authentication Failed
If unaware of how to access the OktaWidget.log file to troubleshoot errors, please refer to the parent article here: Troubleshooting Okta MFA Credential Provider RDP Errors
The full error usually appears as:
exception thrown is = System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at OktaWidget.JwtService.GetStateTokenUsingJwt(String username)
at OktaWidget.OktaWidgetForm..ctor(String username, Int64 parent, Int64 widgetFlow)
at OktaWidget.OktaWidgetClass.displayWidget(Int64 parent, String username, Int64 flow)
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Okta MFA Credential Provider
- Remote Desktop Protocol
The HTTP 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource.
There are many known reasons for this error message occurring in the OktaWidget.log, including:
- Bad username/password provided;
- Any config option typed incorrectly (Client ID, Client Secret, or Okta URL);
- Trailing slash included in the URL during the install;
- The user is not authorized to RDP to the server;
- Duplicate users;
- Time/Date skewed.
Bad username/password provided
Ensure the username and the password entered are 100% accurate.
Any config option typed incorrectly during the install
Client ID, Client Secret, or Okta URL
The values for each of the parameters can be found as follows:
- From the Okta Admin console, Navigate to Applications > Applications > Select the Microsoft RDP (MFA) app
- CLIENT_ID: Find this value on the General tab of the Microsoft RDP (MFA) application in Okta. This value can also be manually edited in the RDP agent config file.
- See the article: How To Locate and Modify The Okta MFA Credential Provider for Windows Agent Configuration File for details on locating the config file and what the parameters mean.
- CLIENT_SECRET: Find this value on the General tab of the Microsoft RDP (MFA) application in Okta. If the client secret is reset, one must reinstall the agent because the secret is encrypted in the agent config file. One can also manually edit this value in the RDP agent config file.
- See the article: How To Locate and Modify The Okta MFA Credential Provider for Windows Agent Configuration File for details on locating the config file and what the parameters mean.
- OKTA_URL: Org URL. Must use the format https://org_name.okta.com, with no trailing slash, when entered during the installation. For example:
- https://oktalab.okta.com/ < Incorrect
- https://oktalab.okta.com < Correct
- See the article: How To Locate and Modify The Okta MFA Credential Provider for Windows Agent Configuration File for details on locating the config file to modify this parameter
Note! When copying the Client ID or Secret from a Mac or Linux machine into a Windows RDP/console session, copy+paste sometimes alters the characters or their encoding, so the value Windows receives is not the value that was copied. For this reason, it may be best to open the Okta Admin console from the Windows server itself and copy and paste from within that session directly. Alternatively, copy+paste into the Windows Notepad app first and then copy+paste from Notepad into the installer or config file.
User is not authorized to RDP to server
Verify that Allow remote connections to this computer and Allow connections only from computers running Remote Desktop with Network Level Authentication are enabled as shown in the System Properties dialog:
Ensure the User, or a Group the user is in, is assigned in the Remote Desktop Users found under the Select Users button.
Also, be sure the user is assigned to the app in Okta.
Duplicate users
This can happen when the same user from multiple domains configured with the same username is imported into Okta. To check, search the user name from the Okta Admin Console under Directory > People.
If there is more than one entry for the same username, this is unsupported. Examine the two and remove the duplicate.
Time/Date skewed
The Windows Server system time must be accurate. Ensure NTP is configured and in sync, or manually correct the system time.
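The following PowerShell script is an added example, not Okta's code, that turns the configuration checks above (Okta URL format and trailing slash, characters corrupted by copy+paste into the Client ID or Secret, and clock skew) into something you can run on the RDP server before reinstalling the agent. The function names and the sample values are constructed for this example.

```powershell
# Added example, not Okta's code: sanity-check the installer values for the
# Okta MFA Credential Provider, then measure clock skew against the org.
function Test-OktaUrlFormat {
    param([Parameter(Mandatory)][string]$OktaUrl)
    $problems = @()
    if ($OktaUrl -notmatch '^https://') { $problems += 'OKTA_URL must start with https://' }
    if ($OktaUrl.EndsWith('/'))        { $problems += 'OKTA_URL has a trailing slash; remove it' }
    # Anything after the host (a path, query or fragment) is not an org URL either.
    $uri = $null
    if ([Uri]::TryCreate($OktaUrl, [UriKind]::Absolute, [ref]$uri) -and $uri.PathAndQuery -ne '/') {
        $problems += "OKTA_URL must be the org host only, not '$($uri.PathAndQuery)'"
    }
    return $problems
}

function Test-CopiedValue {
    # Flags characters that can survive a Mac/Linux -> Windows copy+paste but never
    # belong in a Client ID / Client Secret (whitespace, non-ASCII, smart quotes).
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Value)
    $problems = @()
    if ($Value -ne $Value.Trim()) { $problems += "$Name has leading/trailing whitespace" }
    $bad = @([regex]::Matches($Value, '[^\x21-\x7E]') |
             ForEach-Object { 'U+{0:X4}' -f [int][char]$_.Value })
    if ($bad.Count -gt 0) { $problems += "$Name contains unexpected characters: $($bad -join ', ')" }
    return $problems
}

function Get-ClockSkewSeconds {
    # Compares the local clock with the HTTP Date header the org returns (needs network).
    param([Parameter(Mandatory)][string]$OktaUrl)
    $resp = Invoke-WebRequest -Uri $OktaUrl -Method Head -UseBasicParsing
    $dateHeader = [string]($resp.Headers['Date'] | Select-Object -First 1)
    $serverTime = [DateTimeOffset]::Parse($dateHeader, [Globalization.CultureInfo]::InvariantCulture)
    return [math]::Abs(([DateTimeOffset]::UtcNow - $serverTime).TotalSeconds)
}

# Constructed sample values: a trailing-slash URL and a secret carrying a
# non-breaking space (U+00A0) picked up during copy+paste.
$findings  = @(Test-OktaUrlFormat -OktaUrl 'https://oktalab.okta.com/')
$findings += @(Test-CopiedValue -Name 'CLIENT_SECRET' -Value ('abc123' + [char]0x00A0 + 'xyz'))
$findings | ForEach-Object { Write-Warning $_ }
```

Run `Get-ClockSkewSeconds -OktaUrl 'https://org_name.okta.com'` separately once the URL checks pass; a skew of more than a few minutes points at the time/date cause listed above.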
