RDP Error "The remote server returned an error: (404) Not Found"
Okta Classic Engine
Multi-Factor Authentication
Okta Identity Engine
Overview

The Remote Desktop Protocol (RDP) error initially presents as the following generic message in the user interface when attempting to log in:

 

Multi-Factor Authentication Failed


In the OktaWidget.log, it appears as:


The remote server returned an error: (404) Not Found

 

Error Message

If unaware of how to access the OktaWidget.log file to troubleshoot errors, please refer to the parent article here:


The full error usually appears as:


exception thrown is = System.Net.WebException: The remote server returned an error: (404) Not Found.<CR><LF> at System.Net.HttpWebRequest.GetResponse()<CR><LF> at OktaWidget.JwtService.GetStateTokenUsingJwt(String username)<CR><LF> at OktaWidget.OktaWidgetForm..ctor(String username, Int64 parent, Int64 widgetFlow)<CR><LF> at OktaWidget.OktaWidgetClass.displayWidget(Int64 parent, String username, Int64 flow)
InvalidOperationException thrown System.Net.WebException: The remote server returned an error: (404) Not Found. at System.Net.HttpWebRequest.GetResponse()at OktaWidget.JwtService.GetStateTokenUsingJwt(String username)at OktaWidget.OktaWidgetForm..ctor(String username, Int64 parent, Boolean doMfaChallenge)at OktaWidget.OktaWidgetClass.displayWidget(Int64 parent, String username)


Applies To
  • Okta MFA Credential Provider
  • Remote Desktop Protocol (RDP)
Cause

At a high level, the HTTP status code 404 (Not Found) indicates that the origin server did not find a current representation for the target resource or is unwilling to disclose that one exists.

There are a couple of known reasons for this error message occurring in the OktaWidget.log, including:

  • The username format is incorrect (Most Common).
  • Connection Issues from the Server back to Okta.
Solution

The username format is incorrect

As referenced in Assign users/groups to the Microsoft RDP (MFA) app, when the End User signs in, the application user format must match exactly.

Best practice: Okta recommends using the username prefix, which is similar to how Windows uses the SAMAccountName for login.

SAMAccountName syntax: DOMAIN\USERNAME
userPrincipalName (UPN) syntax: USERNAME@DOMAIN


To modify the Username format, please follow these steps: 

  1. Log in to the Okta Admin console.
  2. Navigate to Applications > Applications.
  3. Select the Microsoft RDP (MFA) app.
    • Choose the Sign On Tab, and click the Edit Button to the right of the settings.
    • Change the username to the correct format, then choose Save and Update Now.

For Reference, these are the available options for username formats:
options for username format 

  4. Ensure the correct Username Format is selected. Mismatched settings are the most common cause of a 404 response to logins in the OktaWidget.log.

NOTE: If the username format is modified, all users need to be removed from assignments and then added again to the app.


Connection Issues from the Server back to Okta

A good place to start is verifying, from a browser on the server, that the tenant is reachable and can be logged in to. If there are errors or the page does not load, this must be resolved for successful integration. Ensure that traffic from the server is allowed to route out to Okta and that return traffic is received. Communication takes place on port 443 to various IP addresses.

Please review the manual chapter on Allowing access to Okta IP addresses for more details on IPs and Domain Names to potentially allow.
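
Both causes above can be triaged from the RDP server with a short PowerShell script. This is an added example, not Okta's code: $LogPath, $OrgHost and $LoginName are placeholders to supply, and the name classifier only knows the two syntaxes shown above plus a bare username.

```powershell
# Added example (not Okta's code). $LogPath, $OrgHost and $LoginName are placeholders.
param(
    [Parameter(Mandatory)] [string] $LogPath,    # full path to OktaWidget.log
    [Parameter(Mandatory)] [string] $OrgHost,    # Okta tenant host name (placeholder, e.g. example.okta.com)
    [Parameter(Mandatory)] [string] $LoginName   # name exactly as typed at the RDP prompt
)

# Cause 1: classify the typed name so it can be compared with the
# username format selected on the app's Sign On tab.
function Get-LoginNameFormat([string] $Name) {
    switch -Regex ($Name) {
        '^[^\\@]+\\[^\\@]+$' { return 'SAMAccountName (DOMAIN\USERNAME)' }
        '^[^\\@]+@[^\\@]+$'  { return 'userPrincipalName (USERNAME@DOMAIN)' }
        '^[^\\@]+$'          { return 'bare username (no domain part)' }
        default              { return 'unrecognised format' }
    }
}

# How often the 404 from this article appears in the log, and where it last occurred.
$needle = 'The remote server returned an error: (404) Not Found'
$hits   = @(Select-String -LiteralPath $LogPath -Pattern $needle -SimpleMatch)
$last   = $null; if ($hits.Count -gt 0) { $last = $hits[-1].LineNumber }

# Cause 2: name resolution, TCP 443, and a full HTTPS request to the tenant.
$dnsOk = [bool](Resolve-DnsName -Name $OrgHost -ErrorAction SilentlyContinue)
$tcpOk = (Test-NetConnection -ComputerName $OrgHost -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
try   { $http = [int](Invoke-WebRequest -Uri "https://$OrgHost/" -UseBasicParsing -TimeoutSec 15).StatusCode }
catch { $http = "failed: $($_.Exception.Message)" }

[pscustomobject]@{
    LoginNameFormat = Get-LoginNameFormat $LoginName
    Log404Count     = $hits.Count
    LastLog404Line  = $last
    DnsResolves     = $dnsOk
    Tcp443Open      = $tcpOk
    HttpsResult     = $http
}
```

Run it on the RDP server itself, since outbound filtering and proxy settings are specific to that host.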

