This article provides a guide to troubleshooting the underlying issues that cause the following error message:
Multi Factor Authentication Failed
This is commonly, but not exclusively, presented after installing the Okta MFA Credential Provider for Windows and attempting to log in via RDP.
- Okta MFA Credential Provider for Windows
- Multi-Factor Authentication (MFA)
- Remote Desktop Protocol (RDP)
The error message Multi Factor Authentication Failed most often appears after the initial installation of the Okta MFA Credential Provider for Windows when attempting to test logging in via RDP. However, this error can happen at other times as well, depending on the situation or scenario.
The error is a generic failure message that can result from a number of different underlying issues. It does not always indicate a problem with MFA itself; it can also result from primary authentication failures, connection issues, or configuration conflicts and issues with the Okta RDP app or the RDS server. Errors may also occur because of missing prerequisites listed in the Prerequisites to Set MFA for Windows Credential Provider documentation.
In case of an emergency, Okta Admins can bypass the Okta Credential Provider by referencing the article Disable Credential Provider Using the Registry Editor.
To positively identify the specific cause of a log-in failure, Okta administrators will need access to the server and/or the directory that houses the MFA Credential Provider agent installation. This directory can be found in:
C:\Program Files\Okta\Okta Windows Credential Provider\logs
Within this directory, there are two logs named:
- OktaWidget.log
- OktaCP.log
Details on log-in events, including errors, are recorded in the OktaWidget.log file. If a login attempt failed, search the log for the username that was used for testing or that is experiencing the error.
For example, if the user "Oktalab.User" had an issue logging in, open the log and search for that username:
As seen in this example, Oktalab.User did not actually encounter a Multi-Factor Authentication failure, as the UI error suggests; instead, a common System.Net.WebException was raised after the JSON Web Token (JWT) minting step for primary authentication had completed. From here, take the error text and reference the following table for more details on what could have caused it and how to resolve it:
| RDP Error | Summary |
|---|---|
| System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure. | The error indicates the agent is on a network containing a web security appliance. |
| | The error indicates .NET is using insecure ciphers in TLS encryption negotiation. |
| | [Same as above] |
| System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host. | [Same as above] |
| | [Same as above] |
| RDP Error: The remote server returned an error: (404) Not Found. | The error indicates the resource was not found. Most commonly, the username format in the app config is incorrect, or the login URL is inaccurate. |
| RDP Error: The remote server returned an error: (403) Forbidden. | The error indicates the credentials provided are not authorized. This usually means the user is not assigned to the app or does not have MFA set up. |
| RDP Error: The remote server returned an error: (401) Unauthorized. | The error indicates the login was unauthorized. Most commonly this is an incorrect username or password, but there are many known causes of a 401. |
| RDP Error: Unable to CopySerializedCred hr=80004001 rdpSession=1 | This error, found in OktaCP.log, indicates an issue with the credential provider's integration with the OS, usually because multiple credential providers are installed. |
| MFA for RDP server showing a blank MFA prompt | The error indicates internet connectivity issues between the widget and the Okta tenant. |
| RDP Error: The encryption algorithm 'HS256' requires a key size of at least '128' bits. | This error indicates that the client secret entered during installation was incorrect. |
| RDP Error: Content was blocked because it was not signed by a valid security certificate. | The error indicates the server is unable to validate Okta's public security certificate. Usually caused by improperly configured trusted CAs or CRLs on the server. |
| Windows Credential Provider (RDP) Installation Error: Error 1001. Failed to validate configuration. ClientID or ClientSecret are not valid. | This error is returned during both GUI and CLI installations of the Windows Credential Provider (RDP) agent. |
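As an added example (not Okta's code), the following PowerShell script performs the triage described above: it searches OktaWidget.log for a given username and maps any known exception text to the likely cause from the table. The log path is the one from this article; the log line format and the Oktalab.User sample entries are constructed assumptions.

```powershell
# Added example, not Okta's code: triage OktaWidget.log for one user's failed
# logons and map any known exception text to the cause listed in the table.
# The log path is the one from this article; the line format and sample
# entries below are constructed for illustration and will differ from real logs.

$LogPath = 'C:\Program Files\Okta\Okta Windows Credential Provider\logs\OktaWidget.log'

# Error signatures from the table (regex) -> likely cause.
$KnownErrors = [ordered]@{
    'AuthenticationException: The remote certificate is invalid' = 'Agent is behind a web security appliance intercepting TLS'
    'SocketException: An existing connection was forcibly closed' = 'TLS negotiation failed (.NET using insecure ciphers)'
    '\(404\) Not Found'                                            = 'Username format in the app config or login URL is incorrect'
    '\(403\) Forbidden'                                            = 'User not assigned to the app or has no MFA enrolled'
    '\(401\) Unauthorized'                                         = 'Primary authentication failed (commonly bad username/password)'
    "requires a key size of at least '128' bits"                   = 'Client secret entered during installation is incorrect'
    'not signed by a valid security certificate'                   = 'Server cannot validate the Okta certificate (trusted CAs / CRLs)'
}

function Get-OktaRdpFailureCause {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [Parameter(Mandatory)][string]$UserName
    )
    # Keep only lines that mention the user, then test each against the signatures.
    $userLines = $LogLines | Where-Object { $_ -match [regex]::Escape($UserName) }
    foreach ($line in $userLines) {
        foreach ($pattern in $KnownErrors.Keys) {
            if ($line -match $pattern) {
                [pscustomobject]@{
                    User    = $UserName
                    Error   = $Matches[0]
                    Cause   = $KnownErrors[$pattern]
                    LogLine = $line.Trim()
                }
            }
        }
    }
}

# Constructed sample entries so the script runs without a real log file.
$SampleLog = @(
    '2024-01-01 10:00:01 INFO  [Oktalab.User] JWT minted for primary authentication',
    '2024-01-01 10:00:02 ERROR [Oktalab.User] System.Net.WebException: The remote server returned an error: (401) Unauthorized.',
    '2024-01-01 10:05:10 ERROR [Other.User] System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host.'
)

$lines = if (Test-Path -LiteralPath $LogPath) { Get-Content -LiteralPath $LogPath } else { $SampleLog }
Get-OktaRdpFailureCause -LogLines $lines -UserName 'Oktalab.User' | Format-List
```

Run it on the RDS server as an administrator; against the sample entries it reports the (401) Unauthorized line for Oktalab.User and ignores the unrelated Other.User socket error.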
Related References
- Okta MFA Credential Provider for Windows
- Support for Remote Desktop Services with Okta MFA Credential Provider for Windows
