The Multi Factor Authentication Failed error occurs after installing the Okta MFA Credential Provider for Windows and attempting to log in via Remote Desktop Protocol (RDP). This generic failure message indicates issues with primary authentication, connection problems, configuration conflicts, or missing prerequisites. Review the local agent logs to identify the specific error and apply the corresponding resolution from the troubleshooting table.
Multi Factor Authentication Failed
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Okta MFA Credential Provider for Windows
- Multi-Factor Authentication (MFA)
- Remote Desktop Protocol (RDP)
The Multi Factor Authentication Failed error most often appears after the initial installation of the Okta MFA Credential Provider for Windows, when testing a login via RDP. The error is a generic failure message and does not always indicate a problem with MFA itself; it can also indicate a failure in primary authentication, a connection issue, a configuration conflict, or a problem with the Okta RDP application or the Remote Desktop Services (RDS) server. Errors also occur when prerequisites listed in the Prerequisites to Set MFA for Windows Credential Provider documentation are missing.
How are MFA Credential Provider RDP errors resolved?
NOTE: In an emergency, the Credential Provider can be bypassed. Reference the article Disable Credential Provider Using the Registry Editor for detailed instructions.
Identify the specific cause of a login failure by accessing the server or the directory that houses the MFA Credential Provider agent installation and reviewing the logs.
- Navigate to the following directory on the server: C:\Program Files\Okta\Okta Windows Credential Provider\logs
- Open the OktaWidget.log file to view login events and errors. NOTE: The directory also contains the OktaCP.log file.
- Query the log for the username experiencing the login error.
- Review the log output to identify the specific error message. For example, if the log reveals a System.Net.WebException error after the JSON Web Token (JWT) minting process completes for primary authentication, the issue is not with MFA.
- Reference the following table to identify the cause and resolution for specific RDP errors.
| RDP Error | Summary |
|---|---|
| System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure. | The error indicates the agent is on a network containing a web security appliance. |
| | The error indicates .NET is using insecure ciphers in TLS encryption negotiation. |
| | [Same as Above] |
| System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host. | [Same as Above] |
| | [Same as Above] |
| RDP Error: The remote server returned an error: (404) Not Found. | The error indicates the resource was not found. Most commonly, the Username format in the app config is incorrect, or the login URL is inaccurate. |
| RDP Error: The remote server returned an error: (403) Forbidden. | The error indicates the credentials provided are not authorized. This usually means the user is not assigned to the app or does not have MFA set up. |
| RDP Error: The remote server returned an error: (401) Unauthorized. | The error indicates the login was unauthorized. Most commonly this is an incorrect username or password, but there are many known causes of a 401. |
| RDP Error: Unable to CopySerializedCred hr=80004001 rdpSession=1 | This error appears in OktaCP.log and indicates a problem with the credential provider's integration with the OS, usually because multiple credential providers are installed. |
| MFA for RDP Server Showing Blank MFA Prompt | The error indicates internet connectivity issues from the widget to the Okta tenant. |
| RDP Error: The encryption algorithm 'HS256' requires a key size of at least '128' bits. | This error indicates that the client secret entered during installation was incorrect. |
| RDP Error: Content was blocked because it was not signed by a valid security certificate. | The error indicates the server is unable to validate Okta's public security certificate. Usually caused by improperly configured trusted CAs or CRLs on the server. |
| Windows Credential Provider (RDP) Installation Error: Error 1001. Failed to validate configuration. ClientID or ClientSecret are not valid | This error is returned during both GUI and CLI installations when attempting to install the Windows Credential Provider (RDP) agent. |
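As an added example (not Okta's code or part of this article), the following PowerShell script performs the log review above: it reads OktaWidget.log and OktaCP.log from the documented directory, keeps only the lines for one username, and maps the error strings from the table to their summaries. The signature table, the Get-OktaCpFinding function name and the two sample log lines are constructed for this example; the samples are used only when no real logs are found.

```powershell
# Added example, not Okta's code. Maps known Credential Provider log errors
# to the causes listed in the troubleshooting table on this page.
param(
    [string]$UserName = 'jdoe',   # constructed sample user
    [string]$LogDir   = 'C:\Program Files\Okta\Okta Windows Credential Provider\logs'
)

# Error signature -> cause, transcribed from the table (constructed lookup table).
$Signatures = [ordered]@{
    'The remote certificate is invalid according to the validation procedure' = 'Web security appliance on the network'
    'An existing connection was forcibly closed by the remote host'           = 'Insecure .NET TLS ciphers in negotiation'
    '(404) Not Found'                                                         = 'Username format or login URL wrong in app config'
    '(403) Forbidden'                                                         = 'User not assigned to app or MFA not set up'
    '(401) Unauthorized'                                                      = 'Primary authentication failed (not an MFA problem)'
    'Unable to CopySerializedCred'                                            = 'Credential provider conflict with OS (multiple providers)'
    "requires a key size of at least '128' bits"                              = 'Client secret entered at install is wrong'
    'not signed by a valid security certificate'                              = 'Server cannot validate Okta certificate (trusted CA/CRL config)'
}

# Hypothetical helper: returns one object per matching log line for the given user.
function Get-OktaCpFinding {
    param([string[]]$Lines, [string]$User)
    $hits = @()
    foreach ($line in $Lines) {
        # Only lines that mention the affected user are of interest.
        if ($line -notmatch [regex]::Escape($User)) { continue }
        foreach ($sig in $Signatures.Keys) {
            if ($line.IndexOf($sig, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $hits += [pscustomobject]@{ Line = $line.Trim(); Cause = $Signatures[$sig] }
            }
        }
    }
    return $hits
}

# Read both logs if present; otherwise fall back to constructed sample lines.
$lines = @()
foreach ($name in 'OktaWidget.log', 'OktaCP.log') {
    $path = Join-Path $LogDir $name
    if (Test-Path $path) { $lines += Get-Content -Path $path }
}
if ($lines.Count -eq 0) {
    $lines = @(
        '2024-01-01 10:00:01 INFO  jdoe JWT minted for primary auth',                                                        # constructed
        '2024-01-01 10:00:02 ERROR jdoe System.Net.WebException: The remote server returned an error: (401) Unauthorized.'  # constructed
    )
}

Get-OktaCpFinding -Lines $lines -User $UserName | Format-Table -AutoSize
```

With the sample lines, the output attributes the failure to primary authentication, matching the note above that a WebException after JWT minting is not an MFA problem.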
