This article contains the troubleshooting step for Desktop MFA with Self-Service Password Reset.
When Desktop MFA is set up with the "SelfServicePasswordResetEnabled" registry parameter enabled on a Windows client machine, clicking the Forgot Password button produces the error shown below. However, resetting the password from the Okta side with the new password works fine.
This is applicable when Active Directory is configured.
- Okta Identity Engine (OIE)
- Desktop MFA for Windows
- Okta Verify
- MFA
Case Scenario
UPN: John.Smith
AD SAM: abc12345
- The username that the end user is filling out on the login screen (abc12345 in the example) needs to match the Okta username. If it does not, then Self-Service Password Reset (SSPR) will not work. This is a known limitation and there are no workarounds until Okta addresses this username-matching problem.
- If the Okta username doesn't match either the SamAccountName (SAM) or UserPrincipalName (UPN), self-service password reset isn't available. See Self-service password reset.
Step 1: Check the Desktop MFA Logs
Desktop MFA logs are stored locally on the user's desktop computer at: C:\Windows\System32\config\systemprofile\AppData\Local\Okta Device Access\Logs
Sample Errors in Okta Desktop MFA Logs
[WRN] [ 🟠 ] [DirectAuthPasswordResetOvPushChallenge::InitChallengeAsync] Token response:TokenType: Channel: Interval:0 Error:invalid_grant ErrorDescription:The 'login_hint' does not uniquely identify a user. HttpStatusCode:BadRequest RequestId=XXXXXXXXXXXXXXXbde255xxx
Step 2: Check if JIT is enabled on the tenant. To verify:
- Go to Directory > Directory Integrations > Select the Directory Name > Go to Provisioning tab > Select To Okta > Enable JIT Provisioning (Create and update users on login).
- Go to Customizations > Other > look for Just In Time Provisioning and enable it.
Step 3: Check the Password Policy under Authentication Providers: "Active Directory"
- This is to ensure that end users can reset their Passwords.
- Go to Security > Authenticators > under Setup, select Actions and Edit for Passwords > go to the Active Directory Policy and under Rule > enable Password Reset.
Step 4: Check that the SelfServicePasswordResetEnabled registry entry is enabled.
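The two checks that run on the Windows client itself (Step 1, the log review, and Step 4, the registry entry) can be scripted. The PowerShell below is an added example and is not part of the Okta article; the registry key path is an assumed placeholder, since the article does not state where SelfServicePasswordResetEnabled lives, so substitute the key your Desktop MFA deployment uses. It reports the registry value and lists every log line carrying the "does not uniquely identify a user" error together with its RequestId, which is the value to quote when opening a support case.

```powershell
# Added triage example (not from the Okta article): checks the local Desktop MFA
# prerequisites from Step 1 (logs) and Step 4 (registry) on the Windows client.
# ASSUMPTION: $RegistryPath is a placeholder; use the key where your Desktop MFA
# deployment stores SelfServicePasswordResetEnabled.
$RegistryPath = 'HKLM:\SOFTWARE\Policies\Okta\Okta Device Access'   # placeholder, verify for your deployment
$ValueName    = 'SelfServicePasswordResetEnabled'
$LogDir       = 'C:\Windows\System32\config\systemprofile\AppData\Local\Okta Device Access\Logs'

# --- Step 4: is SSPR enabled in the registry? ---
$sspr = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
if ($null -eq $sspr) {
    Write-Warning "$ValueName not found under $RegistryPath"
} elseif ([int]$sspr.$ValueName -eq 1) {
    Write-Host "$ValueName = 1 (enabled)"
} else {
    Write-Warning "$ValueName = $($sspr.$ValueName) (not enabled)"
}

# --- Step 1: scan the Desktop MFA logs for the login_hint error ---
# The error text is the one quoted in the article's sample log line.
$pattern = 'does not uniquely identify a user'
Get-ChildItem -Path $LogDir -File -ErrorAction SilentlyContinue |
    Select-String -Pattern $pattern -SimpleMatch |
    ForEach-Object {
        # Pull out the RequestId so it can be handed to Okta Support.
        $reqId = if ($_.Line -match 'RequestId=(\S+)') { $Matches[1] } else { 'n/a' }
        [pscustomobject]@{
            File      = $_.Filename
            Line      = $_.LineNumber
            RequestId = $reqId
        }
    } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session, because the log directory sits under the SYSTEM profile. A hit on the login_hint error points at the username mismatch described in the Case Scenario above; the admin-console checks in Steps 2, 3, 5 and 6 still have to be done in the Okta UI.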
Step 5: Check the End User's Profile
- Check the end user's profile by going to Directory.
- Search for the account.
- Go to the Profile tab.
- Under Attributes, check what Username is shown.
Step 6: Check Desktop MFA's App username format
- Go to Applications > Applications.
- Search for Desktop MFA.
- Go to the Authentication tab.
- Select Edit.
- Under Credentials Details, select the dropdown menu for Application Username Format and choose the format that matches the end user's profile. For example, Okta Username (John.Smith@domain.com).
- Then Save.
If the above steps have been configured correctly, go to the next step.
Step 7: Log in to Desktop MFA
- Enter Username.
- Select Forgot Password.
- The message "Your password has been changed." is displayed.
- Click OK to continue accessing the computer.
NOTE: Create a user account that will match the Okta Username to either the SamAccountName (SAM) or UserPrincipalName (UPN).
