RDP Error "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel"
Okta Classic Engine
Multi-Factor Authentication
Okta Identity Engine
Overview

This article addresses an error that can occur with the Okta MFA Credential Provider for Windows integration. It is commonly observed after installation, but it can also appear after changes to the network environment. When a user attempts to log in, the Credential Provider logs the following error:

exception thrown is = System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.


For assistance locating and tracing logs for the Okta Credential Provider, see Troubleshooting Okta MFA Credential Provider RDP Errors.

Applies To
  • Multi-factor Authentication (MFA)
  • Okta MFA Credential Provider for Windows
Cause
This error is known to occur in networks that contain a web security appliance and/or where SSL/TLS inspection is in use.
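
To check whether TLS inspection is in the path, the following PowerShell lists the certificate chain that the affected server receives when it connects to the Okta org. It is an added example, not Okta's code; `your-org.okta.com` is a placeholder for the org hostname, and the script assumes direct outbound access on port 443 with TLS 1.2.

```powershell
# Added diagnostic example (not Okta code). Run on the affected Windows server.
$OktaHost = 'your-org.okta.com'   # placeholder: replace with your Okta org hostname

function Get-PresentedTlsChain {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever certificate is presented: the goal is to inspect it,
        # not to trust it. No application data is sent over this stream.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            # Copy the leaf certificate before the stream is disposed.
            $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }

    # Depth 0 is exactly the certificate that was presented. Higher elements are
    # resolved by Windows from local stores, so they show how this machine chains it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($leaf)
    for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
        $c = $chain.ChainElements[$i].Certificate
        [pscustomobject]@{
            Depth       = $i
            Subject     = $c.Subject
            Issuer      = $c.Issuer
            Thumbprint  = $c.Thumbprint
            TrustedHere = $trusted   # result of chain validation on this machine
        }
    }
}

Get-PresentedTlsChain -HostName $OktaHost | Format-List
```

An issuer at depth 0 that belongs to an internal or appliance CA rather than a public CA indicates that the connection is being re-signed by the inspection device. Comparing the output with a run from a host outside the inspected network makes the difference explicit.
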
Solution

To resolve this issue, Okta Administrators should disable SSL Pinning, which is enabled by default. To do so, modify the Okta MFA Credential Provider for Windows Agent Configuration file. Instructions for finding and manually modifying the configuration file are in Install the Okta Credential Provider for Windows (point 5 of the Silent installation).


Within the rdp_app_config.json configuration file, find or add an entry for SslPinningEnabled and set it to false.

Once the change is made, save the rdp_app_config.json configuration file. The same setting can also be configured in silent and mass deployments; see Install the Okta Credential Provider for Windows.
