Okta Verify Enrollment on Windows Fails With a Sign-In URL Is Not Secure or Generic Enrollment Error
Multi-Factor Authentication
Okta Identity Engine
Overview

When users attempt to enroll in Okta Verify for Windows, SSL inspection by a network proxy causes the process to fail. Bypassing the proxy or excluding Okta domains from SSL inspection resolves the issue. During enrollment, Okta Verify generates one of the following error messages:

  • The sign-in URL is not secure
  • Generic enrollment error

Additionally, the Event Viewer logs display the following errors:

Extensions.WriteException: An error occurred when getting the organization status. Exception: An error occurred while sending the request.: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.: The remote certificate is invalid according to the validation procedure.

[CertificatePinningValidator.ValidateConnection]: Certificate domain .oktapreview.com/.okta.com did not match pinned keys/certs, validation failed.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Verify Desktop
  • Multi-Factor Authentication (MFA)
Cause

For security reasons, Okta prevents the inspection or modification of traffic between Okta Verify and Okta endpoints. Desktop or network components, such as proxies, often inspect SSL certificates. Because FastPass is phishing-resistant, the feature fails when a man-in-the-middle component inspects the Transport Layer Security (TLS) traffic.

Solution

How are SSL proxy environments configured to allow Okta Verify traffic?

Exclude the organization's default Okta domains from inspection and verify the configuration to allow Okta Verify traffic.

  1. Exclude the default Okta domains from inspection. Okta domains typically use *.okta.com or *.oktapreview.com.
  2. Turn off the proxy on one or more workstations, or bypass the network proxy.
  3. Change the policy to prevent or account for SSL inspection for *.okta.com for production environments, *.oktapreview.com for sandbox environments, or the custom domain if the test resolves the issue.
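
One way to confirm from an affected workstation whether Okta traffic is still being intercepted, as an added example (not Okta tooling and not part of the original article). The host name yourorg.okta.com is a placeholder for the org's own Okta domain. The handshake in step 2 connects directly, so it reveals transparent inspection only and does not travel through an explicit proxy; step 1 reports separately whether one is configured.

```powershell
# Added diagnostic example; not Okta tooling. Run on an affected workstation.
param(
    [string]$OktaHost = 'yourorg.okta.com'   # placeholder: your org's Okta host
)

# 1. Explicit proxy path: would Windows send this URL through a system proxy?
$uri   = [Uri]"https://$OktaHost/"
$proxy = [System.Net.WebRequest]::GetSystemWebProxy()
if ($proxy.IsBypassed($uri)) {
    "System proxy : bypassed, direct connection to $OktaHost"
} else {
    "System proxy : $($proxy.GetProxy($uri)) handles $OktaHost"
}

# 2. Transparent inspection path: which certificate does a direct TLS
#    handshake on port 443 actually receive?
$tcp = [System.Net.Sockets.TcpClient]::new($OktaHost, 443)
$ssl = $null
try {
    # Accept whatever is presented so it can be examined even if untrusted.
    # Only the handshake runs; no application data is sent.
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAny)
    $ssl.AuthenticateAsClient($OktaHost, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)

    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        $ssl.RemoteCertificate)
    "Leaf subject : $($leaf.Subject)"
    "Leaf issuer  : $($leaf.Issuer)"
    "Thumbprint   : $($leaf.Thumbprint)"

    # Build the chain against the local certificate stores to see where it ends.
    $chain   = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $trusted = $chain.Build($leaf)
    "Chain trusted by Windows: $trusted"
    foreach ($element in $chain.ChainElements) {
        "  chain -> $($element.Certificate.Subject)"
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
```

If the leaf issuer or the last chain entry is the organization's inspection CA rather than a public CA, the exclusion for the Okta domains is not yet in effect on this network path. A chain that Windows trusts can still fail Okta Verify's pinning check, because the inspection CA is usually installed as a trusted root on managed workstations.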

 

How is the Windows proxy disabled in Microsoft Edge?

Disable the system proxy settings in Microsoft Edge to prevent interference with Okta Verify.

  1. Navigate to Settings, and then select System and performance.
  2. Open the computer's proxy settings within Microsoft Edge.
  3. Toggle Use a proxy server to off under the Manual proxy setup section.
  4. Select Save.

 
