This article describes how to resolve an RDP error that occurs in the Okta Sign-In Widget during login and shows the message:
Content was blocked because it was not signed by a valid security certificate.
- Okta MFA Credential Provider for Windows
- Multi-Factor Authentication (MFA)
- Remote Desktop Protocol (RDP)
- Public Key Infrastructure (PKI)
This issue can be caused by the Certificate Revocation List (CRL) configuration or by a domain blocking configuration on the Windows Server.
The solution may include one or a combination of the following:
A. Allow access to Okta IP addresses
Allow-list Okta's IP addresses and domains on the server; see the section Allow access to Okta IP addresses in the Okta documentation.
| Item | Requirement |
| --- | --- |
| Ports | The Okta service uses SSL/TLS for all communication. If the policy requires a port number, port 443 must be allow-listed for the IP addresses provided in this document, unless otherwise noted. |
| Required Okta Domains | If the company allow-list includes domains, add the following domains to the list of allowed domains: |
| Certificate revocation troubleshooting | Various problems can arise when a certificate's revocation status is checked. For example, some clients fail to connect to SSL/TLS endpoints when they cannot reach a revocation server. If there are any problems with certificate revocation, ensure that the following domain names are allow-listed on port 80: |
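A quick way to confirm that the blocked item really is a revocation server, rather than guessing at firewall rules, is to read the CRL Distribution Point and OCSP URLs out of the certificate the Okta endpoint presents and test whether the Windows Server can open a TCP connection to each of those hosts (port 80 unless the URL says otherwise, which is why the table above asks for port 80). The script below is an added example written for this article, not Okta's own tooling: it uses only the Python standard library, `SAMPLE_PEERCERT` is a constructed dictionary shaped like the output of `ssl.SSLSocket.getpeercert()` (the `.invalid` hostnames are placeholders, not real Okta CRL servers), and the default target `example.okta.com` is a placeholder for your own Okta org hostname.

```python
"""Diagnose CRL/OCSP reachability for a TLS endpoint.

Added example for the Okta RDP "not signed by a valid security certificate"
article; not Okta's code. Pure helpers (revocation_endpoints, allow_list_report,
blocked_hosts) are network-free so they can be exercised offline; fetch_peercert
and tcp_reachable do the live work when run from the command line.
"""
import socket
import ssl
import sys
from urllib.parse import urlparse

# Constructed sample shaped like ssl.SSLSocket.getpeercert(); hostnames are placeholders.
# The LDAP distribution point is included to show that non-HTTP URLs are skipped.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "example.okta.com"),),),  # placeholder org hostname
    "crlDistributionPoints": (
        "http://crl.example.invalid/intermediate.crl",
        "ldap:///CN=Example%20CA,CN=CDP,CN=Public%20Key%20Services",
    ),
    "OCSP": ("http://ocsp.example.invalid/",),
}


def revocation_endpoints(peercert):
    """Return a sorted list of (host, port) for every HTTP(S) CRL DP and OCSP URL.

    Ports default to 80 for http and 443 for https when the URL omits them,
    matching the guidance that revocation domains must be allowed on port 80.
    """
    endpoints = set()
    for key in ("crlDistributionPoints", "OCSP"):
        for url in peercert.get(key, ()):
            parsed = urlparse(url)
            if parsed.scheme not in ("http", "https") or not parsed.hostname:
                continue  # LDAP or malformed distribution points are not HTTP-reachable
            port = parsed.port or (443 if parsed.scheme == "https" else 80)
            endpoints.add((parsed.hostname, port))
    return sorted(endpoints)


def fetch_peercert(hostname, port=443, timeout=5.0):
    """Open a verified TLS connection and return the leaf certificate as a dict.

    Note: getpeercert() only exposes the leaf; the issuing CA's own CRL is not
    listed here and may need to be checked separately.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds (the check a CRL fetch needs first)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def allow_list_report(endpoints, probe=tcp_reachable):
    """Map each (host, port) to a reachability bool; `probe` is injectable for offline tests."""
    return {(host, port): probe(host, port) for host, port in endpoints}


def blocked_hosts(report):
    """Return 'host:port' strings for endpoints the server could not reach."""
    return sorted(f"{host}:{port}" for (host, port), ok in report.items() if not ok)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.okta.com"  # placeholder
    cert = fetch_peercert(target)
    endpoints = revocation_endpoints(cert)
    report = allow_list_report(endpoints)
    for (host, port), ok in report.items():
        print(f"{'OK     ' if ok else 'BLOCKED'} {host}:{port}")
    if blocked_hosts(report):
        print("Allow-list the BLOCKED hosts above before disabling revocation checks.")
```

Run it on the server that shows the error (`python crl_check.py <your-okta-org-hostname>`); any `BLOCKED` line names a host that must be added to the allow-list on the port shown. Because the probe only tests TCP reachability, a host that is allowed through the firewall but answers with an HTTP error would still need a manual fetch of the CRL URL to diagnose.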
B. CRL checks could be completely disabled on the server (not recommended)
Internet Options has a "Check for server certificate revocation" setting that can be unchecked as a workaround.
Alternatively or additionally, the same setting can be disabled through a GPO configuration as a workaround.
NOTE:
- If unchecking or disabling "Check for server certificate revocation" is not an option because of the company's security requirements, capture the RADIUS packets with Wireshark and submit a ticket to Okta Support.
