This article addresses the following RDP error found in the OktaWidget log:
"The encryption algorithm 'HS256' requires a key size of at least '128' bits."
This error initially presents in the user interface (UI) as a generic "Multi Factor Authentication Failed" message when attempting to log in.
Refer to the Troubleshooting Okta MFA Credential Provider RDP Errors article for instructions on accessing the OktaWidget.log file to troubleshoot errors.
The full error usually appears as:
Exception thrown System.FormatException data = System.FormatException: Invalid length for a Base-64 char array or string.
   at System.Convert.FromBase64_Decode(Char* startInputPtr, Int32 inputLength, Byte* startDestPtr, Int32 destLength)
   at System.Convert.FromBase64CharPtr(Char* inputPtr, Int32 inputLength)
   at System.Convert.FromBase64String(String s)
   at OktaWidget.SecurityService.unencryptData(String encryptedText)
   at OktaWidget.JwtService.MintToken(String username)
   at OktaWidget.JwtService.GetStateTokenUsingJwt(String username)
   at OktaWidget.OktaWidgetForm..ctor(String username, Int64 parent, Int64 widgetFlow)
   at OktaWidget.OktaWidgetClass.displayWidget(Int64 parent, String username, Int64 flow)
Applies to:
- Okta MFA Credential Provider
- Remote Desktop Protocol (RDP)
This error occurs when the client secret was entered incorrectly while installing the Okta Credential Provider, or was later edited in the rdp_app_config.json file. The stack trace shows where it fails: the credential provider decrypts the stored client secret (SecurityService.unencryptData) while minting the JWT it uses to obtain a state token (JwtService.MintToken, JwtService.GetStateTokenUsingJwt). A mangled secret either no longer decodes as Base-64 (the FormatException above) or decodes to a key shorter than the 128 bits that HS256 requires, which is the key-size error this article is about.
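The two failure modes described above, as an added stand-alone example that is not Okta's code and does not read the (encrypted) rdp_app_config.json format, which this article does not document. It takes a Base-64 encoded secret string, classifies it the way the two log errors would (does not decode, or decodes to fewer than 128 bits), and shows the HS256 token minting that a usable secret allows. The sample secrets, the claim names and the function names are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Minimum key size the error on this page reports for HS256 (128 bits = 16 bytes).
HS256_MIN_KEY_BITS = 128

# Constructed sample values (not real Okta client secrets):
GOOD_SECRET = base64.b64encode(b"A" * 32).decode("ascii")   # 256-bit key, well formed
SHORT_SECRET = base64.b64encode(b"short").decode("ascii")   # well formed, but only 40 bits
TRUNCATED_SECRET = GOOD_SECRET[:-1]                          # one character lost in a paste


def check_hs256_secret(secret_b64: str) -> tuple[str, int]:
    """Classify a Base-64 encoded secret the way the two errors on this page would.

    Returns (status, key_bits) where status is one of:
      "invalid-base64" - the text does not decode (the FormatException case)
      "key-too-short"  - decodes, but to fewer than 128 bits (the HS256 key-size case)
      "ok"             - usable as an HS256 key
    """
    try:
        raw = base64.b64decode(secret_b64, validate=True)
    except (binascii.Error, ValueError):
        return ("invalid-base64", 0)
    bits = len(raw) * 8
    if bits < HS256_MIN_KEY_BITS:
        return ("key-too-short", bits)
    return ("ok", bits)


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_hs256_jwt(secret_b64: str, claims: dict) -> str:
    """Build a compact JWS (header.payload.signature) signed with HMAC-SHA256.

    Refuses to sign with a secret that fails check_hs256_secret; this is the
    stage at which the credential provider's MintToken step fails.
    """
    status, bits = check_hs256_secret(secret_b64)
    if status != "ok":
        raise ValueError(f"cannot mint token: {status} ({bits} bits)")
    key = base64.b64decode(secret_b64, validate=True)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_hs256_jwt(token: str, secret_b64: str) -> bool:
    """Recompute the HMAC over header.payload and compare in constant time."""
    try:
        header, payload, signature = token.split(".")
        key = base64.b64decode(secret_b64, validate=True)
    except ValueError:
        return False
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url(expected), signature)


if __name__ == "__main__":
    for label, secret in [("good", GOOD_SECRET), ("short", SHORT_SECRET), ("truncated", TRUNCATED_SECRET)]:
        print(label, check_hs256_secret(secret))
    token = mint_hs256_jwt(GOOD_SECRET, {"sub": "user@example.com"})
    print("verifies:", verify_hs256_jwt(token, GOOD_SECRET))
```

The truncated sample is the case most often seen after a copy-and-paste mistake: dropping a single character from a padded Base-64 string makes its length invalid, so the decode fails before any key-size check runs, which is why the log shows a FormatException rather than a key-size error.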
The solution is to uninstall and reinstall the Okta Windows Credential Provider by following the documentation chapter "Install the Okta Credential Provider for Windows."
Uninstall the Okta Windows Credential Provider:
- Make a backup copy of the install directory C:\Program Files\Okta\Okta Windows Credential Provider.
- Navigate to Control Panel and select Programs and Features, or search for "Add or remove programs" from the Start menu.
- Uninstall as usual.
- After uninstalling, double-check that the directory C:\Program Files\Okta\Okta Windows Credential Provider has been removed.
Reinstall the Okta Windows Credential Provider by following the Okta Credential Provider for Windows guide, and make sure the information entered during installation is 100% accurate (step 4 below).
1. Go to the location where the installer was downloaded.
2. Extract the files from the .zip archive.
3. Run setup.exe as an administrator and follow the prompts. Install or repair the Microsoft Visual C++ Runtime libraries as required.
4. On the App Configuration dialog, enter the client ID, client secret, and Okta URL, then click Next. Get these values from the Microsoft RDP (MFA) app in Okta: select the General tab and scroll to the Client Credentials section to find the client ID and the client secret. The Okta URL is the URL the org uses to reach Okta (for example, https://<orgName>.okta.com).
5. Click Next and Close to complete the installation.
6. In the second App Configuration dialog, select from the following options:
   - Filter Credential Provider: This option provides a workaround for servers with multiple credential providers installed. If selected, the Okta MFA Credential Provider is the only method used to apply MFA to RDP connections. Unauthenticated users cannot select which credential provider to use.
   - RDP Only: By default, the installed credential provider inserts Okta MFA between an RDP and a local authentication event. Selecting this option removes Okta MFA from local (interactive) logons.
   - Display Okta password reset link (self-service): Select this option to add a feature to the Windows sign-on screen that enables end users to reset their password through Okta.
7. Re-test the integration.
