RDP Error "The remote server returned a (403) Forbidden"
Okta Classic Engine
Multi-Factor Authentication
Okta Identity Engine
Overview

This article reviews the RDP error below, found in the OktaWidget.log:

The remote server returned an error: (403) Forbidden

This error initially presents as a generic message in the UI when attempting to log in:

Multi Factor Authentication Failed

If unaware of how to access the OktaWidget.log file to troubleshoot errors, please refer to the parent article Troubleshooting Okta MFA Credential Provider RDP Errors.

The full error usually appears as:

exception thrown is = System.Net.WebException: The remote server returned an error: (403) Forbidden.
   at System.Net.HttpWebRequest.GetResponse()
   at OktaWidget.JwtService.GetStateTokenUsingJwt(String username)
   at OktaWidget.OktaWidgetForm..ctor(String username, Int64 parent, Int64 widgetFlow)
   at OktaWidget.OktaWidgetClass.displayWidget(Int64 parent, String username, Int64 flow)

Applies To
  • Okta MFA Credential Provider
  • Remote Desktop Protocol (RDP)
Cause

The HTTP status code 403 (Forbidden) indicates that the server understood the request but refuses to authorize it. Unlike 401 (Unauthorized), the request was authenticated; the credentials or context presented are simply not sufficient for the requested action. Here the request is the Credential Provider's call to Okta to obtain a state token for the user (GetStateTokenUsingJwt in the stack trace above), and Okta refuses it because a policy check for that user or that context fails.

There are several known reasons for this error appearing in the OktaWidget.log:

  • The user does not have MFA configured.
    • Multi-factor authentication is required on the RDP application by default, but the end user has not enrolled in any factor, so there is nothing to challenge.
  • The Enrollment Policy rule is scoped to a Network Zone that does not include the server, which results in a deny condition.
    • During login, when MFA is required, Okta evaluates the Enrollment Policy to decide which authenticators are available in the user's context; rules can be conditioned on network zones.
    • The request is made by the Credential Provider on the RDP server, so the IP address Okta sees is the server's egress address. If that address is not in a zone the rule includes, the rule does not apply and the login is denied and logged as The remote server returned an error: (403) Forbidden.
  • The user is not assigned to the RDP app.
Solution

The user does not have MFA configured

This commonly occurs when a new user attempts to access the server via RDP before logging in to their Okta Dashboard and enrolling an authenticator for MFA.

If they are not automatically prompted to enroll at dashboard login, they can enroll from the account settings page:

  1. Log in to the Okta Dashboard.
  2. If MFA is required for the dashboard, set up an MFA factor when prompted during login.
  3. If MFA is not required for the dashboard, click the user name in the upper right corner and choose Settings.
  4. On the account settings page, find Security Methods and set up an appropriate authenticator.


Enrollment Policy specifies the server in a Network Zone, which results in a deny condition

Reference the IP address in the login event.

NOTE: If this is the root cause, Primary Authentication will show as successful in the System Log; the denial happens at the MFA step. Compare the client IP recorded on that event with the configured network zones:

System Log event

As configured, if the client IP [IP Address.253] is not listed in any zone included by the enrollment policy rule, the login is denied with an HTTP 403.

Enrollment policies and rules

As configured above, the IP address would need to be added to a network zone referenced by the enrollment policy rule for the login to be allowed. Alternatively, the enrollment policy rule could be adjusted to remove the network zone condition.
 

The user is not assigned to the RDP app

Make sure the user attempting access is assigned to the RDP app from the Okta Admin Console:

  1. Log in to the Okta Admin Console.
  2. Navigate to Applications > Applications and select the RDP app, Microsoft RDP (MFA).
  3. Click the Assignments tab, click Assign, and assign the app to the correct person or group.
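The three checks above can be scripted against the Okta API when the same 403 recurs across many users or servers. The following is an added triage example, not code from this article or from Okta. It assumes the response shapes of three public Okta endpoints (GET /api/v1/users/{userId}/factors, GET /api/v1/apps/{appId}/users/{userId}, which returns 404 when the user is unassigned, and GET /api/v1/zones) and an enrollment policy rule whose network condition lists zone IDs. The HTTP calls themselves are left out; the log excerpt, factor list, zone list, zone ID `nzo_corp` and server IP `192.0.2.253` are constructed sample data standing in for what those calls would return.

```python
import ipaddress

# Constructed sample of the OktaWidget.log line (not a real capture).
SAMPLE_LOG = (
    "exception thrown is = System.Net.WebException: The remote server returned an error: "
    "(403) Forbidden.<CR><LF>   at System.Net.HttpWebRequest.GetResponse()<CR><LF>"
    "   at OktaWidget.JwtService.GetStateTokenUsingJwt(String username)"
)

# Constructed stand-ins for live API responses (shapes follow the public Okta API docs).
# GET /api/v1/users/{userId}/factors: a pending factor does not count as enrolled.
SAMPLE_FACTORS = [{"factorType": "push", "provider": "OKTA", "status": "PENDING_ACTIVATION"}]
# GET /api/v1/apps/{appId}/users/{userId}: 404 means the user is not assigned to the app.
SAMPLE_APP_USER_HTTP_STATUS = 404
# GET /api/v1/zones: zone ID "nzo_corp" is hypothetical; the IP ranges are documentation ranges.
SAMPLE_ZONES = [
    {"id": "nzo_corp", "name": "Corporate", "status": "ACTIVE", "type": "IP",
     "gateways": [{"type": "CIDR", "value": "203.0.113.0/24"},
                  {"type": "RANGE", "value": "198.51.100.10-198.51.100.20"}]},
]
# Zone IDs from the enrollment policy rule's network condition (rule.conditions.network.include).
SAMPLE_RULE_ZONE_IDS = ["nzo_corp"]


def is_rdp_403(log_text: str) -> bool:
    """True when the log shows the Credential Provider's state-token request failing with 403."""
    return "(403) Forbidden" in log_text and "GetStateTokenUsingJwt" in log_text


def ip_in_zone(ip: str, zone: dict) -> bool:
    """Check an address against a zone's CIDR and RANGE gateways."""
    addr = ipaddress.ip_address(ip)
    for gw in zone.get("gateways") or []:
        if gw["type"] == "CIDR":
            if addr in ipaddress.ip_network(gw["value"], strict=False):
                return True
        elif gw["type"] == "RANGE":
            low, high = (ipaddress.ip_address(p.strip()) for p in gw["value"].split("-"))
            # Skip ranges of the other IP version instead of raising on comparison.
            if low.version == addr.version and low <= addr <= high:
                return True
    return False


def zones_containing(ip: str, zones: list) -> list:
    """IDs of ACTIVE zones whose gateways contain the address."""
    return [z["id"] for z in zones if z.get("status") == "ACTIVE" and ip_in_zone(ip, z)]


def diagnose(log_text, factors, app_user_http_status, server_ip, zones, rule_zone_ids) -> list:
    """Map the 403 onto the three causes documented for the RDP Credential Provider."""
    causes = []
    if not is_rdp_403(log_text):
        return causes  # some other failure; these checks do not apply
    # Cause 1: no enrolled (ACTIVE) factor to challenge.
    if not any(f.get("status") == "ACTIVE" for f in factors):
        causes.append("no active MFA factor enrolled")
    # Cause 2: the server's egress IP is outside every zone the enrollment rule includes.
    if rule_zone_ids and not set(zones_containing(server_ip, zones)) & set(rule_zone_ids):
        causes.append(f"server IP {server_ip} is outside the enrollment policy rule's network zones")
    # Cause 3: the user is not assigned to the RDP app.
    if app_user_http_status == 404:
        causes.append("user is not assigned to the RDP app")
    return causes


if __name__ == "__main__":
    for cause in diagnose(SAMPLE_LOG, SAMPLE_FACTORS, SAMPLE_APP_USER_HTTP_STATUS,
                          "192.0.2.253", SAMPLE_ZONES, SAMPLE_RULE_ZONE_IDS):
        print("likely cause:", cause)
```

With the sample data all three causes fire, which is the realistic case for a brand-new user on a server whose egress address was never added to a zone. Swapping in the real API responses and the client IP from the System Log event turns this into a repeatable first pass before opening the Admin Console.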

 
