When users attempt to enroll in Okta Verify for Windows, they get one of the following error messages:
- The sign-in URL is not secure
- Generic enrollment error
Event Viewer will show similar errors, such as:
- Extensions.WriteException: An error occurred when getting the organization status. Exception: An error occurred while sending the request.: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.: The remote certificate is invalid according to the validation procedure.
- [CertificatePinningValidator.ValidateConnection]: Certificate domain .oktapreview.com/.okta.com did not match pinned keys/certs, validation failed.
Applies To
- Okta Identity Engine (OIE)
- Okta Verify Desktop
- Multi-Factor Authentication (MFA)
The errors are caused by the following issues:
- For security reasons, Okta does not allow inspection or modification of traffic between Okta Verify and its endpoints.
- Zscaler, Netskope, or other desktop or network components (proxies) may be set to inspect SSL Certificates.
- FastPass is phishing-resistant, so it will not work properly if a man-in-the-middle (for example, products like Zscaler, Netskope, etc.) inspects the TLS traffic.
Solution 1
In an SSL proxy environment:
1. Exclude the organization's default Okta domains from inspection. Usually, Okta domains are *.okta.com or *.oktapreview.com. For a complete list of Okta domains, see Allow access to Okta IP addresses.
2. Turn off Zscaler or Netskope on one or more workstations, or bypass the network proxy. If that resolves the issue, change the policy to prevent, or account for, SSL inspection for *.okta.com (production tenants) / *.oktapreview.com (sandbox tenants), or for the custom domain if one is used.
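To confirm whether an inspecting proxy is sitting between a workstation and Okta before changing policy, the following PowerShell script (an added diagnostic, not part of this article or of Okta's own tooling) connects to the tenant's Okta domain and prints the certificate chain the client actually receives; $OktaHost is an assumed placeholder to replace with the tenant's real domain. A leaf certificate issued by the proxy's CA rather than a public CA means Okta Verify's pinning check cannot pass until the domain is excluded from inspection.

```powershell
# Constructed diagnostic: run on the affected Windows workstation.
# $OktaHost is an assumption; use the org's *.okta.com, *.oktapreview.com or custom domain.
$OktaHost = "example.okta.com"

$client = New-Object System.Net.Sockets.TcpClient
$client.Connect($OktaHost, 443)

# Accept any certificate for this probe only, so the chain can be read even when
# normal validation (and Okta Verify's pinning) would reject it.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($OktaHost)

# Convert the presented certificate and build the chain as Windows sees it.
$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null  = $chain.Build($leaf)

Write-Host "Host        : $OktaHost"
Write-Host "Leaf subject: $($leaf.Subject)"
Write-Host "Leaf issuer : $($leaf.Issuer)"
Write-Host "Chain (leaf to root):"
foreach ($element in $chain.ChainElements) {
    Write-Host ("  " + $element.Certificate.Subject)
}

# Heuristic: issuer names belonging to the inspection products named in this article.
# Any match means the proxy is re-signing Okta traffic and the domain must be bypassed.
$inspectionIndicators = @("Zscaler", "Netskope")
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$match = $inspectionIndicators | Where-Object {
    $leaf.Issuer -like "*$_*" -or $root.Subject -like "*$_*"
}
if ($match) {
    Write-Warning "TLS traffic to $OktaHost is being inspected (issuer: $($leaf.Issuer)). Exclude the domain from inspection."
} else {
    Write-Host "No known inspection CA in the chain; compare the issuer above with what a non-proxied client receives."
}

$ssl.Dispose()
$client.Close()
```

Run it once with the proxy agent active and once with it turned off (step 2 above); a leaf issuer that changes between the two runs is the inspecting component.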
Solution 2
Disable the browser proxy.
For example, in the Microsoft Edge browser, which uses the system's proxy settings: open the Windows proxy settings from within Edge by navigating to Settings > System and Performance > Open your computer's proxy settings. Then, under Manual proxy setup, toggle Use a proxy server to Off and click Save.
