Okta Classic Engine | Multi-Factor Authentication | Answered | 2024-04-30 | 2018-02-12 | 2018-08-12
MFA for RDP Sessions -- Can this feature be used for only few servers in the domain ? Any known Issues so far ?
Hello,

I am trying to implement "Microsoft RDP (MFA) app / OKTA Windows Credential Provider Agent" in our domain and had the below questions on it.

I would really appreciate it if anyone can help me by answering these questions.

Our prod server has around 10 remote servers and 1 of these servers is the Critical Server. (Example: Server 1 - Server 9 = Normal Servers, Server 10 = Critical Server that needs MFA.)

We want to use Microsoft RDP (MFA) app / OKTA Windows Credential Provider Agent to secure this 1 of 10 servers in the domain by enforcing that people provide MFA during their logins.

Example: User "Pete" has access to all 10 servers in the same domain.

Use Case 1: Pete tries to log in to server 1 to server 9 -- NO MFA required.

Use Case 2: Pete Kumar tries to log in to server 10 -- Okta should prompt for MFA.

Note: All 10 servers are on the same domain.

Is this scenario possible via "Microsoft RDP (MFA) app / OKTA Windows Credential Provider Agent"?

Also, are there any known limitations / issues found so far with this app?

Please let me know.

  • Thank you for contacting Okta Support.

    Your scenario is achievable; the only thing that you have to do is to install the OKTA Windows Credential Provider Agent only on the critical server, the one that needs MFA. You can find the proper way to do so here: https://help.okta.com/en/prod/Content/Topics/Security/proc-mfa-win-creds-rdp.htm

    Regarding known issues, there aren't any, and the only limitation that I have found would be that the Sign On policy that governs the RDP MFA is the RDP MFA app Sign On policy, not the tenant-level one.

    Thank you,

    Paul Auer

    Technical Support Engineer | Okta

    Selected as Best
  • j5v7c (j5v7c)

    Hello,

    Thanks for posting your inquiry in the Okta Community Portal.

    If you receive a great answer to your question(s), please help readers find it by marking it the best answer. Hover over the answer and click "Best Answer."

    Thank you,

    Dylann Fezeu

    Okta Help Center Team
  • AnilA.94109 (Customer)

    Hello,

    After working on implementing this feature, I found the below:

    Hope this helps the community to know about these points in advance if they are planning to implement this feature.

    1) MFA for RDP app works perfectly when the policies are configured right.

    2) App username in Okta should exactly match the Windows login username, else the system won't allow the login.

       Example: If the app username is "user1@domain.com" and you are trying to log in to Windows with "user1", the login won't be successful, so it has to be configured accordingly.

    3) There is no backup mode for this setup. You would lose access to the machine if any of the below happens:

       a) Client deployed on the virtual machine gets corrupted.

       b) Configured Okta env is not accessible from the client.

       c) Someone accidentally deletes the MFA app in Okta.

       etc.

       In all the above cases we would lose access to the machine permanently and would have to format the machine to get hold of it.

    4) "Okta Windows Credential Provider" can be uninstalled from the machine by any Windows administrator; no specific admin can be mentioned for this app. (It would be nice to have this control like it works for antivirus apps etc., where only the app admin can uninstall, not the Windows admin.)

    5) There is no way to know the agent health from the Okta console.

    6) The agent has to be manually installed/configured on all the machines, or some external tool has to be used if you have too many machines and want to automate it.

    Hope that helps.

    Regards,

    Anil Ag
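The inventory check below is an added example written for this thread; it is not Okta's code and is not part of the support answer or of the post above. It follows up on two points raised here: the accepted answer's advice to install the credential provider only on the critical server, and points 5 and 6 of the post above (no agent health view in the Okta console, and manual installation on every machine). The script asks each server over WinRM whether an Okta credential provider is both listed as an installed program and registered with Windows as a credential provider, then compares that against the set of servers that are supposed to enforce MFA. Assumptions: WinRM is enabled and you have local admin rights on the targets; the server names are constructed; and the `*Okta*Credential Provider*` DisplayName pattern and the `*Okta*` provider-name pattern are assumptions, not values taken from Okta documentation.

```powershell
# Added example (not Okta's code, not from the thread above).
# Assumptions: WinRM enabled on targets, admin rights; name patterns below are assumed.

$Servers            = @('SERVER1', 'SERVER2', 'SERVER10')   # constructed sample names
$ExpectedMfaServers = @('SERVER10')                         # the one critical server

$Probe = {
    # Installed-program entries live under the Uninstall keys (64-bit and 32-bit views).
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $installed = foreach ($root in $uninstallRoots) {
        if (Test-Path $root) {
            Get-ChildItem $root | ForEach-Object { Get-ItemProperty $_.PSPath } |
                Where-Object { $_.DisplayName -like '*Okta*Credential Provider*' }   # assumed pattern
        }
    }

    # Every credential provider Windows will load is a CLSID subkey here; the
    # subkey's default value is the provider's display name.
    $cpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    $registered = Get-ChildItem $cpRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $name = (Get-ItemProperty $_.PSPath).'(default)'
        if ($name -like '*Okta*') { $name }                                          # assumed pattern
    }

    [pscustomobject]@{
        Server     = $env:COMPUTERNAME
        Installed  = [bool]$installed
        Version    = ($installed | Select-Object -First 1).DisplayVersion
        Registered = [bool]$registered
    }
}

# Unreachable hosts produce an error but do not stop the sweep.
$results = Invoke-Command -ComputerName $Servers -ScriptBlock $Probe -ErrorAction Continue

foreach ($r in $results) {
    $shouldHave = $ExpectedMfaServers -contains $r.Server
    $status = switch ($true) {
        ($shouldHave -and $r.Installed -and $r.Registered) { 'OK: MFA agent present as expected'; break }
        ($shouldHave)                                     { 'ALERT: critical server has no working agent'; break }
        ($r.Installed -or $r.Registered)                  { 'WARN: agent present on a server outside the MFA set'; break }
        default                                           { 'OK: no agent, none expected' }
    }
    '{0,-10} installed={1,-5} registered={2,-5} version={3,-10} {4}' -f `
        $r.Server, $r.Installed, $r.Registered, $r.Version, $status
}

# Servers that returned nothing could not be probed; flag them rather than assuming they are fine.
$seen = @($results | ForEach-Object { $_.PSComputerName })
foreach ($s in $Servers) {
    if ($seen -notcontains $s) { '{0,-10} UNREACHABLE (WinRM call failed)' -f $s }
}
```

Run it from a management host on a schedule and alert on any ALERT, WARN or UNREACHABLE line: an ALERT on the critical server is the case the post warns about (agent removed by a local admin, or an install that never registered), and a WARN shows an agent that has crept onto a server where it could lock people out without delivering the intended control.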
This question is closed.