Okta Classic Engine | Administration | Answered | 2021-09-02T16:48:18.000Z | 2018-10-19T04:21:28.000Z | 2018-10-25T06:00:09.000Z

CallumS.26279 (Customer) asked a question.

Server locked out on RDP when WCP has no internet

Good Afternoon,

I have a question regarding the Windows Credential Provider for Okta MFA. After successfully getting the MFA to work for Windows RDP, a thought came to my mind – what happens when the server in question does not have internet access?

As far as I am concerned, the WCP takes control of the winlogon sequence to force users into providing their MFA – which is what we want. However, after further testing, we noticed that if the server is not connected to the internet, the WCP point blank fails on RDP. Which is not good because it basically renders the server inaccessible to users, unless we access the local console. (But that is not always possible, especially with Microsoft Azure)

Are there ways in which to circumvent the WCP, OR provide backup authentication?

Thanks,

Callum


  • matt.maher (Presales - Americas Commercial, Emerging East)

    Hi Callum, local authentication can still occur with or without internet access. You can adjust the Okta MFA Agent config file and set the "InternetFailOpenOption" to "true", and access will be allowed. Here is an example Okta MFA agent config file.

    {
      "Url": "https://orgname.okta.com",
      "ClientId": "xxxxxxxxxxxxxxxxxxxxx",
      "ClientSecret": "xxxxx",
      "FilterCredentialProvider": true,
      "InternetFailOpenOption": true,
      "EnforceTimeoutVersionAgnostic": true,
      "WidgetTimeOutInSeconds": 30,
      "ErrorTimeOutInSeconds": 30,
      "RdpOnly": false
    }

    Selected as Best
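
With "InternetFailOpenOption" set to true, a server that cannot reach Okta lets the logon through, so it is worth knowing which servers carry that setting and whether their config files are well formed. The following is an added example (not part of the answer above and not Okta code) that audits the contents of an agent config file for the fail-open setting, repeated keys and wrongly typed values; the expected types are inferred from the example config in the answer, and the sample input is constructed.

```python
import json

# Value types inferred from the example config in the answer above
# (an assumption, not taken from Okta documentation).
EXPECTED_TYPES = {
    "Url": str, "ClientId": str, "ClientSecret": str,
    "FilterCredentialProvider": bool, "InternetFailOpenOption": bool,
    "EnforceTimeoutVersionAgnostic": bool, "RdpOnly": bool,
    "WidgetTimeOutInSeconds": int, "ErrorTimeOutInSeconds": int,
}

# Constructed sample: a repeated key, a quoted number and fail-open enabled.
SAMPLE = """{
  "Url": "https://orgname.okta.com",
  "InternetFailOpenOption": true,
  "WidgetTimeOutInSeconds": "30",
  "ErrorTimeOutInSeconds": true,
  "ErrorTimeOutInSeconds": 30
}"""

def audit_config(text):
    """Return a sorted list of findings for one agent config file's contents."""
    findings = []

    def collect(pairs):
        # json silently keeps the last value of a repeated key; record the repeat.
        seen = {}
        for key, value in pairs:
            if key in seen:
                findings.append(f"duplicate key: {key}")
            seen[key] = value
        return seen

    try:
        cfg = json.loads(text, object_pairs_hook=collect)
    except json.JSONDecodeError as exc:
        # Typographic quotes pasted from a web page end up here.
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(cfg, dict):
        return ["not valid config: top level is not an object"]
    for key, expected in EXPECTED_TYPES.items():
        # Exact type match: bool is a subclass of int, so isinstance is too lax.
        if key in cfg and type(cfg[key]) is not expected:
            findings.append(f"wrong type: {key} should be {expected.__name__}")
    if cfg.get("InternetFailOpenOption") is True:
        findings.append("fail-open: logon is allowed when Okta is unreachable")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit_config(SAMPLE)))
```
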
  • mike.davie1.5312945692819849E12 (Customer First Programs)

    Hello Callum,

    Thanks for posting your inquiry in Okta Community Portal.

    If you receive a great answer to your question(s), please help readers find it by marking it the best answer. Hover over the answer and click "Best Answer."

    Thank you,

    Mike Davie

    Okta Help Center

  • CallumS.26279 (Customer)

    Hello Matt,

    Worked like a charm - thank you very much!

    Definitely marking this as a best answer.

    Regards,

    Callum

This question is closed.