
JacobR.86755 (Customer) asked a question.
I am trying to set up Microsoft RDP (MFA) for a Microsoft 2012 R2 server but every time I try to log in, I see the following in the Okta logs:
[4/15/2019 3:13:54 PM TestRDO]-InvalidOperationException thrown System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)
at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
--- End of inner exception stack trace ---

Hello,
George here with Okta's Customer Support Team, thank you for reaching out to us.
In these cases, what you can try is:
Verify that the username is matching on both the RDP app instance in Okta and On Prem
Please reconfigure the RDP application, as per the: https://help.okta.com/en/prod/Content/Topics/Security/proc-mfa-win-creds-rdp.html
Also make sure that, for the Okta OpenID application you have created, the assigned username is the RDP Application login username, and that users are enrolled in MFA prior to using it.
The only extra step I had to take on our 2012R2 server was to add the SchUseStrongCrypto entry in the registry to enable TLS 1.2 in .Net. It's covered under the "Enable TLS 1.2 on .NET" link in this article: https://help.okta.com/en/prod/Content/Topics/Miscellaneous/okta-ends-browser-support-for-TLS-1.1.htm
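The SchUseStrongCrypto registry step mentioned above, as an added example (not the poster's or Okta's own script): it checks and sets the value under both the 64-bit and the Wow6432Node .NET 4.x keys and is idempotent, so it can be run from an elevated PowerShell session on the 2012 R2 host before restarting the agent. It assumes .NET 4.x (the v4.0.30319 subkey); the service name is not known from the thread, so the restart is left to the reader.

```powershell
# Added example: enable TLS 1.2 for .NET 4.x clients (such as the Okta RDP MFA agent)
# by setting SchUseStrongCrypto = 1. Without it, an older .NET 4.x client may only offer
# SSL3/TLS 1.0, and a TLS 1.2-only endpoint fails with "do not possess a common algorithm".
# Assumptions: .NET 4.x (subkey v4.0.30319), run as Administrator on the server itself.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',              # 64-bit .NET processes
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'   # 32-bit .NET processes
)

function Get-StrongCryptoState {
    param([string]$Path)
    # Returns $null if the key is missing, 0 if the value is absent (.NET default), else the value.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.SchUseStrongCrypto
}

foreach ($key in $keys) {
    $before = Get-StrongCryptoState -Path $key
    if ($null -eq $before) {
        Write-Warning "Key not present (no .NET 4.x of that bitness?), skipping: $key"
        continue
    }
    if ($before -eq 1) {
        Write-Host "Already enabled: $key"
        continue
    }
    # Create the DWORD, or overwrite a 0, without touching the other values under the key.
    New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -PropertyType DWord -Value 1 -Force | Out-Null
    $after = Get-StrongCryptoState -Path $key
    Write-Host ("{0}: SchUseStrongCrypto {1} -> {2}" -f $key, $before, $after)
}

# The key is read at process start: restart the agent service (and open a new shell)
# before re-testing. From a fresh session this shows the protocols .NET will offer.
[Net.ServicePointManager]::SecurityProtocol
```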