Okta MFA Credential Provider for Windows

Okta MFA Credential Provider for Windows enables strong authentication using MFA with Remote Desktop Protocol (RDP) clients. Using Okta MFA Credential Provider for Windows, RDP clients (Windows workstations and servers) are prompted for MFA when accessing supported domain-joined Windows machines and servers.

Before you begin

Requirements for installing the Okta MFA Credential Provider for Windows:

  • Proxy configuration: The Okta MFA Credential Provider for Windows doesn't support a discrete proxy configuration. It does obey proxy configurations at the system level.
  • The Windows machine used for installation must have an active internet connection with port 443 open.
  • The installing account must have administrative rights to install the Okta MFA Credential Provider for Windows agent, Visual C++ Redistributable, and .NET 4.0+.
  • Inline enrollment is not supported. End users can't enroll a factor during an RDP sign-in. End users must enroll their MFA authenticators before attempting to use RDP to sign in to a Windows server. Otherwise, sign-in attempts using RDP result in an authentication failed response from Okta.

Limitations

Please note the following limitations:

  • TLS 1.2 is required.
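
An added pre-install check for the requirements and the TLS 1.2 limitation above (example code, not part of Okta's documentation or tooling): it tests administrative rights, .NET 4.0+, and a direct TLS 1.2 handshake on port 443. The hostname `your-org.example.com` is a placeholder for your Okta org, and the connection test is made directly, not through a system proxy.

```powershell
# Added example: pre-install checks for the requirements listed above.
# $OrgHost is a placeholder; pass your own Okta org hostname.
param([string]$OrgHost = 'your-org.example.com')

$results = [ordered]@{}

# Requirement: the installing account must have administrative rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$results['Running as administrator'] =
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Requirement: .NET 4.0+ (the v4\Full key has Install = 1 for 4.0 and later).
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
    -ErrorAction SilentlyContinue
$results['.NET Framework 4.0+ installed'] = [bool]($ndp -and $ndp.Install -eq 1)

# Requirement and limitation: port 443 open and TLS 1.2 available.
# The handshake is restricted to TLS 1.2, so it fails if the protocol is
# disabled on this machine. Certificate validation stays on; revocation
# checking is off so an unreachable CRL doesn't produce a false failure.
$tls12Ok = $false
$client  = New-Object Net.Sockets.TcpClient
try {
    $client.Connect($OrgHost, 443)
    $ssl = New-Object Net.Security.SslStream($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($OrgHost, $null,
        [Security.Authentication.SslProtocols]::Tls12, $false)
    $tls12Ok = ($ssl.SslProtocol -eq [Security.Authentication.SslProtocols]::Tls12)
    $ssl.Dispose()
} catch {
    # Expected when outbound traffic is only allowed through a proxy.
    Write-Warning "Direct TLS 1.2 handshake to ${OrgHost}:443 failed: $($_.Exception.Message)"
} finally {
    $client.Close()
}
$results['Direct TLS 1.2 on port 443'] = $tls12Ok

# Print one line per check, then the machine-wide WinHTTP proxy for reference.
$results.GetEnumerator() | ForEach-Object { '{0,-32} {1}' -f $_.Key, $_.Value }
netsh winhttp show proxy
```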

Supported Operating Systems

The Okta MFA Credential Provider for Windows agent can be installed on the following:

  • Windows Server 2022 (version 1.3.0 and above of the agent)
  • Windows Server 2019 (version 1.3.0 and above of the agent)
  • Windows Server 2016
  • Windows Server 2012
  • Windows Server 2012 R2

Supported factors

See MFA factor configuration for a list of supported MFA factors. FIDO2 (WebAuthn) is not supported on Okta MFA Credential Provider for Windows.

Typical workflow

Tasks and their descriptions:

  • Download the agent: Download the Okta MFA Credential Provider for Windows Agent from the Settings > Downloads page in your Okta org. The agent is found in the MFA Plugins and Agents section. Download the agent to the machine that you want to install it onto.
  • Configure Okta org: Before installing the agent, your org must have:
      • Configured the required MFA factors
      • Configured an optional group that contains the users allowed to access the Windows Server using RDP
      • Added and configured the Microsoft RDP (MFA) app
  • Assign users: All users who sign in to any machines that have Okta MFA Credential Provider for Windows installed must be assigned to the Microsoft RDP (MFA) app.
  • Install the agent: Okta MFA Credential Provider for Windows supports standard and silent install. Install the agent as described.
  • Test and verify: Complete the installation by verifying the end-user sign-in process.
  • Configure a system proxy account: Optional. Configure a proxy server.
  • Troubleshoot: If required, troubleshoot the agent.