Troubleshoot

Troubleshooting

  1. If you see the MFA Bypass screen shown below when signing in, verify in Okta that the user is included in an MFA policy.

    MFA Bypass screen

    Note: An App Sign-On Policy is the only policy that applies to the Microsoft RDP app, so check that policy rather than other MFA policies.

  2. If you see the Display Failed screen shown below when signing in, verify the following:

    • The client ID, the client secret, and the Okta URL are configured correctly.
    • The username entered at the Windows sign-in matches the username in Okta.

  3. If you cannot RDP into a server, verify that it is set up to accept remote connections in the System Properties screen, as shown below.

    System Properties screen

  4. If you see a System.Net.WebException similar to the following when signing in:
    System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send.
    . . .
    System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
    . . .
    System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host.
    The cause is that the client negotiates an older TLS version; the required version is TLS 1.2. The script below enables TLS 1.2 for .NET Framework, WinHTTP and WinINET by setting the registry values documented in the linked Microsoft articles. Open a 64-bit Windows PowerShell terminal as administrator (not a 32-bit PowerShell, where HKLM:\SOFTWARE is redirected to Wow6432Node, and not PowerShell 7, whose [environment]::Version is not the .NET Framework CLR version), execute the following script, and then reboot so that the logon process picks up the new values:
    $is64bit = [IntPtr]::Size * 8 -eq 64
    Write-Host "Is 64-bit PowerShell process: $is64bit"

    # Helper: returns $true when the TLS 1.2 bit (0x800) is NOT set in a SecureProtocols-style value
    function isTls12BitMissing([Int] $regValue) {
        return ($regValue -band 0x800) -ne 0x800
    }

    # Create the registry key if it does not exist yet (e.g. the WinHttp key is absent on a fresh install)
    function ensureRegKey([string] $regBranch) {
        if (-not (Test-Path -Path $regBranch)) {
            New-Item -Path $regBranch -Force | Out-Null
            Write-Host "Created $regBranch"
        }
    }

    # OR the TLS 1.2 bit into a SecureProtocols-style DWORD, preserving any other protocol bits already enabled
    function setRegKeyToBitValue([string] $regBranch, [string] $regKey) {
        ensureRegKey $regBranch
        $current = Get-ItemProperty -Path $regBranch
        $regValue = $current.$regKey
        if ($null -eq $regValue -or (isTls12BitMissing $regValue)) {
            if ($null -eq $regValue) {
                $regValue = 0x800
            } else {
                $regValue = $regValue -bor 0x800
            }
            New-ItemProperty $regBranch -Name $regKey -PropertyType DWord -Value $regValue -ErrorAction Stop -Force | Out-Null
            Write-Host "Updated $regBranch\$regKey value to $regValue"
            return $true
        }
        Write-Host "$regBranch\$regKey value is $regValue. No change."
        return $false
    }

    # Set a DWORD flag to 1 (used for the .NET Framework strong-crypto switches)
    function setRegKeyToValueOfOne([string] $regBranch, [string] $regKey) {
        ensureRegKey $regBranch
        $current = Get-ItemProperty -Path $regBranch
        if ($current.$regKey -ne 1) {
            New-ItemProperty $regBranch -Name $regKey -PropertyType DWord -Value 1 -ErrorAction Stop -Force | Out-Null
            Write-Host "Updated $regBranch\$regKey value to 1"
            return $true
        }
        Write-Host "$regBranch\$regKey value is 1. No change."
        return $false
    }

    # Set up the .NET Framework TLS settings (64-bit branch and, on a 64-bit machine, the 32-bit Wow6432Node branch)
    # https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
    function setupTls4NET([boolean]$is64bit, [string]$regBranch, [string]$reg32bitBranch) {
        $updated = setRegKeyToValueOfOne $regBranch "SchUseStrongCrypto"
        $updated = (setRegKeyToValueOfOne $regBranch "SystemDefaultTlsVersions") -or $updated

        if ($is64bit) {
            $updated = (setRegKeyToValueOfOne $reg32bitBranch "SchUseStrongCrypto") -or $updated
            $updated = (setRegKeyToValueOfOne $reg32bitBranch "SystemDefaultTlsVersions") -or $updated
        }

        return $updated
    }

    # https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed
    $version = Get-ItemProperty -Path "HKLM:\Software\Microsoft\NET Framework Setup\NDP\v4\Full" -Name Release
    # 394254 - .NET Framework 4.6.1, which is the current target of the installer
    if ($version.Release -ge 394254) {
        # In Windows PowerShell this is the CLR version (4.0.30319), which names the .NET Framework 4.x registry branch
        $ev = [environment]::Version
        $v = "v" + $ev.Major + "." + $ev.Minor + "." + $ev.Build
        $updated = setupTls4NET $is64bit "HKLM:\SOFTWARE\Microsoft\.NETFramework\$v" "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\$v"

        # WinHTTP and WinINET default protocols (0x800 = TLS 1.2)
        # https://support.microsoft.com/en-ca/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in
        $updated = (setRegKeyToBitValue "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" "DefaultSecureProtocols") -or $updated
        $updated = (setRegKeyToBitValue "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" "SecureProtocols") -or $updated

        # Update the 32-bit branches if we are on a 64-bit machine
        if ($is64bit) {
            $updated = (setRegKeyToBitValue "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" "DefaultSecureProtocols") -or $updated
            $updated = (setRegKeyToBitValue "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings" "SecureProtocols") -or $updated
        }

        # Current user settings
        $updated = (setRegKeyToBitValue "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" "SecureProtocols") -or $updated

        # Local System account (the logon process runs as SYSTEM, whose per-user settings live under the .DEFAULT hive)
        $userSid = ".DEFAULT"
        $updated = (setRegKeyToBitValue "Registry::HKEY_USERS\$userSid\Software\Microsoft\Windows\CurrentVersion\Internet Settings" "SecureProtocols") -or $updated

        if ($updated) {
            Write-Host "Done. Updated required settings."
        } else {
            Write-Host "Done. No updates are required."
        }
    } else {
        Write-Host "No changes were made. Your version of .NET Framework is earlier than 4.6.1; please upgrade."
    }
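    As an added, read-only check (not part of the original Okta page or of the Okta installer), the following Windows PowerShell script verifies the server-side prerequisites from steps 3 and 4 without changing anything: that Remote Desktop is enabled (the fDenyTSConnections value and the "Remote Desktop" firewall rule group that the System Properties checkbox toggles), that the TLS 1.2 registry values set by the script in step 4 are present, and that a live TLS handshake with your Okta org actually negotiates TLS 1.2 or newer. The hostname example.okta.com is a placeholder assumption; replace it with the Okta URL configured for the credential provider.

```powershell
# Added read-only check (not from the Okta page): confirms RDP is enabled, the TLS 1.2 registry
# values are in place, and a live handshake with the Okta org negotiates TLS 1.2 or newer.
param(
    # Placeholder hostname (assumption): replace with the Okta URL configured for the credential provider
    [string] $OktaHost = "example.okta.com"
)

$results = @()

# Step 3: the "Allow remote connections to this computer" checkbox clears fDenyTSConnections
# and enables the "Remote Desktop" firewall rule group.
$ts = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name fDenyTSConnections -ErrorAction SilentlyContinue
$rdpEnabled = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 0)
$results += [pscustomobject]@{ Check = "RDP enabled (fDenyTSConnections = 0)"; Pass = $rdpEnabled }

$fwRules = Get-NetFirewallRule -DisplayGroup "Remote Desktop" -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' }
$results += [pscustomobject]@{ Check = "Remote Desktop firewall rule group enabled"; Pass = ($null -ne $fwRules) }

# Step 4: the values the fix script sets. 0x800 is the TLS 1.2 bit in SecureProtocols-style DWORDs;
# v4.0.30319 is the registry branch for every .NET Framework 4.x runtime.
$tlsChecks = @(
    @{ Path = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"; Name = "SchUseStrongCrypto";       Mode = "Equals1" },
    @{ Path = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"; Name = "SystemDefaultTlsVersions"; Mode = "Equals1" },
    @{ Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"; Name = "DefaultSecureProtocols"; Mode = "Bit0x800" },
    @{ Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings";         Name = "SecureProtocols";        Mode = "Bit0x800" },
    @{ Path = "Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings"; Name = "SecureProtocols"; Mode = "Bit0x800" }
)
foreach ($c in $tlsChecks) {
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.($c.Name) } else { $null }
    $pass  = switch ($c.Mode) {
        "Equals1"  { $value -eq 1 }
        "Bit0x800" { ($null -ne $value) -and (($value -band 0x800) -eq 0x800) }
    }
    $results += [pscustomobject]@{ Check = "$($c.Path)\$($c.Name) = $value"; Pass = $pass }
}

# Live handshake: open a TCP connection to the org and record which TLS version SChannel negotiates.
# A client that cannot speak TLS 1.2 fails here with the same "forcibly closed" error the credential provider reports.
$handshakeOk = $false
$negotiated  = "handshake failed"
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($OktaHost, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($OktaHost)
    $negotiated  = $ssl.SslProtocol
    $handshakeOk = [int]$negotiated -ge [int][System.Security.Authentication.SslProtocols]::Tls12
    $ssl.Dispose()
    $tcp.Close()
} catch {
    $negotiated = "handshake failed: $($_.Exception.Message)"
}
$results += [pscustomobject]@{ Check = "TLS handshake with $OktaHost negotiated $negotiated"; Pass = $handshakeOk }

$results | Format-Table -AutoSize
# Non-zero exit code if any prerequisite is missing, so the script can be used from remote management tooling
if ($results.Pass -contains $false) { exit 1 }
```

    Run it in an elevated 64-bit Windows PowerShell on the RDP server after applying the step 4 script and rebooting; a failed handshake row with the "forcibly closed" message means the server still cannot negotiate TLS 1.2 with Okta, while a passing handshake next to failing registry rows means the .NET Framework or WinHTTP stack used by the credential provider may still be on defaults even though PowerShell itself succeeded.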