MFA for Windows Credential Provider

The Okta Credential Provider for Windows adds a strong authentication step, using MFA, to Remote Desktop Protocol (RDP) sign-ins. When it is installed on a supported domain-joined Windows machine or server, users connecting to that machine from an RDP client (a Windows workstation or server) are prompted for MFA as part of the sign-in.

Before you begin

Requirements for installing the Okta Credential Provider for Windows:

  • Proxy configuration: the Okta Credential Provider for Windows has no proxy setting of its own, but it honors the system-level proxy configuration. For managing proxies on Windows machines, refer to docs.microsoft.com.
  • The Windows machine used for installation must have an active internet connection and be able to reach Okta on outbound TCP port 443 (HTTPS).
  • The installing account must have administrative rights to install the Okta Windows Credential Provider agent, the Visual C++ Redistributable and .NET 4.0 or later.
  • Inline enrollment is not supported. End users cannot enroll an authenticator during an RDP sign-in; they must have enrolled their MFA authenticators beforehand. A user without an enrolled authenticator receives an authentication failed response from Okta when attempting to sign in to a Windows server over RDP.

Limitations

Note the following limitations:

  • Enroll only a single Okta Verify device per user. Enrolling a second or subsequent Okta Verify device may cause undefined or unexpected behavior.
  • In password policy rules, if Any enrolled authenticator used for MFA/SSO is selected under Additional verification, password sign-in over RDP is disabled and no longer functions.
  • TLS 1.2 is required. For information on enabling TLS 1.2 in .NET and in Microsoft Internet Explorer, see Okta ends browser support for TLS 1.1.

Supported OS

The Okta Credential Provider for Windows agent can be installed on the following:

  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019 (agent v1.3.0 and later)
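The prerequisites above (administrative rights, .NET 4.0 or later, outbound port 443, a system-level proxy, TLS 1.2, and a supported server OS) are easy to check before running the installer. The script below is an added example, not Okta's code or the page's own procedure: it runs in an elevated PowerShell session on the machine that will receive the agent and reports each requirement. The hostname in $OktaOrgHost is an assumed placeholder; the .NET registry values it inspects are Microsoft's documented settings for making .NET 4.x use TLS 1.2, and the check of the Local System proxy assumes, as a design choice of this example, that the logon UI hosting the credential provider runs as Local System.

```powershell
# Added example (not Okta's code): pre-install readiness check for the Okta
# Credential Provider for Windows. Run it in an elevated PowerShell session on
# the machine that will get the agent. $OktaOrgHost is an assumed placeholder.
$OktaOrgHost = 'example.okta.com'   # assumption: your org's hostname

$r = [ordered]@{}

# Supported OS: Windows Server 2012, 2012 R2, 2016, 2019 (2019 needs agent v1.3.0+).
$os = Get-CimInstance Win32_OperatingSystem
$r['OS']       = $os.Caption
$r['IsServer'] = $os.ProductType -ne 1        # 1 = workstation, 2 = DC, 3 = member server
$r['OSBuild']  = $os.BuildNumber              # 9200/9600/14393/17763 = 2012/2012 R2/2016/2019

# The installing account must be an administrator.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$r['IsAdmin'] = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# .NET Framework 4.0 or later: the v4\Full key exists on 4.0+, Release only on 4.5+.
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$r['DotNet4']        = Test-Path $ndp
$r['DotNet4Release'] = (Get-ItemProperty $ndp -ErrorAction SilentlyContinue).Release

# Outbound TCP 443 to the org (the agent talks to Okta over HTTPS).
$tnc = Test-NetConnection -ComputerName $OktaOrgHost -Port 443 -WarningAction SilentlyContinue
$r['Port443Open'] = $tnc.TcpTestSucceeded

# The agent has no proxy setting of its own; it follows the system proxy. This
# example assumes the logon UI hosting the credential provider runs as Local
# System, so it shows the proxy configured for that account, not the current user.
$r['LocalSystemProxy'] = (bitsadmin /util /getieproxy LOCALSYSTEM) -join ' '

# TLS 1.2 in .NET: these DWORDs (Microsoft's documented settings) make .NET 4.x
# clients negotiate the OS default protocols with strong crypto, which matters on
# Windows Server 2012 / 2012 R2 where .NET would otherwise offer TLS 1.0.
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    $p = Get-ItemProperty $k -ErrorAction SilentlyContinue
    $r["SchUseStrongCrypto ($k)"]       = ($p.SchUseStrongCrypto -eq 1)
    $r["SystemDefaultTlsVersions ($k)"] = ($p.SystemDefaultTlsVersions -eq 1)
}

# Prove a TLS 1.2 handshake actually succeeds from this host using the .NET
# stack. This is a direct connection: on a proxy-only network it fails even
# though the agent, which follows the system proxy, may still work.
try {
    $tcp = New-Object Net.Sockets.TcpClient($OktaOrgHost, 443)
    $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($OktaOrgHost, $null,
        [Security.Authentication.SslProtocols]::Tls12, $true)
    $r['Tls12Handshake'] = ($ssl.SslProtocol -eq [Security.Authentication.SslProtocols]::Tls12)
    $ssl.Dispose(); $tcp.Dispose()
} catch {
    $r['Tls12Handshake'] = $false
    $r['Tls12Error']     = $_.Exception.Message
}

[pscustomobject]$r | Format-List

# Exit non-zero when a hard requirement fails, so the check can gate a deployment.
$hard = @($r['IsServer'], $r['IsAdmin'], $r['DotNet4'], $r['Port443Open'], $r['Tls12Handshake'])
if ($hard -contains $false) { exit 1 }
```

The two .NET registry values are checked on both the 64-bit and the WOW6432Node hives because a 32-bit .NET process reads the latter; the live handshake is the check that matters, since a host can have the registry values set and still be blocked by a firewall or an intercepting proxy that only speaks TLS 1.0.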

Supported authenticators

The following MFA authenticators are supported:

  • Email
  • Google Authenticator
  • On-Prem MFA (RSA)
  • Security Question
  • Okta Verify. Okta Verify supports the Send push automatically and Do not challenge for the next X hours options. These options are stored locally in browser cookies: if the browser is configured to clear its cache and cookies when the window closes, they must be set again each time a new browser window is opened or the cache and cookies are cleared.
  • Phone (SMS and Voice call). The Okta Credential Provider for Windows agent supports password reset when configured for SMS or Voice call. See also Self-service account recovery.

Typical workflow

  • Download the agent. Download the Okta Credential Provider for Windows agent from the Settings > Downloads page in your Okta org; it is listed in the MFA Plugins and Agents section. Download the agent on the machine where it will be installed.
  • Configure the Okta org. Before installing the Okta Credential Provider for Windows, your org must have: an authenticator enrollment policy that requires the MFA authenticators you intend to use; optionally, a group containing the users who will access the Windows server over RDP; and the Microsoft RDP (MFA) app added and configured.
  • Assign users. Every user who signs in to any machine that has the Credential Provider installed must be assigned to the Microsoft RDP (MFA) app.
  • Install the agent. The Okta Credential Provider for Windows supports standard and silent installation. Install the agent as described in the installation instructions.
  • Test and verify. Complete the installation by verifying the end-user sign-in process.
  • Configure the system account proxy. Optionally, configure a proxy server for the system account.
  • Troubleshoot. If required, troubleshoot the agent.
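For the Configure the system account proxy step above, the detail that matters is that the credential provider follows the system-level proxy rather than a setting of its own, so on a proxy-only network the proxy has to be set for the account the logon UI runs as, not for the administrator who installed the agent. The script below is an added example and not Okta's documented procedure: it assumes that account is Local System, sets its proxy with bitsadmin, reads the setting back, and then verifies from a process actually running as Local System that the org is reachable through it. The proxy host, port, bypass list and org hostname are assumed placeholders.

```powershell
# Added example (not Okta's documented procedure): set the proxy for the Local
# System account, which this example assumes is the account the logon UI hosting
# the credential provider runs as. The agent follows system-level proxy settings,
# so the proxy must be set for that account. All values below are assumed placeholders.
$OktaOrgHost = 'example.okta.com'          # assumption: your org's hostname
$ProxyServer = 'proxy.corp.example:8080'   # assumption
$BypassList  = '<local>'                   # assumption: don't proxy intranet names

# bitsadmin can write the WinINET proxy settings of the built-in service
# accounts (LOCALSYSTEM, NETWORKSERVICE, LOCALSERVICE). Run from an elevated prompt.
bitsadmin /util /setieproxy LOCALSYSTEM MANUAL_PROXY $ProxyServer $BypassList

# Read the setting back for the same account.
bitsadmin /util /getieproxy LOCALSYSTEM

# Verify from the Local System context itself: a one-shot scheduled task running
# as SYSTEM fetches the org URL with Invoke-WebRequest, which uses the running
# account's system proxy, and writes the result to a file.
$script = 'C:\Windows\Temp\okta-proxy-test.ps1'
$out    = 'C:\Windows\Temp\okta-proxy-test.txt'
@"
try   { (Invoke-WebRequest -UseBasicParsing -Uri 'https://$OktaOrgHost/').StatusCode | Out-File '$out' }
catch { `$_.Exception.Message | Out-File '$out' }
"@ | Set-Content $script

schtasks /Create /F /TN OktaProxyTest /SC ONCE /ST 23:59 /RU SYSTEM `
    /TR "powershell -NoProfile -ExecutionPolicy Bypass -File $script" | Out-Null
schtasks /Run /TN OktaProxyTest | Out-Null
Start-Sleep -Seconds 20

# An HTTP status code, or an HTTP error such as "(404) Not Found", proves the
# proxy path works; a connection or proxy error means Local System cannot reach Okta.
Get-Content $out

schtasks /Delete /F /TN OktaProxyTest | Out-Null
Remove-Item $script, $out -ErrorAction SilentlyContinue

# To remove the proxy again:
#   bitsadmin /util /setieproxy LOCALSYSTEM NO_PROXY
```

Testing from a scheduled task rather than from the administrator's own shell is the point of the second half: an interactive test that succeeds under the installing account says nothing about the account the credential provider runs as, which is where "works in my session, fails at the logon screen" proxy problems come from.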