Okta MFA Credential Provider for Windows

Okta MFA Credential Provider for Windows enables strong authentication using multifactor authentication (MFA) with Remote Desktop Protocol (RDP) clients.

You can prompt users for MFA when they use an RDP client to sign in to domain-joined Windows computers and servers.

Users can't enroll in an authenticator during an RDP sign-in. Advise them to enroll in authenticators before they use RDP to sign in to a Windows server.

Users can only enroll Okta Verify on one device.

Selecting Any enrolled authenticator used for MFA/SSO for Additional verification in a password policy rule disables the RDP password.

The Sign-In Widget (third generation) doesn’t support multifactor authentication for third-party agents.

Before you begin

These are the requirements for installing Okta MFA Credential Provider for Windows:

  • The Okta MFA Credential Provider for Windows doesn't support a discrete proxy configuration. It obeys proxy configurations at the system level.
  • The Windows machine used for installation must have an active internet connection with port 443 open.
  • Verify that TLS version 1.2 is installed.
  • Use an account with administrative rights to install Okta MFA Credential Provider Agent for Windows, Visual C++, and the .NET Framework. See Okta MFA Credential Provider for Windows Version History to find which version of .NET you should use.
  • Configure all MFA authenticators that you want to use for authentication.
  • Configure an authenticator enrollment policy that includes the required MFA authenticators.
  • Configure an optional group that contains the users allowed to access the Windows Server using RDP.
  • Configure the Microsoft RDP (MFA) app.

Supported operating systems

You can install the Okta MFA Credential Provider for Windows agent on the following platforms:

  • Windows Server 2022 (version 1.3.0 and above of the agent)
  • Windows Server 2019 (version 1.3.0 and above of the agent)
  • Windows Server 2016
  • Windows Server 2012
  • Windows Server 2012 R2
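
The prerequisites under Before you begin and the platform list above can be checked on the target server before running the installer. The following PowerShell preflight script is an added example, not Okta's own tooling; `$OrgHost` is a placeholder for your Okta org hostname, and the handshake test assumes a direct connection that doesn't go through a system proxy.

```powershell
# Added example: preflight check for the prerequisites listed on this page.
# $OrgHost is a placeholder; pass your own Okta org hostname.
param([string]$OrgHost = 'your-org.example.com')

$results = [ordered]@{}

# Administrative rights are needed to install the agent, Visual C++ and .NET.
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
$results['Running elevated'] = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# OS caption, to compare by eye against the supported platform list.
$results['Operating system'] = (Get-WmiObject Win32_OperatingSystem).Caption

# Installed .NET Framework 4.x release number (compare with the version history page).
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
    -ErrorAction SilentlyContinue
$results['.NET 4.x release'] = if ($ndp) { $ndp.Release } else { 'not installed' }

# SCHANNEL registry override for the TLS 1.2 client role, if one exists.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$tls = Get-ItemProperty $key -ErrorAction SilentlyContinue
$results['TLS 1.2 client setting'] = if (-not $tls) {
    'OS default (no override key)'
} elseif ($tls.Enabled -eq 0 -or $tls.DisabledByDefault -eq 1) {
    'disabled by registry'
} else {
    'enabled by registry'
}

# Outbound port 443 plus a handshake restricted to TLS 1.2. This connects directly,
# so it fails on a host that reaches the internet only through the system proxy.
try {
    $tcp = New-Object Net.Sockets.TcpClient($OrgHost, 443)
    $ssl = New-Object Net.Security.SslStream($tcp.GetStream())
    $ssl.AuthenticateAsClient($OrgHost, $null,
        [Security.Authentication.SslProtocols]::Tls12, $true)
    $results['TLS 1.2 handshake on 443'] = "ok ($($ssl.SslProtocol))"
} catch {
    $results['TLS 1.2 handshake on 443'] = "failed: $($_.Exception.Message)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    if ($tcp) { $tcp.Close() }
}

[pscustomobject]$results | Format-List
```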

Supported authenticators

See Multifactor authentication for a list of supported authenticators.

Okta MFA Credential Provider for Windows doesn’t support FIDO2 (WebAuthn).

Typical workflow

| Task | Description |
| --- | --- |
| Download the agent | Download the Okta MFA Credential Provider for Windows Agent from the MFA Plugins and Agents section of the Settings > Downloads page in your Okta org. Download the agent to the machine that you want to install it onto. |
| Configure your Okta org | Configure your Okta org before you install the Okta MFA Credential Provider for Windows Agent. |
| Assign users | Assign the Microsoft (MFA) app to all users who sign in to a machine with the Okta MFA Credential Provider for Windows Agent installed. |
| Install the agent | Okta MFA Credential Provider for Windows supports standard and silent installations. |
| Test and verify | Verify the end-user sign-in process. |
| Configure a system proxy account | Optional. Configure a proxy server. |
| Troubleshoot | Troubleshoot the agent. |