Troubleshooting

Incorrect CORS installation

Cause: There was an error sending the request when logging into ADFS.

Solution: Ensure that you have enabled CORS in your Okta org.

Incorrect Farm installation

Cause: During installation you encounter error 1001 PS0033: "cmdlet cannot be executed from a secondary server in a local database farm."

Solution: If you encounter this error, closely follow the instructions in the Farm Installation addendum, especially the steps that discuss WID (Windows Internal Database) and promoting each server to be primary.

Incompatible proxy

Cause: During a sign-in attempt, after MFA, users receive an "Unable to connect" message.

The ADFS plugin can use a proxy to interact with Okta. By default, the ADFS agent uses the WinHTTP proxy setting. Some customers have their proxy configured only in Internet Explorer (IE), and those IE settings are separate from WinHTTP.

Solution: Ensure that the ADFS plugin is using the correct proxy:

  1. Open a command prompt window.
  2. Execute the netsh winhttp show proxy command.
  3. Examine the result of the command, which reports either no proxy (direct access) or the proxy currently configured for WinHTTP, whether set directly or imported from IE.
  4. For customers using IE, specify IE as the proxy source using a command similar to: netsh winhttp import proxy source=ie
  5. Also ensure that https://<yourorg>.okta<preview>.com isn't blocked by company firewalls.
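As an added diagnostic that is not part of the Okta documentation, the following PowerShell script reads the WinHTTP proxy the agent uses, compares it with the IE proxy, and then checks that the Okta org is reachable over TLS through that same WinHTTP proxy. It assumes English netsh output, a single host:port proxy, and that $OktaOrgHost is replaced with your org's hostname (the default is a placeholder).

```powershell
param(
    # Placeholder: replace with your org, e.g. yourorg.okta.com or yourorg.oktapreview.com
    [string]$OktaOrgHost = "yourorg.okta.com"
)

# 1. WinHTTP proxy: the setting the ADFS agent uses by default.
#    Parsing assumes English netsh output and a single host:port value.
$winhttpOut = (netsh winhttp show proxy | Out-String)
$winhttpProxy = $null
if ($winhttpOut -match 'Proxy Server\(s\)\s*:\s*(\S+)') {
    $winhttpProxy = $Matches[1]
} elseif ($winhttpOut -notmatch 'Direct access') {
    Write-Warning "Unrecognized 'netsh winhttp show proxy' output; treating it as direct access."
}

# 2. IE (WinINET) proxy for the current user, read from the registry.
$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie = Get-ItemProperty -Path $ieKey
$ieProxy = if ($ie.ProxyEnable -eq 1) { $ie.ProxyServer } else { $null }

"WinHTTP proxy : $(if ($winhttpProxy) { $winhttpProxy } else { 'none (direct access)' })"
"IE proxy      : $(if ($ieProxy) { $ieProxy } else { 'none (direct access)' })"

if ($ieProxy -and ($winhttpProxy -ne $ieProxy)) {
    Write-Warning "IE and WinHTTP proxy settings differ; the agent follows WinHTTP."
    Write-Warning "To copy the IE setting into WinHTTP: netsh winhttp import proxy source=ie"
}

# 3. Reachability of the Okta org over HTTPS, routed the way the agent routes it.
#    Okta requires TLS 1.2, so force it for older .NET defaults.
#    Any HTTP response, even an error status, proves the org is reachable;
#    a transport failure (DNS, firewall, TLS handshake) means it is not.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
$url = "https://$OktaOrgHost/"
$req = [System.Net.HttpWebRequest]::Create($url)
$req.Timeout = 10000
$req.Proxy = if ($winhttpProxy) { New-Object System.Net.WebProxy("http://$winhttpProxy") } else { $null }
try {
    $resp = $req.GetResponse()
    "Reachable     : $url (HTTP $([int]$resp.StatusCode))"
    $resp.Close()
} catch [System.Net.WebException] {
    if ($_.Exception.Response) {
        "Reachable     : $url (HTTP $([int]$_.Exception.Response.StatusCode))"
    } else {
        Write-Warning "Cannot reach $url via WinHTTP proxy '$winhttpProxy': $($_.Exception.Message)"
    }
}
```

Run it on the ADFS server itself, since the proxy settings and firewall path that matter are the ones seen from that host.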

The following errors occur under both MFA as a service, and OpenID Connect (OIDC). Effectively, these are the same error but differ in how they're reported.

Assigned user is deactivated in Okta

Cause: Error messages when the assigned user is deactivated in Okta:

  • OIDC: Failed to authenticate. Error: access_denied - 'login_hint' did not match a user assigned to the client ADFS app.
  • MFA as Service: General failure: The remote server returned an error: (404) Not Found.

Assigned user is suspended in Okta

Cause: Error messages when the assigned user is suspended in Okta:

  • OIDC: Failed to authenticate. Error: access_denied - 'login_hint' did not match a user assigned to the client ADFS app.
  • MFA as Service: General failure: The remote server returned an error: (401) not authorized.

Same custom name is set to two assigned users

Cause: Error messages when the same custom name is set to two assigned users on the client ADFS app:

  • OIDC: HTTP 500: Internal Server Error.
  • MFA as Service: General failure: The remote server returned an error: (401) Unauthorized.

Deny App Sign-on Policy

Cause: Error messages when there's a Deny App Sign-on policy:

  • OIDC: Failed to authenticate. Error: access_denied - The MFA attestation request was denied by policy.
  • MFA as Service: General failure: The remote server returned an error: (403) Forbidden.