Troubleshooting

Incorrect CORS installation

Cause: There was an error sending the request when logging into ADFS.

Solution: Ensure you have enabled CORS in your Okta org.

Incorrect Farm installation

Cause: During installation you encounter error 1001 PS0033 “cmdlet cannot be executed from a secondary server in a local database farm.”

Solution: If you encounter this error, closely follow the instructions in the Farm Installation addendum, especially the steps that discuss WID (Windows Internal Database) and promoting each server to be primary.

Incompatible proxy

Cause: During login, after MFA, users receive an “unable to connect” message.

The ADFS plugin can use a proxy to interact with Okta. By default the ADFS agent uses the WinHTTP proxy, but some customers use the IE proxy instead.

Solution: Ensure that the ADFS plugin is using the correct proxy:

  1. Open a command prompt window.
  2. Execute the netsh winhttp show proxy command.
  3. Examine the result of the command, which will be one of: no proxy, winhttp or ie.
  4. For customers using IE, specify IE as the proxy source using a command similar to: netsh winhttp import proxy source=ie
  5. Also ensure that https://<yourorg>.okta<preview>.com is not blocked by company firewalls.
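The checks above, as an added PowerShell helper that is not part of the Okta ADFS agent or its documentation: it reads the WinHTTP and IE proxy settings, warns when they disagree, and tests reachability of whichever hop the agent would actually use. The org hostname and the fallback proxy port are placeholders you replace.

```powershell
# Placeholder: replace with your org hostname (for example yourorg.okta.com or the preview equivalent).
param([string]$OktaHost = "yourorg.okta.com")

# Steps 1-3: show the WinHTTP proxy, which the ADFS agent uses by default.
$winhttp = netsh winhttp show proxy
$winhttp

# Extract "host:port" from the "Proxy Server(s) :" line when one is present.
$winhttpProxy = $null
foreach ($line in $winhttp) {
    if ($line -match 'Proxy Server\(s\)\s*:\s*(\S+)') { $winhttpProxy = $Matches[1]; break }
}

# The IE (WinINET) proxy is stored in the current user's registry hive.
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ieProxy = if ($ie.ProxyEnable -eq 1) { $ie.ProxyServer } else { $null }

"WinHTTP proxy : $(if ($winhttpProxy) { $winhttpProxy } else { 'none (direct access)' })"
"IE proxy      : $(if ($ieProxy) { $ieProxy } else { 'none (direct access)' })"

# Step 4: the mismatch behind the "unable to connect" symptom is IE using a proxy while WinHTTP does not.
if ($ieProxy -and -not $winhttpProxy) {
    Write-Warning "IE uses a proxy but WinHTTP does not. From an elevated prompt run: netsh winhttp import proxy source=ie"
}

# Step 5: with a proxy configured, the hop that must be reachable is the proxy; otherwise it is the Okta org itself.
if ($winhttpProxy) {
    # Handles both "host:port" and "http=host:port;https=host:port" forms (first entry only).
    $target, $port = (($winhttpProxy -replace '^https?=', '') -split ';')[0] -split ':'
    if (-not $port) { $port = 8080 }   # assumption: fallback port when netsh lists none
} else {
    $target, $port = $OktaHost, 443
}
$tcp = Test-NetConnection -ComputerName $target -Port ([int]$port) -WarningAction SilentlyContinue
"TCP ${target}:${port} reachable: $($tcp.TcpTestSucceeded)"

# End-to-end HTTPS through the WinHTTP proxy (if any). Without -Proxy, Invoke-WebRequest would
# follow the IE settings and could succeed even though the agent's WinHTTP path is blocked.
try {
    $req = @{ Uri = "https://$OktaHost/"; UseBasicParsing = $true; TimeoutSec = 15 }
    if ($winhttpProxy) { $req.Proxy = "http://${target}:${port}" }
    $r = Invoke-WebRequest @req
    "HTTPS to $OktaHost succeeded (HTTP $($r.StatusCode))"
} catch {
    "HTTPS to $OktaHost failed: $($_.Exception.Message) - check the proxy source and firewall rules"
}
```

Run it in an elevated PowerShell session on the ADFS server so the netsh import suggested in the warning can be applied immediately if needed.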

The following errors occur under both MFA as a Service and OpenID Connect (OIDC). They are effectively the same errors but differ in how they are reported.

Assigned user is deactivated in Okta

Cause: Error messages when the assigned user is deactivated in Okta:

  • OIDC: Failed to authenticate. Error: access_denied - 'login_hint' did not match a user assigned to the client ADFS app.
  • MFA as Service: General failure: The remote server returned an error: (404) Not Found.

Assigned user is suspended in Okta

Cause: Error messages when the assigned user is suspended in Okta:

  • OIDC: Failed to authenticate. Error: access_denied - 'login_hint' did not match a user assigned to the client ADFS app.
  • MFA as Service: General failure: The remote server returned an error: (401) not authorized.

Same custom name is set to two assigned users

Cause: Error messages when the same custom name is set to two assigned users on the client ADFS app:

  • OIDC: HTTP 500: Internal Server Error.
  • MFA as Service: General failure: The remote server returned an error: (401) Unauthorized.

Deny App Sign-on policy

Cause: Error messages when there is a Deny App Sign-on policy:

  • OIDC: Failed to authenticate. Error: access_denied - The MFA attestation request was denied by policy.
  • MFA as Service: General failure: The remote server returned an error: (403) Forbidden.