To use Kerberos authentication for agentless Desktop Single Sign-on (DSSO), you need to create a new service account and set a Service Principal Name (SPN) for that service account. The service account itself does not need admin permissions, but you need specific permissions to set an SPN. See Delegating Authority to Modify SPNs.
When the service account credential changes, update the corresponding Okta service account credential at the same time to avoid service outages. As a security precaution, Okta recommends updating the service account credential regularly.
- To open the Active Directory Users and Computers (ADUC) Microsoft Management Console (MMC) console, on the Active Directory server click Start > Run, enter dsa.msc, and press Enter.
- Right-click the folder where you want to create the new account and select New > User.
- Complete these fields:
  - First name — Enter the user's first name.
  - Initials — Optional. Enter an initial for the user's middle name.
  - Last name — Enter the user's last name.
  - Full name — Optional. Enter the user's full name.
  - User logon name — Enter a username.
  - User logon name (pre-Windows 2000) — Optional. Modify the automatically generated name if necessary.
- Click Next.
- Complete the Password and Confirm Password fields and clear the User must change password at next logon check box.
Okta recommends selecting Password never expires to avoid service interruptions. As a security precaution, update the service account credential regularly.
- Click Next and click Finish.
- Right-click the user created in step 6, select Properties, select the Account tab, and then select the This account supports Kerberos AES 128 bit encryption or This account supports Kerberos AES 256 bit encryption check boxes in the Account Options area.
- Click Apply.
- Create a group policy to enable AES encryption on the AD server. See Windows Configurations for Kerberos Supported Encryption Type.
The group policy can be created on the domain controller, or on the server where the Okta AD Agent is installed. The policy applies to the entire domain, including all domain servers and workstations within it.
Open a command prompt and run this command to configure an SPN for the service account:
setspn -S HTTP/<myorg>.kerberos.<okta|oktapreview|okta-emea>.com <ServiceAccountName>
Where HTTP/<myorg>.kerberos.<okta|oktapreview|okta-emea>.com is the SPN, <ServiceAccountName> is the value you used when configuring the Early Access version of Agentless DSSO, and <okta|oktapreview|okta-emea> is your Okta org (either oktapreview, okta-emea or okta). For example:
setspn -S HTTP/atko.kerberos.oktapreview.com atkospnadmin
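The following read-only check is an added example, not part of Okta's procedure. It confirms the outcome of the steps above: the SPN is registered on exactly one account, AES is enabled, the password is within a rotation window, and the account is not privileged. It assumes the ActiveDirectory PowerShell module is installed, uses the account name and SPN from the example above, and the 90-day threshold is an assumed policy value.

```powershell
# Added example: read-only audit of the DSSO service account (ActiveDirectory module required).
Import-Module ActiveDirectory

$ServiceAccount     = 'atkospnadmin'                        # example account name from this page
$Spn                = 'HTTP/atko.kerberos.oktapreview.com'  # example SPN from this page
$MaxPasswordAgeDays = 90                                    # assumption: set to your rotation policy

# Bit flags of the msDS-SupportedEncryptionTypes attribute
$DES = 0x03; $RC4 = 0x04; $AES128 = 0x08; $AES256 = 0x10

$user = Get-ADUser -Identity $ServiceAccount -Properties ServicePrincipalNames,
    'msDS-SupportedEncryptionTypes', PasswordLastSet, PasswordNeverExpires, adminCount
$findings = @()

# 1. The SPN must be on this account and on no other object in the domain.
$owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'")
if ($user.ServicePrincipalNames -notcontains $Spn) {
    $findings += "SPN $Spn is not registered on $ServiceAccount"
}
if ($owners.Count -gt 1) {
    $findings += "SPN $Spn is registered on more than one object: $($owners.Name -join ', ')"
}

# 2. At least one AES check box must be selected; flag weaker types left enabled.
$enc = [int]$user.'msDS-SupportedEncryptionTypes'   # an unset attribute reads as 0
if (-not ($enc -band ($AES128 -bor $AES256))) {
    $findings += 'Neither AES 128 nor AES 256 is enabled on the account'
}
if ($enc -band ($DES -bor $RC4)) {
    $findings += 'DES or RC4 is enabled on the account in addition to AES'
}

# 3. With "Password never expires" selected, rotation is manual, so check the password age.
if ($null -eq $user.PasswordLastSet) {
    $findings += 'Password has never been set'
} elseif (((Get-Date) - $user.PasswordLastSet).Days -gt $MaxPasswordAgeDays) {
    $state = if ($user.PasswordNeverExpires) { 'never expires' } else { 'expires by policy' }
    $findings += "Password is older than $MaxPasswordAgeDays days (password $state)"
}

# 4. The service account does not need admin permissions.
if ($user.adminCount -eq 1) {
    $findings += 'adminCount is 1: the account is or was a member of a protected admin group'
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "$ServiceAccount passed all checks"
}
```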