To let Okta negotiate Kerberos authentication for agentless Desktop Single Sign-on (DSSO), you need to create a new service account and set a Service Principal Name (SPN) for that service account. The service account itself does not need admin permissions, but you need specific permissions to set an SPN. See Delegating Authority to Modify SPNs.
When the SPN credentials change, update the Okta SPN information at the same time to avoid service outages. As a security precaution, Okta recommends updating the SPN regularly.
- Sign in to a server from which you can access Active Directory Users and Computers.
- Right-click the folder where you want to create the new account and select New > User.
- Complete these fields:
- First name: Optional. Enter the user's first name.
- Initials: Optional. Enter an initial for the user's middle name.
- Last name: Optional. Enter the user's last name.
- Full name: Optional. Enter the user's full name.
- User logon name: Enter a username.
- User logon name (pre-Windows 2000): Enter a username.
- Complete the Password and Confirm Password fields and select a password option. Okta recommends selecting Password never expires to avoid service interruptions.
- Click Next.
- Open a command prompt and run this command to configure an SPN for the service account:
setspn -S HTTP/<myorg>.kerberos.<okta|oktapreview|okta-emea>.com <ServiceAccountName>
Here HTTP/<myorg>.kerberos.<okta|oktapreview|okta-emea>.com is the SPN: <myorg> is your Okta org, the domain suffix is the one your org is hosted on (okta, oktapreview, or okta-emea), and <ServiceAccountName> is the value you used when configuring the Early Access version of Agentless DSSO. For example:
setspn -S HTTP/atko.kerberos.oktapreview.com atkospnadmin
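The same procedure scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the Okta documentation: it creates the account, refuses to register the SPN if another object already holds it (a duplicate SPN breaks Kerberos ticket issuance), verifies the registration, and flags an old password so the credential rotation and the Okta SPN update happen together. It assumes the RSAT ActiveDirectory module is installed, the caller has the delegated right to write servicePrincipalName, and uses the page's example names (atko, atkospnadmin); the OU path is a placeholder.

```powershell
# Added example, not from the Okta documentation. Assumes RSAT ActiveDirectory module
# and delegated rights to create users in $OuPath and to write servicePrincipalName.
Import-Module ActiveDirectory

$Org         = 'atko'                                    # from the page's example
$OktaDomain  = 'oktapreview'                             # okta | oktapreview | okta-emea
$AccountName = 'atkospnadmin'                            # from the page's example
$Spn         = "HTTP/$Org.kerberos.$OktaDomain.com"
$OuPath      = 'OU=ServiceAccounts,DC=example,DC=com'    # placeholder OU
$MaxPwdAge   = 365                                       # days before the rotation reminder fires

# Prompt for the password instead of embedding it in the script.
$Password = Read-Host -Prompt "Password for $AccountName" -AsSecureString

# 1. Create the account. It needs no admin rights; "password never expires"
#    follows the page's recommendation to avoid DSSO outages.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$AccountName'")) {
    New-ADUser -Name $AccountName -SamAccountName $AccountName `
        -UserPrincipalName "$AccountName@$((Get-ADDomain).DNSRoot)" `
        -Path $OuPath -AccountPassword $Password -Enabled $true `
        -PasswordNeverExpires $true `
        -Description 'Okta agentless DSSO Kerberos SPN account'
}

# 2. Refuse to register the SPN if any other object already holds it.
#    With a duplicate SPN the KDC cannot pick a single key and Kerberos auth fails.
$Holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" |
           Where-Object { $_.Name -ne $AccountName }
if ($Holders) {
    throw "SPN $Spn is already registered on: $($Holders.DistinguishedName -join ', ')"
}

# 3. Register the SPN (equivalent to: setspn -S $Spn $AccountName).
Set-ADUser -Identity $AccountName -ServicePrincipalNames @{ Add = $Spn }

# 4. Verify the SPN is present and check the password age against the
#    rotation practice the page recommends.
$Acct = Get-ADUser -Identity $AccountName -Properties servicePrincipalName, PasswordLastSet
if ($Acct.servicePrincipalName -notcontains $Spn) {
    throw "SPN $Spn not found on $AccountName"
}
Write-Output "SPN registered: $($Acct.servicePrincipalName -join ', ')"

$Age = (Get-Date) - $Acct.PasswordLastSet
if ($Age.Days -gt $MaxPwdAge) {
    Write-Warning "Password for $AccountName is $($Age.Days) days old; rotate it and update the SPN credentials in Okta at the same time."
}
```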