Set the service principal name

Set the Service Principal Name (SPN) so that Okta can negotiate Kerberos authentication for agentless Desktop Single Sign-on (DSSO). Domain administrator privileges are required to set the SPN.

  1. Open a command prompt as an administrator in your Active Directory (AD) environment and run this command to add an SPN:

    setspn -S HTTP/<myorg>.kerberos.<oktaorg>.com <ServiceAccountName>

    HTTP/<myorg>.kerberos.<oktaorg>.com is the SPN. <myorg> is your Okta org subdomain, <oktaorg> is the Okta domain your org is hosted on (okta, oktapreview, okta-emea, or okta-gov), and <ServiceAccountName> is the service account you entered when configuring Agentless DSSO. For example: setspn -S HTTP/atko.kerberos.oktapreview.com atkospnadmin. The -S switch checks the forest for an existing registration of the SPN before adding it and refuses to create a duplicate; a duplicate SPN would leave the KDC unable to decide which account's key to encrypt service tickets with.

    This command does not create a new AD user account. It adds the SPN to the existing service account.
    A child domain can use an SPN that resides in a parent domain only if the parent domain is also configured as a Kerberos realm in Okta.
    SPNs must be unique across a forest, so you only need to do this once per forest. If you have multiple forests, repeat step 1 in each forest. This command applies to all orgs, including those that use a custom URL.

  2. Add https://<myorg>.kerberos.<oktaorg>.com to the Intranet Site list (Local intranet zone) in Internet Settings on every device that you want to use Agentless DSSO. Windows browsers send a Negotiate (Kerberos) token only to sites in that zone.
  3. Open your Okta Admin Console and go to Security > Delegated Authentication > Agentless DSSO > Edit.
    1. Under the AD instances, click Edit.
    2. If the service account username is still in the old SPN-style format (for example, HTTP/<myorg>.<oktaorg>.com), change it to the UPN of the service account on which the SPN was set.
    3. Select Validate service account credential on save.
    4. Click Save.

    This initiates the creation of a new DNS record for your org.

  4. Use command-line tools such as dig or nslookup to confirm that the new Kerberos hostname resolves in DNS. For example:

    $ dig <yourOrg>.kerberos.<oktaorg>.com

    $ nslookup <yourOrg>.kerberos.<oktaorg>.com

    A successful lookup returns an address record for the name in the answer section; an NXDOMAIN (dig) or "can't find" (nslookup) response means the record has not been created or has not propagated yet. If the name resolves, complete the remaining procedures. If it still does not resolve, run the command again in five minutes or contact Okta Support for assistance.
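    The following PowerShell script is an added example, not part of the Okta documentation, that carries steps 1, 2 and 4 through on a domain-joined Windows host and adds the checks an administrator would want before and after: a forest-wide search for an existing registration of the SPN, a read-back of the account's servicePrincipalName attribute, and a Kerberos service-ticket request for the SPN. The org subdomain atko, the oktapreview.com domain and the service account atkospnadmin are hypothetical values; substitute your own. It assumes the ActiveDirectory and DnsClient modules are available and that it runs as a Domain Admin.

```powershell
# Added example (not Okta's code): register and verify the Agentless DSSO SPN.
# Hypothetical values: org "atko" on oktapreview.com, AD service account "atkospnadmin".
param(
    [string]$Org            = 'atko',
    [string]$OktaDomain     = 'oktapreview.com',   # okta.com | oktapreview.com | okta-emea.com | okta-gov.com
    [string]$ServiceAccount = 'atkospnadmin'
)

$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

$kerberosHost = "$Org.kerberos.$OktaDomain"
$spn          = "HTTP/$kerberosHost"

# 1. Check whether the SPN is already registered anywhere in the forest. Querying a
#    Global Catalog (port 3268) spans every domain, not just the one you are in.
$gc    = "$((Get-ADForest).Name):3268"
$owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Server $gc -Properties sAMAccountName
if ($owner -and $owner.sAMAccountName -ne $ServiceAccount) {
    throw "$spn is already registered on $($owner.DistinguishedName); remove it there first."
}

# 2. Add the SPN to the existing service account (setspn -S also refuses duplicates).
#    Set-ADUser -Identity $ServiceAccount -ServicePrincipalNames @{Add=$spn} is equivalent.
if (-not $owner) {
    & setspn.exe -S $spn $ServiceAccount | Write-Host
}

# 3. Read the attribute back from the account rather than trusting the tool's output.
$registered = (Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName
if ($registered -notcontains $spn) { throw "$spn is not present on $ServiceAccount" }
Write-Host "SPNs on ${ServiceAccount}: $($registered -join ', ')"

# 4. Put the Kerberos host in the Local intranet zone (zone 1) for the current user.
#    For a fleet, deliver this with the "Site to Zone Assignment List" Group Policy instead.
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$OktaDomain\$Org.kerberos"
New-Item -Path $zoneKey -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null

# 5. After saving the configuration in the Okta Admin Console, confirm the DNS record exists.
try {
    $addr = (Resolve-DnsName -Name $kerberosHost -Type A).IPAddress | Where-Object { $_ }
    Write-Host "$kerberosHost resolves to $($addr -join ', ')"
} catch {
    Write-Warning "$kerberosHost does not resolve yet; retry in a few minutes."
}

# 6. Ask the KDC for a service ticket to the SPN. A failure with
#    KDC_ERR_S_PRINCIPAL_UNKNOWN (0x7) means the SPN is not registered in the
#    realm this client authenticates against.
& klist.exe get $spn
```

    Steps 1 and 3 use the directory rather than setspn's printed text so the result can be asserted on. Step 4 writes the per-user zone mapping only for the account running the script; on managed devices the Group Policy route is the one that covers all users.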

Next steps

Configure browsers for single sign-on on Windows