The following are the prerequisites for installing the Okta IWA Web agent:
- You must have installed and configured the Okta AD Agent and Delegated Authentication must be enabled before you can configure IWA DSSO. See Manage your Active Directory integration.
- Make sure that Port 80 (for http) and Port 443 (for https) are open for inbound traffic on the same server that hosts the Okta IWA Web agent.
Note: Okta strongly recommends that you enable SSL.
Windows Server 2008 R2, Windows Server 2012, Server 2016 or Windows Server 2019 and higher. Although the IWA Web Agent will also work with Windows Server 2008, for best results, Okta recommends Windows Server 2008 R2 and Windows Server 2012.
If you use Windows Server 2008 R2, keep in mind the following:
- Microsoft requires Windows Server 2008 R2 users to have an extended support agreement. Also, Microsoft plans to EOL Windows Server 2008 R2 by 2020.
- Additional security configuration is required if your IWA Web agent is installed on a server running Windows Server 2008 R2. For more information, see Enable the Transport Layer Security 1.2 protocol.
- .NET 4.5.2 (minimum) up to .NET 4.6.x and ASP .NET 4.5. If you have a lower version of .NET, upgrade to 4.5.2 or higher.
To improve the security of our integrations, we now only communicate using TLS 1.2 security protocol. Ensure you are running .NET framework 4.5.2 or later so the AD agent installs correctly. For Windows 2008 R2 TLS 1.2 is disabled by default and must be enabled through the registry. If you have Windows 2008 R2, ensure the following regkeys are set correctly:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000
- IIS 7.5 or higher must be installed on the server. If the required IIS version is not installed, the installer quits and you receive an error message.
- AD Agent 3.0.4.x or higher. The Okta AD Agent does not have to be on the same server that hosts the OktaIWA Web agent.
- If your enterprise has more than one domain, see Configuring UPN Transformation.
The IWA agent doesn't require any extra privileges beyond the default permissions the user inherits from the Domain Users group. However, note the following:
- The installer configures some additional local permissions for the service account to allow it access the web-application files.
- The IWA agent requires read and execute permissions for files in C:\inetpub\webroot\IWA.
- If you want to use an existing account, then ensure:
- the account is active and the password never expires
- the account has permissions to read and execute for the C:\inetpub\wwwroot\IWA directory and its content