Migrate your Agentless Desktop SSO configuration


Info

Note

The steps in this topic apply to orgs that implemented the Early Access version of this feature. That is, you implemented this feature before August 30th, 2019. If you are implementing this feature for the first time after September 1, 2019 follow the instructions in Configure Agentless Desktop SSO - new implementations

Do you need to perform these steps?

You need to follow the steps in this topic if:


Procedures

The Agentless DSSO migration involves these steps:

  • Add a new SPN in Active Directory. To avoid a service disruption, the existing SPN must remain in place until you've successfully migrated to the new configuration.
  • Configure browsers for SSO on Windows.
  • Test the DSSO settings.

To complete the steps in this topic, you will need:

Add the SPN

Domain administrator privileges are required to set the SPN.

  1. Open a command prompt as an administrator in your AD environment and run this command to add an SPN:

    setspn -S HTTP/<myorg>.kerberos.<okta|oktapreview|okta-emea>.com <ServiceAccountName>

    HTTP/<myorg>.kerberos.okta.com is the SPN. <ServiceAccountName> is the value you used when configuring the Early Access version of Agentless DSSO and <oktaorg> is your Okta org (either oktapreview, okta-emea or okta). For example, setspn -S HTTP/atko.kerberos.oktapreview.com atkospnadmin.

    This command does not create a new AD user account and SPN. Instead, it adds a new SPN to the existing AD user account.
    SPNs are unique across a forest so you only need to do this once in each forest. If you have multiple forests, repeat step 1 for each forest. This command is applicable to all orgs, including those that are using a custom URL.

  2. Add https:///<myorg>.kerberos.<oktaorg>.com to the Intranet Site list in your Internet Settings for all the devices that you want using Agentless DSSO.
  3. Open your Okta Admin Console, navigate to Security > Delegated Authentication > Agentless DSSO > Edit
    1. Under the AD instances, click Edit.
    2. If the service account username is in the old format (for example:  HTTP/<myorg>.<oktaorg>.com), change it to the UPN of the service account for which the SPN was set.
    3. Select Validate service account credential on save.
    4. Click Save.

    This initiates the creation of a new DNS record for your org.

  4. Use command line tools such as dig or nslookup to make sure your new Kerberos URL can be reached. For example:

    $ dig <yourOrg>.kerberos.<oktaorg>.com

    $ nslookup <yourOrg>.kerberos.<oktaorg>.com

    To determine if the command was successful, refer to your Linux or Windows command reference documentation for explanations of the output messages. If the Kerberos URL can be reached, complete the remaining procedures. If you do not see output indicating success, run the command again in five minutes or contact Okta support for assistance.

Configure browsers for SSO on Windows

Configuring changes on Internet Explorer (IE) will be enough as Chrome will recognize these settings.

Note: Firefox and Edge are not supported.

There are three main steps involved in configuring the browsers on Windows:

  1. Enable IWA on the browsers:
    1. In Internet Explorer, select Tools > Internet options.
    2. Click the Advanced tab, scroll down to Security, and select Enable Integrated Windows Authentication.
    3. Click OK.

    Note: Make sure that IE can save session cookies (Internet options > Privacy tab). If it cannot, neither SSO nor standard sign in can work.

  2. Configure the Local Intranet Zone to trust Okta:
    1. Open IE and click Tools> Internet options and click the Security tab.
    2. Click on Local Intranet > Sites > Advanced and add the URL for your Okta org you configured in Add the SPN. For example: https://<myorg>.kerberos.<oktaorg>.com.
    3. Click Close and OK on the other configuration options.
  3. Create a GPO to apply the settings to all client machines using Agentless DSSO.

Test the DSSO settings

  1. Open the Okta Admin Console, navigate to Security > Delegated Authentication > Agentless DSSO.
  2. Scroll to Agentless Desktop SSO and confirm that On is selected for Desktop SSO mode.
  3. Log in to an active Okta Windows account that uses Agentless DSSO.
  4. Open an internet browser, enter https://<myorg>.okta.com/login/agentlessDssoMigrationReadiness in the address bar, and press Enter.
  5. If you cannot access the URL, contact Okta support.

    If the DSSO settings are correct and the org is ready, the user home page appears.

    If you created a custom URL, you are redirected to the URL location.

    If your org is not ready, the IWA flow is followed (if configured). If the IWA flow is not configured, the custom log in error page appears (if configured) or the default log in screen appears (https://<org>.okta.com/login/default).

    Your org will be migrated to the new functionality in a few days. No other changes are required and everything will continue to work.

    After you receive your confirmation from Okta, you will no longer need to make registry key changes for new users.

    If you need to make additional changes or adjustments to your settings, review the Agentless DSSO documentation.

 


Top