Migrate your Agentless Desktop Single Sign-on configuration



The information in this topic applies only to orgs that implemented the Early Access version of this feature before August 30th, 2019. If you are implementing this feature for the first time after September 1, 2019, see Configure a new Agentless Desktop Single Sign-on implementation

You need to complete this procedure if:


Known issues

  • Agentless DSSO will not work if a single user has memberships to more than 600 security groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups.. If an end user with more than 600 security groups attempts the Agentless DSSO migration, a 400 response appears and they are redirected to the regular sign in page.
  • The following browsers are not supported:
    • Firefox on Windows
    • Chrome on macOS
    • MS Edge
  • If you are using Windows functional level 2008 or below, be aware that it uses a less secure encryption RC4. Okta recommends upgrading to Windows functional level 2008 or above to make sure you are using the most secure encryption algorithm.
  • Agentless DSSO does not work when delegated authentication is disabled and Don't create Okta password is selected. To learn more about delegated authentication, see Delegated authentication.

Set the SPN

Domain administrator privileges are required to set the SPN.

  1. Open a command prompt as an administrator in your AD environment and run this command to add an SPN:

    setspn -S HTTP/<myorg>.kerberos.<okta|oktapreview|okta-emea>.com <ServiceAccountName>

    HTTP/<myorg>.kerberos.okta.com is the SPN. <ServiceAccountName> is the value you used when configuring the Early Access version of Agentless DSSO and <oktaorg> is your Okta org (either oktapreview, okta-emea or okta). For example, setspn -S HTTP/atko.kerberos.oktapreview.com atkospnadmin.

    This command does not create a new AD user account and SPN. Instead, it adds a new SPN to the existing AD user account.
    SPNs are unique across a forest so you only need to do this once in each forest. If you have multiple forests, repeat step 1 for each forest. This command is applicable to all orgs, including those that are using a custom URL.

  2. Add https://<myorg>.kerberos.<oktaorg>.com to the Intranet Site list in your Internet Settings for all the devices that you want using Agentless DSSO.
  3. Open your Okta Admin Console, navigate to Security > Delegated Authentication > Agentless DSSO > Edit
    1. Under the AD instances, click Edit.
    2. If the service account username is in the old format (for example:  HTTP/<myorg>.<oktaorg>.com), change it to the UPN of the service account for which the SPN was set.
    3. Select Validate service account credential on save.
    4. Click Save.

    This initiates the creation of a new DNS record for your org.

  4. Use command line tools such as dig or nslookup to make sure your new Kerberos URL can be reached. For example:

    $ dig <yourOrg>.kerberos.<oktaorg>.com

    $ nslookup <yourOrg>.kerberos.<oktaorg>.com

    To determine if the command was successful, refer to your Linux or Windows command reference documentation for explanations of the output messages. If the Kerberos URL can be reached, complete the remaining procedures. If you do not see output indicating success, run the command again in five minutes or contact Okta support for assistance.

Configure browsers for SSO on Windows

Configuring changes on Internet Explorer (IE) will be enough as Chrome will recognize these settings.

Note: Firefox and Edge are not supported.

There are three main steps involved in configuring the browsers on Windows:

  1. Enable IWA on the browsers:
    1. In Internet Explorer, select Tools > Internet options.
    2. Click the Advanced tab, scroll down to Security, and select Enable Integrated Windows Authentication.
    3. Click OK.

    Note: Make sure that IE can save session cookies (Internet options > Privacy tab). If it cannot, neither SSO nor standard sign in can work.

  2. Configure the Local Intranet Zone to trust Okta:
    1. Open IE and click Tools> Internet options and click the Security tab.
    2. Click Local Intranet > Sites > Advanced and add the URL for your Okta org you configured in Add the SPN. For example: https://<myorg>.kerberos.<oktaorg>.com.
    3. Click Close and OK on the other configuration options.
  3. Create a GPO to apply the settings to all client machines using Agentless DSSO.

Test the DSSO settings

  1. Open the Okta Admin Console, navigate to Security > Delegated Authentication > Agentless DSSO.
  2. Scroll to Agentless Desktop SSO and confirm that On is selected for Desktop SSO mode.
  3. Log in to an active Okta Windows account that uses Agentless DSSO.
  4. Open an internet browser, enter https://<myorg>.okta.com/login/agentlessDssoMigrationReadiness in the address bar, and press Enter.
  5. If you cannot access the URL, contact Okta support.

    If the DSSO settings are correct and the org is ready, the user home page appears.

    If you created a custom URL, you are redirected to the URL location.

    If your org is not ready, the IWA flow is followed (if configured). If the IWA flow is not configured, the custom log in error page appears (if configured) or the default log in screen appears (https://<org>.okta.com/login/default).

    Your org will be migrated to the new functionality in a few days. No other changes are required and everything will continue to work.

    After you receive your confirmation from Okta, you will no longer need to make registry key changes for new users.

    If you need to make additional changes or adjustments to your settings, review the Agentless DSSO documentation.