Configure browsers for agentless Desktop Single Sign-on on Windows

Agentless DSSO is supported on Windows using Chrome, Chromium versions of Microsoft Edge, Internet Explorer, and Firefox. Previous versions of Microsoft Edge (Legacy) aren't supported.

To configure the browsers in a Windows environment for Agentless DSSO:

  • Create a Group Policy Object (GPO) on a Windows server in the domain to apply the Integrated Windows Authentication (IWA) and URL settings to all Windows client machines in the domain.
  • Enable IWA on the browsers.
  • Add Okta to the local intranet in Internet Explorer (IE). The Okta URLs must include https://<myorg>.kerberos.okta.com.

Note: Agentless DSSO doesn't work if a single user has memberships in more than 600 security groups or if the Kerberos token is too large for Okta to currently consume. If a user with a large Kerberos packet implements or migrates to Agentless DSSO, a 400 response appears and they're redirected to the regular sign-in page.

Internet Explorer

Although this procedure is specific to Internet Explorer, you can use a similar process to configure Chrome and Chromium Edge on Windows.

  1. Enable IWA on the browsers:
    1. In Internet Explorer, select Tools > Internet Options. On Windows 10 and above, click the Settings icon from the Start menu and search for Internet Options in the search bar.
    2. Click the Advanced tab, scroll down to the Security settings, and select Enable Integrated Windows Authentication.
    3. Click OK.

    Note: Make sure that Internet Explorer can save session cookies (Internet Options > Privacy tab). If it can't, neither SSO nor standard sign-in can work.

  2. Configure the Local Intranet Zone to trust Okta:
    1. In IE, open Options > Security.
    2. Click Local Intranet > Sites > Advanced and add the URL for your Okta org as configured in earlier steps. For example: https://<myorg>.kerberos.okta.com.
    3. Click Close and OK on the other configuration options.
  3. Create a GPO to roll this out to all client machines that will use agentless DSSO.

Chrome

The Okta URL must be added to the Chrome allowlist.

  1. Add the following registry entry for Agentless Desktop Single Sign-on for Google Chrome:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]

    "DisableAuthNegotiateCnameLookup"=dword:00000001

  2. Add the following entry as a string value in the registry:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]

    "AuthServerAllowlist"="org.kerberos.okta.com"

Note: Replace org.kerberos.okta.com with the Okta org in which Agentless Desktop Single Sign-on is configured. For example: acme.kerberos.okta.com.
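The two Chrome registry settings above as a single script that writes them and reads them back, added here as an example and not part of the Okta documentation. It assumes your org subdomain is passed as $OktaOrg (for example acme) and that it runs from an elevated PowerShell prompt, since HKLM\SOFTWARE\Policies is writable only by administrators.

```powershell
# Added example (not from the Okta documentation): apply the Chrome policy values
# from the steps above for one Okta org and verify they were written.
# Assumption: $OktaOrg is the org subdomain only, e.g. "acme" -> acme.kerberos.okta.com.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[a-z0-9-]+$')]   # subdomain only: no dots, no scheme
    [string]$OktaOrg
)

$policyKey     = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$allowlistHost = "$OktaOrg.kerberos.okta.com"

# Create the policy key if Chrome has never been managed on this machine.
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

# Step 1: DWORD 1 stops Chrome from canonicalising the hostname via CNAME
# before building the Kerberos SPN, so the SPN matches the Okta hostname.
New-ItemProperty -Path $policyKey -Name 'DisableAuthNegotiateCnameLookup' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Step 2: string value naming the only host Chrome may send Negotiate
# (Kerberos) credentials to. Keep it to the org host, not a wildcard.
New-ItemProperty -Path $policyKey -Name 'AuthServerAllowlist' `
    -PropertyType String -Value $allowlistHost -Force | Out-Null

# Verify: read both values back and fail loudly if either is missing or wrong.
$applied = Get-ItemProperty -Path $policyKey
if ($applied.DisableAuthNegotiateCnameLookup -ne 1 -or
    $applied.AuthServerAllowlist -ne $allowlistHost) {
    throw "Chrome DSSO policy values were not applied as expected under $policyKey"
}

Write-Host "Chrome policy set: AuthServerAllowlist=$allowlistHost, DisableAuthNegotiateCnameLookup=1"
Write-Host "Restart Chrome, then confirm at chrome://policy that both values show as Mandatory."
```

For a fleet rollout, put the same two values in the GPO described earlier rather than running this on each machine; the script is useful for validating one client before the policy is pushed.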

Firefox

  1. Open the Firefox web browser and enter about:config in the address bar.
  2. If the Proceed with Caution message appears, click Accept the Risk and Continue.
  3. In the Search preference name field, enter network.negotiate-auth.trusted-uris.
  4. Click Edit, enter <org>.kerberos.okta.com, and click Save.

Next steps

Enable agentless Desktop Single Sign-on