Create a service account and configure a Service Principal Name

To use Kerberos authentication for agentless Desktop Single Sign-on (DSSO), you need to create a service account and set a Service Principal Name (SPN) for that account. The service account itself doesn't need admin permissions, but you need specific permissions to set an SPN. See Delegating Authority to Modify SPNs.

When the service account's credentials change, update the corresponding Okta service account credential at the same time to avoid service outages. As a security precaution, Okta recommends updating the service account credential regularly.

When Federal Information Processing Standards (FIPS) functionality is enabled, the service account username and password must meet these criteria:

  • The combined length of the service account username and the domain name must include a minimum of 16 characters.
  • The service account password must contain a minimum of 14 characters.

Start this procedure

  1. To open the Active Directory Users and Computers (ADUC) Microsoft Management Console (MMC) console, on the Active Directory server click StartRun, enter dsa. msc, and press Enter.
  2. Right-click the folder where you want to create the account and select NewUser.
  3. Complete these fields:
    • First name: Enter the user's first name.
    • Initials: Optional. Enter an initial for the user's middle name.
    • Last name: Enter the user's last name.
    • Full name: Optional. Enter the user's full name.
    • User logon name: Enter a username.
    • User logon name (pre-Windows 2000): Optional. Modify the automatically generated name if necessary.
  4. Click Next.
  5. Complete the Password and Confirm Password fields and clear the User must change password at next logon checkbox.

    Okta recommends selecting Password never expires to avoid service interruptions. As a security precaution, update the service account credential regularly.

  6. Click Next, and then click Finish.
  7. Right-click the user that you created earlier, select Properties, and then select the Account tab.
  8. In the Account Options section, select the This account supports Kerberos AES 128 bit encryption or This account supports Kerberos AES 256 bit encryption checkboxes.
  9. Click Apply.
  10. Create a group policy to enable AES encryption on the AD server. See Windows Configurations for Kerberos Supported Encryption Type.

    The group policy can be created on the domain controller or on the server where the Okta AD agent is installed. The policy is applied to the entire domain and applies to all domain servers and workstations within the domain.

  11. To configure an SPN for the service account, open a command prompt and run this command as an administrator:

    setspn -S HTTP/<myorg>.kerberos.<oktaorg>.com <ServiceAccountName>

    • HTTP/<myorg>.kerberos.<okta|oktapreview|okta-emea>.com: This is the SPN.
    • <ServiceAccountName>: This is the value that you used when configuring Agentless DSSO.
    • <oktaorg>: This is your Okta org (either okta, oktapreview, or okta-emea).

      See Setspn.

Next steps

Configure browsers for agentless Desktop Single Sign-on on Windows

Configure browsers for agentless Desktop Single Sign-on on Mac