Using Desktop SSO for authentication when system is off network
https://support.okta.com/help/oktaarticledetailpage?childcateg=&id=ka02a000000u91vsac&source=documentation&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fdocumentation%2fknowledge_article%2fusing-desktop-sso-for-authentication-when-system-is-off-network
Published: Feb 16, 2018   -   Updated: Jun 22, 2018

Issue: Using Desktop SSO for authentication when system is off network

Applies to: 
  • IWA
  • Desktop SSO
    • Use case: The Okta Desktop SSO server is publicly accessible and all Network Zones are configured to redirect to the IWA Redirect URL, but off-network clients are prompted to enter Okta credentials

Cause: NTLM authentication must be used by off-network machines, which requires changing IIS and/or browser settings

Resolution:
  • Change IIS settings to use NTLM
    • On your IWA Server, launch the IIS Manager
    • In the left pane, expand Sites > Default Web Site and select your IWA application (default name is IWA)
    • Double-click Authentication
    • Select Windows Authentication and click Providers... in the right pane
    • Ensure that NTLM is listed above Negotiate (the order can be changed using the Move Up and Move Down buttons)
  • For Firefox users:
    • In the Firefox address bar, enter: about:config
    • When the configuration page loads, enter the following in the Search field: network.automatic-ntlm-auth.trusted-uris
    • Double-click network.automatic-ntlm-auth.trusted-uris, enter your IWA Redirect URL in the string value field, and click OK
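
To confirm from a client that the provider order change took effect, the following added example (not part of the original Okta article) parses the `WWW-Authenticate` headers of a 401 response saved with `curl -i` and reports whether NTLM is offered ahead of Negotiate. It assumes IIS emits these headers in the configured provider order; the sample response and the function names are constructed for illustration.

```python
import re

# Constructed sample: headers of an unauthenticated request to an IWA
# endpoint, as `curl -i` would print them. Not captured from a real server.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/html\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "Content-Length: 1293\r\n"
    "\r\n"
)

# Split on commas that are not inside a quoted string (e.g. realm="a, b").
_COMMA_OUTSIDE_QUOTES = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def offered_schemes(raw_response):
    """Return the authentication schemes in the order the server offered them."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    schemes = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        # One header line may carry several comma-separated challenges.
        for challenge in _COMMA_OUTSIDE_QUOTES.split(value):
            words = challenge.split()
            # Skip auth-params such as nonce="..." that follow a scheme.
            if words and "=" not in words[0]:
                schemes.append(words[0])
    return schemes


def ntlm_preferred(raw_response):
    """True if NTLM is offered and is listed before Negotiate (or alone)."""
    order = [s.lower() for s in offered_schemes(raw_response)]
    if "ntlm" not in order:
        return False
    return "negotiate" not in order or order.index("ntlm") < order.index("negotiate")


if __name__ == "__main__":
    print(offered_schemes(SAMPLE_401), ntlm_preferred(SAMPLE_401))
```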