After following the standard procedure to deploy the Okta DSSO agent on Win 2012 R2, the IWA web application gets deployed on IIS and runs within the IIS "application pool" OktaIWA. This application pool runs under the identity of OktaService, the service account created/selected during agent installation.
Question: Isn't the OktaService user supposed to map to an SPN of HTTP/<DNS name for IWA webapp>? When I do a setspn -l <domain>\OktaService, I get an empty list.
Hello Jatin,

On each IWA server you need to use Setspn to set the Service Provider Name so Kerberos can function with the Global Redirect. The service account below is the service account assigned to the application pool associated with the IIS service.

    setspn -s HTTP/<hostname> <domain>\<serviceaccount>
    setspn -s HTTP/<hostname>.<fqdn> <domain>\<serviceaccount>
Some explanation of the SetSPN stuff: https://blogs.technet.microsoft.com/tristank/2006/05/08/3-simple-rules-to-kerberos-authenticationdelegation-spns/
If the SPN checks out and the Microsoft Network monitor tool is non-specific, I would check the kerb header size maybe? It could be exceeding the max allowed limit or max token size in IIS... this would truncate the kerb token and result in a 401.
Behrouz Ghorchi Tier 2 Technical Support Engineer Okta Global Customer Care
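The reply above gives the two setspn commands and then points at Kerberos token size as the next thing to rule out. The script below is an added example, not Okta's code and not part of the support reply: it is a read-only check a defender can run on the IWA server to confirm that the HTTP/<hostname> and HTTP/<fqdn> SPNs are registered on the account the OktaIWA application pool actually runs as, flag the same SPN registered on a second account (which breaks Kerberos for everyone), and read out the registry limits that govern how large a Kerberos token and HTTP header Windows will accept. It assumes it runs with administrative rights on the IIS host, that the WebAdministration module is present (it ships with IIS on 2012 R2), and that the pool name is OktaIWA as on this page; the account name is read from IIS rather than hard-coded.

```powershell
# Added diagnostic (not Okta's code): verify the SPNs from the reply above and
# report the token/header size limits it mentions. Read-only; changes nothing.
# Assumes: run as admin on the IWA server, IIS WebAdministration module present,
# app pool named OktaIWA (override with -AppPoolName).
param(
    [string]$AppPoolName = 'OktaIWA'
)

Import-Module WebAdministration -ErrorAction Stop

# 1. Which account does the IIS application pool run as? (e.g. DOMAIN\OktaService)
$pool     = Get-Item "IIS:\AppPools\$AppPoolName"
$identity = $pool.processModel.userName
if (-not $identity) {
    Write-Warning "App pool '$AppPoolName' uses a built-in identity; SPNs would then live on the computer account."
    return
}
$samAccount = ($identity -split '\\')[-1]

# 2. SPNs a browser will request: short host name and the FQDN of this server
$shortHost = $env:COMPUTERNAME
$fqdn      = [System.Net.Dns]::GetHostEntry($shortHost).HostName
$expected  = @("HTTP/$shortHost", "HTTP/$fqdn")

# 3. SPNs actually registered on the service account (plain LDAP, no RSAT needed)
$account = ([ADSISearcher]"(samAccountName=$samAccount)").FindOne()
if (-not $account) { throw "Account $samAccount not found in Active Directory" }
$registered = @($account.Properties['serviceprincipalname'])

foreach ($spn in $expected) {
    if ($registered -contains $spn) {          # -contains is case-insensitive
        "OK        $spn is registered on $identity"
    } else {
        "MISSING   $spn  (fix: setspn -s $spn $identity)"
    }
    # The same SPN on a second account makes the KDC refuse or mis-issue tickets,
    # which the browser surfaces as a 401 just like a missing SPN would.
    $others = ([ADSISearcher]"(servicePrincipalName=$spn)").FindAll() |
              ForEach-Object { $_.Properties['samaccountname'][0] } |
              Where-Object  { $_ -ne $samAccount }
    if ($others) { "DUPLICATE $spn is also on: $($others -join ', ')" }
}

# 4. Limits that truncate a large Kerberos token (many group memberships) into a 401.
#    Empty output means the value is not set and the OS default applies.
$kerb = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$http = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
"MaxTokenSize    : " + (Get-ItemProperty $kerb -ErrorAction SilentlyContinue).MaxTokenSize
"MaxFieldLength  : " + (Get-ItemProperty $http -ErrorAction SilentlyContinue).MaxFieldLength
"MaxRequestBytes : " + (Get-ItemProperty $http -ErrorAction SilentlyContinue).MaxRequestBytes
```

Run it from an elevated PowerShell prompt on the IWA server. A MISSING line is the case Jatin describes (setspn -l on the account returns nothing); a DUPLICATE line is worth checking before adding anything, since setspn -s refuses to register an SPN that already exists elsewhere in the forest, and setspn -X will list every duplicate in the domain. If the SPNs are correct and the 401 persists for users in many groups, the three registry values at the end are the ones to compare against the size of the Authorization header seen in the network trace.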