OktaService account maps to SPN? Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Jatin VaidyaJatin Vaidya 

OktaService account maps to SPN?


After following standard procedure to deploy the Okta DSSO agent on Win 2012 R2, the IWA web application gets deployed on IIS and runs within IIS "application pool" of OktaIWA. This application pool runs under identity of OktaService, the service account created/selected during agent installation.

Isn't the OktaService user supposed to map to an SPN of HTTP/<DNS name for IWA webapp>?
When I do a setspn -l <domain>\OktaService, I get an empty list. 

Please comment.

BehrouzBehrouz (Okta, Inc.) 
Hello Jatin,
On each IWA server you need to use Setspn to set the Service Provider Name so Kerberos can function with the Global Redirect.
The serviceaccount below is the serviceaccount assigned to the application pool associated with the IIS service.
setSPN -s HTTP/<hostname> <domain>\<serviceaccount>
setSPN -s HTTP/<hostname>.<fqdn> <domain>\<serviceaccount>

Some explanation of the SetSPN stuff:

If the SPN checks out and the Microsoft Network monitor tool is non-specific, I would check the kerb header size maybe? It could be exceeding the max allowed limit or max token size in IIS... this would truncate the kerb token and result in a 401.

Behrouz Ghorchi
Tier 2 Technical Support Engineer
Okta Global Customer Care
Jatin VaidyaJatin Vaidya
Thanks Behrouz.
Can you please elaborate some practical ways in which the Okta DSSO global redirect URL feature can be made use of? There seems to be very little documentation on this.