SSO not working via Network Load balancer - sso_iwa_auth / iwa.Invalid.Token Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Nidhin C KNidhin C K 

SSO not working via Network Load balancer - sso_iwa_auth / iwa.Invalid.Token

Hi Experts,

We have enabled "Use global redirect URL" via network load balancer (F5) and it was working fine. Now we had to remove one of the server from F5 load balancer and add a new one. after that SSO to okta page does not work and it redirects to

In event logs, LegacyEventType shows as iwa.Invalid.Token

Note: When we point IWA server manually or Automatic failorver then SSO works. 

Anybody has any idea why this is happening?
Stefan PescaruStefan Pescaru (Okta, Inc.)
I would recommend checking the following:
  • Check the service accounts for AD.
  • Check the API token to be valid.
  • Check your server firewall, to make sure it is not blocking any IP adresses.
  • Also check for your server to be domain-joined, as otherwise IWA will not work.
For further assistance, you can always open a case with our Tech Support department.
Nidhin C KNidhin C K
Hi Stefan,

How do i check if API token is valid. Could you please providfe steps for this
Dave McMartinDave McMartin

Hi Nidhin,

We are running into the same issue.  IWA works fine on both Mac and Win but as soon as we enable Global Redirect it breaks on all Mac browsers.  I can confirm the following:

Mac domain joined
Firewall not blocking
SVC account setup per instructions

No idea either what they are referring to with API token.  

I have opened a case with Okta support that hasn't really gotten anywhere in the last 2 +  weeks.  Would love to see some attention to this.


Nidhin C KNidhin C K
Hi Deve,

We faced the exact same issue and we have resolved this issue by follwoing below steps. 
1. Follow the setps mentioned in below article
2. Add service account in below mentioned Local Security Policy (secpol) on IWA servers
    a. Log on as a service
    b. Replace a process level token
    c. Adjust memory quotas for a process
3. Restart IIS service
Dave McMartinDave McMartin
Sorry should have posted when we found this and passed it along to Okta a few months ago. Thanks for the follow up. Dave Sent from my T-Mobile 4G LTE Device Dave McMartin | Sr. Systems Engineer p: +12069256468 Getty Images