Desktop SSO for users housed in a 2nd AD forest Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:

Desktop SSO for users housed in a 2nd AD forest

Is it possible to get desktop SSO working for AD objects imported from a 2nd AD forest with no trust relationship to the 1st AD forest? 
More info: IWA version1.8.1

I am using a global redirect URL, and forcing the users in the disparte directory to their own IWA server via DNS. The /iwa/authenticated.aspx page says they are authenticating succesfully. When they attempt to auth via IWA, they are directed to the IWA server, and then redirected to the /login/default page. I'm not seeing much in the logs that explains why they are sent back to the form rather than logged in. 
Kevin TurnerKevin Turner (Okta, Inc.)
Is the users Public Gateway IP value enabled on the Okta allowed network IP ranges. First get the user to go to a web address of say to find the public gateway IP for the site.
Then you will need to add that displayed IP address. To do this, go to the Okta Admin Console, select “Security”, “Network” and add any missing IP address that’s are not already in the list. Once added the user should be automatically logged into to Okta (rather than having to type in their AD username and password manually) and not be sent to the /login/default page.
Hi Kevin - yes, I added their gateway IP to the network definition in Okta. Like I said, when they browse to my Okta org they are redirected to their IWA app, so that part is working. The IWA app is redirecting their users back to /login/default rather than logging them in. 
Kevin TurnerKevin Turner (Okta, Inc.)
I'm guessing then that something is not right in the configuration with the browser maybe as the user shgould net get passed on to the IWA URL. Have you made the changes to the local intranet settings to send on the Kerberos credentials to the IIS webserver? If you've not seen the details here's the link to the support page
Sorry if you've performed these steps and I'm covering old ground here.
If you have and still have problems, it's best maybe to open up a support ticket to walk through the problem.
No problem, thanks for the input. I have added their IWA site to their IE "intranet zone". The \iwa\authenticated.aspx page is successfully authenticating their users; so I think that means that IE is set up correctly? 

I have opened a support case; i'll report back if we figure this out. 
Palak ChhedaPalak Chheda
Hi Mark,
Were able to find a solution for this?

Art CarreraArt Carrera
did this ever work?  i have a similar situation i'd like to solve.