Jim O'Connor

IE Protected/Non-Protected Mode?

Does anybody have a way to work around IE Protected/Non-Protected Mode when it comes to internal applications being in the Local Intranet Zone (wildcard for entire internal name space is enforced by GPO and needs to stay in place), which is not in protected mode, and external applications that are in the Internet zone, which is in protected mode?
To get my internal applications to automatically pass the login credentials I had to add okta.com to Trusted Zones (also not in protected mode), but that has the impact of not automatically passing the login credentials for non-SAML external applications.
It's become a catch-22 of I can either get internal apps or external apps to automatically pass the login credentials but not both as IE cannot seem to traverse between Protected and Non Protected mode. Has anybody come across this?

James Flores (Okta, Inc.)
Hi Jim,

What's the use case in this scenario? Based on your description, it sounds like protected mode is doing what it's designed to do (https://msdn.microsoft.com/en-us/library/bb250462(v=vs.85).aspx). Protected mode is typically run on a server; do you have a large user base running IE in protected mode?

Based on your description this is what I understand:

*Non Protected Mode*
Local Intranet Zone (wildcard for entire name space via GPO)
Okta.com

*Protected Mode*
Local Intranet Zone has no settings
Okta.com
External Sites

If this is not the correct problem statement can you please help me understand the 2 scenarios? 
Jim O'Connor
Hi James,

The Zones are configured like this:

*Non Protected Mode*
Local Intranet Zone (wildcard for entire internal domain name space via GPO)
Trusted Sites Zone (we had to add Okta.com to this site so internal apps could properly pass the login credentials)

*Protected Mode*
Internet Zone (all External Sites not manually added to Trusted Sites like Okta.com)

So in the configuration above, internal applications launch perfectly using SSO but external non-SAML applications do not, as they stop with a blank user name and password. If I remove Okta.com from the Non Protected Mode Trusted Site Zone, then the reverse occurs: external non-SAML apps launch perfectly using SSO but now internal applications do not, as they stop with a blank user name and password.
James Flores (Okta, Inc.)
Hi Jim,

During these configurations, what is the status of the Okta plugin? It is the plugin that fills in the credentials of the non-SAML apps (SWA apps), so it would be helpful to know its status while this is happening.
Jim O'Connor
OktaBHO Enabled.
James Flores (Okta, Inc.)
You should be able to work around this by adding the various SWA app websites to the trusted zone in the IE security policy. While this needs to be done for each website you have a SWA app configured, that is currently the best workaround we have, given the nature of our plugin and the default security policies that Internet Explorer has.
This was selected as the best answer (chosen by Niki, Okta, Inc.)
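
To see which zone each policy-assigned site lands in, and whether that zone runs in Protected Mode (the mismatch discussed in this thread), an admin can read the IE policy registry keys. This is an added example, not code from the thread or from Okta; it assumes the sites are assigned through the "Site to Zone Assignment List" policy (`ZoneMapKey`), and the order in which the hives are checked is an assumed precedence.

```powershell
# Added example (read-only): list GPO site-to-zone assignments with each
# zone's Protected Mode state. Run as the affected user so HKCU is theirs.
$zoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
                3 = 'Internet';      4 = 'Restricted Sites' }
$inetSettings = 'Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProtectedModeState {
    param([int]$Zone)
    # URL action 2500 holds Protected Mode: 0 = enabled, 3 = disabled.
    # Assumption: policy hives take precedence over the user's own settings.
    $candidates = @(
        "HKLM:\SOFTWARE\Policies\$inetSettings\Zones\$Zone",
        "HKCU:\Software\Policies\$inetSettings\Zones\$Zone",
        "HKCU:\Software\$inetSettings\Zones\$Zone"
    )
    foreach ($key in $candidates) {
        $value = (Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue).'2500'
        if ($null -ne $value) {
            $state = if ($value -eq 0) { 'Enabled' } elseif ($value -eq 3) { 'Disabled' } else { "Unknown ($value)" }
            return [pscustomobject]@{ State = $state; Source = $key }
        }
    }
    # No explicit value found: IE uses its built-in default for the zone.
    [pscustomobject]@{ State = 'Not set (IE default)'; Source = $null }
}

function Get-PolicyZoneAssignment {
    # ZoneMapKey: value name = site pattern, value data = zone number (string).
    foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\Software') {
        $item = Get-Item -Path "$hive\Policies\$inetSettings\ZoneMapKey" -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($site in $item.GetValueNames()) {
            if (-not $site) { continue }   # skip the unnamed default value
            $zone = [int]$item.GetValue($site)
            [pscustomobject]@{
                Site          = $site
                Zone          = $zoneNames[$zone]
                ProtectedMode = (Get-ProtectedModeState -Zone $zone).State
                Hive          = $hive.Split(':')[0]
            }
        }
    }
}

Get-PolicyZoneAssignment | Sort-Object Zone, Site | Format-Table -AutoSize
```

Sites that do not appear in the output are not assigned by this policy and fall into whatever zone IE resolves for them by default.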
Jim O'Connor
This is exactly what we have been doing, but this creates a bit of a bottleneck for business users, since the IE settings are managed/locked down via GPO and users must open a support ticket and have an IT admin modify the GPO each time. Seeing as there doesn't seem to be a better option at this point, I guess we will continue to manage external SWA apps in this fashion. Thanks again James.
Mike Metzen
Was there any solution / outcome to this? Our Org is now facing the same issues where we can only use SWA for one or the other (internal v external).

Thanks in advance. Mike