Original Author: Lee Tschetter, Sr Sales Engineer, Okta
Due to changes in IIS 7.5 and higher, there are some additional steps required to get the Okta DSSO (IWA) Agent working on Windows Server 2012 and 2012R2. This document is intended to help Okta administrators properly configure a server to allow the DSSO agent to work correctly in their environment.
First, open the "Add Roles and Features Wizard" on the server where you want to install Desktop SSO.
Click Next, choose "Role-based or feature-based installation" and click Next.
Select the local server and click Next.
Choose the "Application Server" and "Web Server (IIS)" roles.
If you receive a notification like this one, you should click on "Add Features". This will add any missing dependencies.
Click the "Next" button in the bottom right to continue to "Features".
Under the "Features" section you will need to make sure the options shown below under ".NET Framework 3.5 Features" and ".NET Framework 4.5" are checked:
Click Next, and Next again, to advance to the "Web Server (IIS) Role" role services.
In the "Web Server Role"/"Role Services" section make sure "Windows Authentication", "IIS Management Console", and "Management Service" are checked.
Click Next, and Next again to advance to the "Application Server"/"Role Services" section.
Check "Web Server (IIS) Support" under "Application Server"/"Role Services".
Click Next to advance to the confirmation screen, then click Install to finish the setup wizard. The install may take a few minutes to complete.
Once finished, run the Okta Desktop SSO (IWA) Agent installation wizard. The installer will finish the rest of the IIS configuration automatically and the server will show up in Okta as a Desktop SSO host.
If you run into issues with the service account required by the IWA Agent installation wizard, you may need to give the OktaService account (or other domain service account used in the wizard) the "Log On as Batch Job" permission on the machine.
You can now test the Desktop SSO server by going to http://<servername>/IWA/ in your browser or by configuring Okta to use DSSO in test mode in your admin console.
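The following PowerShell check is an added example, not part of the original Okta document: it verifies the roles and role services selected in the wizard steps above and whether the service account is directly assigned "Log On as Batch Job". The feature names are the Server Manager names assumed to correspond to the wizard labels, `EXAMPLE\OktaService` is a placeholder account, and only the parent .NET feature groups are checked because the page does not list the individual options.

```powershell
# Added example: run in an elevated PowerShell session on the
# Windows Server 2012 / 2012 R2 host before starting the IWA Agent installer.
Import-Module ServerManager

# Assumption: wizard labels mapped to Server Manager feature names.
$required = [ordered]@{
    'Application-Server'        = 'Application Server role'
    'AS-Web-Support'            = 'Application Server > Web Server (IIS) Support'
    'Web-Server'                = 'Web Server (IIS) role'
    'Web-Windows-Auth'          = 'Windows Authentication'
    'Web-Mgmt-Console'          = 'IIS Management Console'
    'Web-Mgmt-Service'          = 'Management Service'
    'NET-Framework-Features'    = '.NET Framework 3.5 Features (parent group only)'
    'NET-Framework-45-Features' = '.NET Framework 4.5 Features (parent group only)'
}

$missing = @()
foreach ($name in $required.Keys) {
    $feature = Get-WindowsFeature -Name $name
    $ok = [bool]($feature -and $feature.Installed)
    if (-not $ok) { $missing += $name }
    '{0,-9} {1}' -f $(if ($ok) { 'OK' } else { 'MISSING' }), $required[$name]
}
if ($missing) {
    Write-Warning "Not installed: $($missing -join ', ')"
    # To add them without the wizard: Install-WindowsFeature -Name $missing
}

# "Log On as Batch Job" (SeBatchLogonRight) for the agent's service account.
$account = 'EXAMPLE\OktaService'   # placeholder: use the account given to the wizard
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeBatchLogonRight\s*=' | Select-Object -First 1
Remove-Item $cfg

$holders = if ($line) {
    ($line.Line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
} else { @() }

# Only direct assignment is checked; a grant through group membership is not resolved.
if ($holders -contains $sid -or $holders -contains $account) {
    "OK        $account holds SeBatchLogonRight"
} else {
    Write-Warning "$account is not directly assigned SeBatchLogonRight"
}
```

Grant the right only to the dedicated service account rather than to a broad group, so the set of accounts able to log on as a batch job on the server stays minimal.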