Okta Dashboard reports that an Integrated Windows Authentication (IWA) instance is offline, but the agent appears to function as intended. The Okta AD Agent and Okta IWA Agent are installed on the same host.
The following entry appears in the AD Agent logs (default location: C:\Program Files (x86)\Okta\Okta AD Agent\logs):
2018-08-31 11:36:06.561 Warning -- {HostName}(5) -- IWA Agent is down. IWA URL: https://{IWAServerURL}. Error: The remote server returned an error: (401) Unauthorized.
- Directories
- Active Directory
- IWA Desktop Single Sign On (DSSO)
- Okta Classic Engine
Windows Server's Loopback Security Check mechanism blocks access to a web application by its Fully Qualified Domain Name (FQDN) when the request originates from the same server that hosts the application and that server's hostname does not match the FQDN.
- For example, if both the AD Agent and IWA are installed on a server with the hostname "ADAGENT" and IWA is configured to use the URL "https://iwaserver.company.com", the loopback security check is triggered when the AD Agent performs its IWA health check against that URL from the same host. The request is rejected with the 401 Unauthorized error shown in the log, the health check fails, and Okta reports the IWA instance as offline.
Perform one of the two workarounds suggested in this Microsoft KB article:

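Of the two Microsoft workarounds, registering the IWA FQDN as a back-connection host name is the narrower one, since it exempts only that name rather than disabling the loopback check for the whole host. The PowerShell below is an added example, not code from the Okta article or from Microsoft's KB; it assumes the FQDN iwaserver.company.com from the example above and must run in an elevated session on the server that hosts both agents.

```powershell
# Added example (not from the Okta article): registers the IWA FQDN as a
# trusted back-connection host name so the AD Agent's health check from the
# same host passes Windows' loopback check. This is the narrower of the two
# Microsoft workarounds; DisableLoopbackCheck=1 turns the check off entirely.
# Assumed value: the FQDN "iwaserver.company.com" from the article's example.
$IwaFqdn   = 'iwaserver.company.com'
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key   = Join-Path $LsaKey 'MSV1_0'
$ValueName = 'BackConnectionHostNames'

# Read any host names already registered (REG_MULTI_SZ) so we append rather than overwrite.
$existing = @()
$current  = Get-ItemProperty -Path $Msv1Key -Name $ValueName -ErrorAction SilentlyContinue
if ($current) { $existing = @($current.$ValueName) }

if ($existing -contains $IwaFqdn) {
    Write-Host "$IwaFqdn is already listed in $ValueName."
} else {
    $updated = $existing + $IwaFqdn
    if ($current) {
        Set-ItemProperty -Path $Msv1Key -Name $ValueName -Value $updated
    } else {
        New-ItemProperty -Path $Msv1Key -Name $ValueName -PropertyType MultiString -Value $updated | Out-Null
    }
    Write-Host "Added $IwaFqdn to $ValueName."
}

# Flag the broader workaround if it is already present, since it removes the
# protection for every name on this host, not just the IWA FQDN.
$loopback = Get-ItemProperty -Path $LsaKey -Name 'DisableLoopbackCheck' -ErrorAction SilentlyContinue
if ($loopback -and $loopback.DisableLoopbackCheck -eq 1) {
    Write-Warning "DisableLoopbackCheck is set to 1 on this host; the loopback check is disabled globally."
}

# Show the effective list. The new name is honoured after the IISAdmin service
# (which the IWA Agent runs under) is restarted, or after a reboot.
(Get-ItemProperty -Path $Msv1Key -Name $ValueName).$ValueName
```

After restarting IISAdmin, confirm that the "IWA Agent is down" warning no longer appears in the AD Agent log and that the Okta Dashboard shows the IWA instance online.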