Desktop SSO Failing with "Error 503: The service is unavailable"
Okta Classic Engine
Directories
Overview

Users are experiencing the following error when attempting to access Okta:

HTTP Error 503: The service is unavailable 

This error message is accompanied by the following symptoms:

  • An email from Okta with the subject "IWA Application ______ health check failed" might be received.
  • The IWA Application is listed as Offline in the Security > Delegated Authentication page of the Okta Admin Console.
  • A 5021 event appears in the server's System event log, indicating:

The identity of application pool OktaIWA is invalid.

  • The DefaultAppPool and OktaIWA application pools may be changed to Stopped status during the IWA login flow.

Event log shows:


Warning <Date & Time> Microsoft-Windows-WAS 5057 None Application pool OktaIWA has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.

Warning <Date & Time> Microsoft-Windows-WAS 5021 None The identity of application pool OktaIWA is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

Cause

The user account supplied when installing the IWA Agent (OktaService by default) does not have "Log on as a batch job" permission on the server.

  • If the server had previously been working properly, a Group Policy change may have removed permissions from the account.

This behavior may also occur when the password for the Okta service account is changed and the Active Directory (AD) agent is reinstalled. 

Solution

If the OktaService account for the IWA Agent is configured without the "Log on as a batch job" permission:

  1. Launch the Group Policy Management Console and examine Group Policies to determine whether any might be specifying what accounts have "Log on as a batch job" permission:
    • This policy is located in Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Management and, if configured, will be displayed in the Settings tab of the selected policy.
  2. If a Group Policy is found that sets the "Log on as a batch job" permission, modify the policy to include the user account that was used during the IWA Agent installation. This account is detailed in IIS by expanding ServerName > Application Pools.
    • The gpupdate /force command can be run from the server's command line to manually force the policy change to be applied.
  3. If no Group Policy is configured to set the "Log on as a batch job" permission, launch the Local Security Policy console on the affected IWA server (Start > Run > secpol.msc).
  4. Navigate to Local Policies > User Rights Management, double-click Log on as a batch job, and add the user account that was used during the IWA Agent installation.
  5. Launch IIS Manager on the affected IWA server.
  6. In the left pane, navigate to ServerName > Sites > Default Web Site.
  7. In the Actions pane on the right, click Restart.
  8. Test to see if the issue has been resolved.

 

If the identity credentials for the OktaIWA and DefaultAppPool application pools are incorrect:

  1. In IIS, select ServerName > Application Pools, right-click OktaIWA or DefaultAppPool, choose Advanced Settings, and locate Identity.
  2. Click Set and enter the credentials for the service account.
  3. Restart the DefaultAppPool and OktaIWA application pools.
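The following read-only PowerShell diagnostic checks both causes above (missing "Log on as a batch job" right and the identity configured on each pool) and pulls the matching WAS events. It is an added example, not Okta's own tooling, and assumes the IIS WebAdministration module, an elevated session on the IWA server, and the default pool names OktaIWA and DefaultAppPool.

```powershell
# Added diagnostic example (not part of Okta's documentation). Assumes the
# WebAdministration module and an elevated session on the IWA server.
Import-Module WebAdministration

function Test-IwaAppPoolIdentity {
    param([string[]]$AppPoolName = @('OktaIWA', 'DefaultAppPool'))

    # Export the effective user-rights assignments; SeBatchLogonRight is the
    # internal name of "Log on as a batch job".
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like 'SeBatchLogonRight*' }
    Remove-Item $cfg -ErrorAction SilentlyContinue

    # Right-hand side is a comma-separated list of SIDs (prefixed '*') or names.
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1].Trim() -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }

    foreach ($name in $AppPoolName) {
        $pool    = Get-ItemProperty "IIS:\AppPools\$name"
        $account = $pool.processModel.userName   # blank = built-in identity
        $state   = (Get-WebAppPoolState -Name $name).Value
        $hasRight = $false
        if ($account) {
            try {
                $sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
                # Direct grant only; a grant through group membership is not detected here.
                $hasRight = ($holders -contains $sid) -or ($holders -contains $account)
            } catch { $account = "$account (unresolvable - check name/password)" }
        }
        [pscustomobject]@{
            AppPool = $name; State = $state; Identity = $account
            HasBatchLogonRight = $hasRight
        }
    }
}

# The 5021/5057 warnings from the symptoms section confirm a rejected identity.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WAS'; Id = 5021, 5057 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

Test-IwaAppPoolIdentity | Format-Table -AutoSize
```

A pool whose State is Stopped and whose HasBatchLogonRight is False points to the Group Policy fix above; an unresolvable Identity points to the credential fix.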
