Desktop Single Sign On (Integrated Windows Authentication) is a feature that allows users to authenticate with Okta using their Windows domain credentials without having to enter their username and password again. However, users may encounter an issue where Desktop Single Sign On (SSO) fails with the error:
LoginResult=UNKNOWN_USER
This article will guide readers through the cause and resolution of this issue.
- Directories
- Desktop Single Sign-On (DSSO)
- Integrated Windows Authentication (IWA)
- Okta Classic Engine
This error occurs because the Userid retrieved from the Kerberos ticket does not match the UserPrincipalName specified in that ticket: when the IWA site's path credentials are set to the Okta service account, that account's UPN replaces the end user's Userid, so Okta cannot map the request to a known user.
To resolve this issue, modify the Pass-through authentication to use 'Application user (pass-through authentication)' instead of defining the Okta service account in the Path credentials. Here are the steps to follow:
- Open IIS Manager.
- Select IWA from the Sites in the Connections pane.
- Right-click Authentication from the center pane.
- Select Basic Settings...
- Click Connect as... in Pass-through authentication.
- Select Application user (pass-through authentication) and then click OK.
- Reset IIS.
This resets IIS and changes the pass-through authentication setting from the Okta service account defined in the path credentials to 'Application user (pass-through authentication)', which should resolve the LoginResult=UNKNOWN_USER error.
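The same change can be checked and applied from PowerShell instead of IIS Manager. The script below is an added example and is not part of the Okta article; it assumes the WebAdministration module is available, that the DSSO site is named IWA (as in the steps above), and that its root application and virtual directory are both at path '/'.

```powershell
# Added example (not from the Okta article): check whether the IWA site's
# physical path credentials are set to a specific account, then clear them,
# which is what IIS Manager does when you choose
# 'Application user (pass-through authentication)' under Connect as...
Import-Module WebAdministration

$SiteName = 'IWA'   # assumption: site name as shown in IIS Manager
$Filter   = "system.applicationHost/sites/site[@name='$SiteName']/application[@path='/']/virtualDirectory[@path='/']"

# 1. Check: a non-empty userName means 'Specific user' (e.g. the Okta service
#    account) is configured as the path credential, the condition behind
#    LoginResult=UNKNOWN_USER.
$current = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Filter $Filter -Name 'userName').Value
if ([string]::IsNullOrEmpty($current)) {
    Write-Host "Site '$SiteName' already uses pass-through authentication; nothing to change."
    return
}
Write-Host "Site '$SiteName' path credentials are set to '$current'; switching to pass-through."

# 2. Fix: clearing userName and password selects pass-through authentication.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter $Filter -Name 'userName' -Value ''
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter $Filter -Name 'password' -Value ''

# 3. Reset IIS so the worker process picks up the new configuration.
iisreset
```

Run it from an elevated PowerShell session on the IWA server; re-run it afterwards to confirm the check reports pass-through authentication before testing DSSO again.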
