The following reconfiguration has been identified as part of the preparation needed to perform the upgrade to Okta Identity Engine (OIE). Note that additional Okta features may require reconfiguration or be disabled in order to complete the upgrade. This article explains the prerequisites for upgrading to Okta Identity Engine (OIE) when Agentless Desktop Single Sign-On (ADSSO) or Office 365 silent activation is in use.
The following error may be seen when attempting to upgrade:
Org has OFFICE365_WINDOWS_TRANSPORT_SUPPORT but not KERBEROS_ALIAS
- Okta Identity Engine Upgrade
- Agentless Desktop Single Sign-On
- Office 365 Silent Activation
- KERBEROS_ALIAS
If the KERBEROS_ALIAS feature flag is not enabled for these configurations, an upgrade blocker can occur. If KERBEROS_ALIAS is not enabled and ADSSO and silent activation are enabled using the classic registry key method, some configuration items must be completed prior to scheduling the upgrade.
- In the Admin Console, go to Security > Delegated Authentication to determine if Agentless Desktop SSO is configured.
-
Based on the configuration, follow the appropriate steps below.
-
- If Agentless Desktop SSO is NOT configured
- Contact Okta Support to enable the KERBEROS_ALIAS feature flag. No further action is required before the upgrade.
- If Agentless Desktop SSO is NOT configured
-
- If Agentless Desktop SSO IS configured
-
-
-
Modify the existing Active Directory (AD) service account. See Configure a service account for AD SSO for instructions.
-
Configure all web browsers on domain-joined devices to add the new Kerberos Validator URL.
-
For Windows instructions, see Configure browsers for SSO on Windows devices.
-
For macOS instructions, see Configure browsers for SSO on macOS devices.
-
-
After completing the reconfigurations, contact Okta Support to enable the KERBEROS_ALIAS feature flag before proceeding with the upgrade.
-
-
