Okta IWA Server Shows as Offline When Changing the Failover Option
Overview

When the failover option is set to redirect to a backup Integrated Windows Authentication (IWA) server, the Okta IWA server can display as offline in the Okta Admin Console. This occurs because the Okta Active Directory (AD) Agent's health check of the IWA server fails: communication is blocked by a firewall, Okta addresses are missing from an allowlist, or the host has an environmental issue. Resolve this by configuring security applications to permit Okta traffic, updating IP allowlists, and verifying the health of the host server and Internet Information Services (IIS).

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Directories
  • Active Directory (AD)
  • Okta Integrated Windows Authentication (IWA) Desktop Single Sign-On (DSSO)
Cause

The Okta Admin Console provides failover configuration options for the IWA Web App under Security > Delegated Authentication, in the Failover option of the On-Prem Desktop SSO section.

If the configuration uses the Redirect to backup IWA if primary goes offline option, Okta switches to a healthy IWA Web App if the primary IWA Web App goes offline. The AD Agent checks the health of each IWA Web App setup by periodically sending requests to each IWA server. If a server does not respond, Okta considers the server offline and displays an offline notification.

If the failover configuration uses the Only redirect to primary IWA agent or Only redirect to the following URL option, Okta does not send requests to the server or expect a response. Therefore, the IWA server displays as active in Okta even if the server is down.

A failed health check indicates the Okta AD Agent cannot communicate with the Okta IWA Agent. Common causes include:

  • Security applications residing on the server, such as firewalls, block communication.
  • Okta domains and IP addresses are missing from the allowlist.
  • Environmental issues with IIS, the operating system, or the network prevent communication.

For additional context on agents that show as offline yet still process authentication requests, review the article IWA DSSO Agent is Offline but DSSO Authentication Still Functions.

Review the failover configuration settings in the Okta Admin Console to determine the current routing behavior for the IWA Web App.

Figure: Okta Admin IWA agent failover configuration

Solution

How is the offline IWA server issue resolved?

Verify the server security settings, update the network allowlists, and confirm the operational status of the host server and IIS to restore communication with Okta.

  • Check security applications and firewalls on the server and ensure they permit communication from the AD Agent and responses to Okta.
  • Ensure Okta domains and IP addresses exist on the appropriate allowlists.
  • Review the health of the host server and IIS.
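As an added diagnostic for the three steps above (example code, not Okta's own tooling), the following PowerShell script is run on the IWA Web App host and reports whether IIS is running, whether the HTTP/HTTPS ports are listening, whether an enabled inbound Windows Firewall Block rule covers those ports, and whether the IWA site answers a local request. The site URL in `$IwaUrl` is a placeholder to replace with your own, and the port list and the IIS service name `W3SVC` are assumptions based on a default IIS installation.

```powershell
# Added diagnostic (not Okta's code). Run as an administrator on the IWA Web App host.
# It only reads state; it changes nothing.
param(
    [string]$IwaUrl = "https://iwa.example.internal/",   # placeholder: your IWA site URL
    [int[]]$Ports   = @(80, 443)                          # assumption: default HTTP/HTTPS ports
)

$results = [ordered]@{}

# 1. IIS must be running for the IWA Web App to answer the AD Agent's health checks.
$w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
$results['IIS service (W3SVC) running'] = ($null -ne $w3svc -and $w3svc.Status -eq 'Running')

# 2. Something must be listening on the HTTP/HTTPS ports; if not, IIS bindings are wrong.
foreach ($p in $Ports) {
    $listening = Get-NetTCPConnection -State Listen -LocalPort $p -ErrorAction SilentlyContinue
    $results["Port $p listening"] = ($null -ne $listening)
}

# 3. An enabled inbound Block rule on these ports makes the agent's request fail
#    even while the site itself is healthy. List such rules so they can be reviewed.
$blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        if ($pf.Protocol -ne 'TCP') { return $false }
        if ($pf.LocalPort -eq 'Any') { return $true }
        foreach ($p in $Ports) { if ($pf.LocalPort -contains "$p") { return $true } }
        return $false
    }
$results['No inbound firewall Block rule on HTTP/HTTPS'] = (-not $blockRules)
if ($blockRules) {
    $blockRules | ForEach-Object { Write-Warning "Blocking rule: $($_.DisplayName)" }
}

# 4. The site responds locally. Any HTTP status counts as a response (IWA normally answers
#    unauthenticated clients with 401); only a connection failure counts as "no response".
try {
    $resp = Invoke-WebRequest -Uri $IwaUrl -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
    $results["Site responded (HTTP $($resp.StatusCode))"] = $true
} catch {
    if ($_.Exception.Response) {
        $code = [int]$_.Exception.Response.StatusCode
        $results["Site responded (HTTP $code)"] = $true
    } else {
        $results["Site responded ($($_.Exception.Message))"] = $false
    }
}

# Summary: every FAIL line maps to one of the article's three remediation steps.
$results.GetEnumerator() | ForEach-Object {
    $status = if ($_.Value) { 'PASS' } else { 'FAIL' }
    '{0,-4} {1}' -f $status, $_.Key
}
```

A FAIL on the service or port checks points at the IIS and host health step, a FAIL on the firewall check at the security-application step, and a local PASS on the site check combined with an offline status in Okta points at something between the AD Agent host and this server, such as a network firewall or a missing allowlist entry.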
