Enabling Agentless Desktop Single Sign-on (ADSSO) with Okta requires a service account and a Service Principal Name (SPN) in Active Directory (AD) to negotiate Kerberos authentication between Okta and AD.
Administrators can create and manage an SPN in AD to facilitate this integration.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Directories
- Agentless Desktop Single Sign-on (ADSSO)
How is a Service Principal Name configured for Agentless DSSO?
To manage an SPN for the service account, open a command prompt as an administrator and run the appropriate commands to create, view, or delete the SPN record.
What are the steps to create a new Service Principal Name?
To create a new SPN, create a service account in AD, open a command prompt, and execute the setspn command.
- Create a new service account in AD for use with Agentless DSSO. Enable AES 128 and AES 256 encryption on the account within AD.
- Open a command prompt as an administrator on the domain controller where the service account resides.
- Run the following command to configure an SPN for the service account:
setspn -S HTTP/<org>.kerberos.<okta|oktapreview|okta-emea>.com <ServiceAccountName>
Replace <org> with the organization name and <okta|oktapreview|okta-emea> with the appropriate Okta URL for the desired instance. Replace <ServiceAccountName> with the name of the new service account. Ensure the casing for the service account matches between AD and the SPN command.
What are the steps to view existing Service Principal Name records?
To view existing SPN records for a specific service account or the entire domain, run the appropriate setspn commands in the command prompt.
- To view existing SPN records configured for a service account, run the following command:
setspn -l <ServiceAccountName>
- To view all SPNs configured for the domain, run the following command:
setspn -F -Q HTTP/<org>.kerberos.<okta|oktapreview|okta-emea>.com
Replace <org> with the organization name and <okta|oktapreview|okta-emea> with the appropriate Okta URL for the instance.
What are the steps to delete an existing Service Principal Name?
To delete an existing SPN, execute the deletion command in the command prompt or erase the value directly in the AD Attribute Editor.
- Run the following command to delete an existing SPN:
setspn -d HTTP/<org>.kerberos.<okta|oktapreview|okta-emea>.com <ServiceAccountName>
Replace <org> with the organization name and <okta|oktapreview|okta-emea> with the appropriate Okta URL for the desired instance. Replace <ServiceAccountName> with the name of the service account from which the SPN requires deletion.
- Alternatively, delete the SPN via the Attribute Editor in AD by clearing the value from the servicePrincipalName attribute of the service account.
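The create, verify and delete steps above, carried out with the RSAT ActiveDirectory PowerShell module alongside setspn.exe, as an added example that is not Okta's own tooling. It assumes the module is installed, the session runs with rights to create users and write servicePrincipalName, and that the org name (acme), cell, OU path and account name are placeholders to replace with your own. Beyond the page's commands it also checks that the SPN is held by exactly one object, since a duplicate SPN leaves the KDC unable to pick a key and DSSO sign-ins fail, and that RC4 is not among the account's allowed encryption types.

```powershell
# Added example (not Okta's script): manage the Agentless DSSO SPN end to end.
# Assumptions: RSAT ActiveDirectory module present, elevated session with rights to
# create users and write servicePrincipalName; every default below is a placeholder.
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [string]$OktaOrg  = 'acme',                                   # placeholder org name
    [ValidateSet('okta', 'oktapreview', 'okta-emea')]
    [string]$OktaCell = 'oktapreview',                            # Okta cell hosting the org
    [string]$Account  = 'svc-okta-adsso',                         # placeholder dedicated account
    [string]$OuPath   = 'OU=Service Accounts,DC=corp,DC=example', # placeholder OU
    [switch]$Remove                                               # tear the SPN down instead
)

# The SPN Okta expects for Agentless DSSO: HTTP/<org>.kerberos.<cell>.com
$Spn = "HTTP/$OktaOrg.kerberos.$OktaCell.com"

function Get-SpnHolders {
    # Every object in the domain that already carries this SPN. An SPN may belong to
    # exactly one account; with two holders the KDC cannot choose a key and DSSO fails.
    param([string]$Name)
    return @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Name)")
}

function New-AdssoServiceAccount {
    # Dedicated account limited to AES session keys (no RC4/DES), as the procedure requires.
    $password = Read-Host -AsSecureString -Prompt "Password for $Account"
    New-ADUser -Name $Account -SamAccountName $Account -Path $OuPath `
        -AccountPassword $password -Enabled $true `
        -KerberosEncryptionType AES128,AES256 `
        -Description 'Okta Agentless DSSO Kerberos service account'
}

function Register-AdssoSpn {
    # Equivalent of: setspn -S <SPN> <account>. -S refuses duplicates on its own, but
    # checking first yields a clearer error that names the object already holding the SPN.
    $holders = Get-SpnHolders $Spn
    if ($holders.Count -gt 0) {
        throw "SPN $Spn is already registered on: $($holders.DistinguishedName -join '; ')"
    }
    & setspn.exe -S $Spn $Account
    if ($LASTEXITCODE -ne 0) { throw "setspn -S failed (exit code $LASTEXITCODE)" }
}

function Get-AdssoSpnState {
    # Verification equivalent to: setspn -L <account>, plus the checks the page calls out.
    $u = Get-ADUser -Identity $Account -Properties servicePrincipalName, KerberosEncryptionType
    [pscustomobject]@{
        Account        = $u.SamAccountName
        SpnRegistered  = [bool]($u.servicePrincipalName -contains $Spn)
        CaseMatchesAD  = ($u.SamAccountName -ceq $Account)        # -ceq is case-sensitive
        EncryptionType = [string]$u.KerberosEncryptionType        # expect "AES128, AES256"
        Rc4Allowed     = ([string]$u.KerberosEncryptionType) -match 'RC4'
        Holders        = (Get-SpnHolders $Spn).Count              # must be exactly 1
    }
}

function Unregister-AdssoSpn {
    # Equivalent of: setspn -D <SPN> <account>
    & setspn.exe -D $Spn $Account
    if ($LASTEXITCODE -ne 0) { throw "setspn -D failed (exit code $LASTEXITCODE)" }
}

if ($Remove) {
    Unregister-AdssoSpn
} else {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$Account'")) { New-AdssoServiceAccount }
    Register-AdssoSpn
}
Get-AdssoSpnState | Format-List
```

Run it from an elevated PowerShell session on a domain controller or a workstation with RSAT, passing `-OktaOrg`, `-OktaCell` and `-Account` for your environment; `-Remove` performs the deletion step. The state object it prints should show `SpnRegistered` and `CaseMatchesAD` as `True`, `Rc4Allowed` as `False` and `Holders` as `1` before you proceed with the Okta-side ADSSO configuration.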
NOTE: Okta recommends using a dedicated service account for Agentless DSSO and avoiding using the same service account for other purposes. Ensure that the service account has the necessary permissions to query and modify AD records.
