This article explains how to resolve an upgrade blocker for the Okta Identity Engine (OIE). An upgrade to OIE cannot be scheduled if Integrated Windows Authentication (IWA) routing rules are active. The reconfiguration described here has been identified as part of the preparation needed to perform the upgrade. Note that additional Okta features may require reconfiguration or be disabled in order to complete the upgrade.
- Okta Identity Engine (OIE)
- Integrated Windows Authentication (IWA)
- On-Premises Desktop Single Sign-On (DSSO)
- Mutual Transport Layer Security (MTLS) Desktop Device Trust
Okta IWA User Authentication is not supported on OIE. The remediation must be completed before the upgrade can be scheduled. After the upgrade, administrators can no longer modify or change IWA configurations.
The IWA routing rules must be deleted to resolve the issue. Users with on-premises DSSO fall into one of two categories.
Users requiring Desktop SSO to authenticate should upgrade to Agentless Desktop Single Sign-on (ADSSO):
- Configure Agentless Desktop Single Sign-on.
- Delete IWA (OnPremDSSO) IdP routing rules.
Users using on-premises DSSO for the installation of Desktop Device Trust certificates:
- Delete IWA (OnPremDSSO) IdP routing rules.
NOTE: After the upgrade to OIE is complete, it is recommended to implement managed devices. For instructions, see Replace Desktop Device Trust with Okta FastPass.
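To confirm that no IWA (OnPremDSSO) routing rules remain before scheduling the upgrade, the rule list can be checked programmatically. The following is an added example, not Okta's own code: it assumes the routing rules have been exported as JSON in the shape used by Okta's Policy API for IdP discovery rules, with the provider type string `IWA`. The sample IDs and names are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample: rules of an IdP discovery (routing) policy.
# Field names are an assumption modelled on Okta's Policy API output.
SAMPLE_RULES = json.loads("""
[
  {"id": "rule-001", "name": "On-network desktops", "status": "ACTIVE",
   "actions": {"idp": {"providers": [{"type": "IWA", "id": "idp-iwa-01"}]}}},
  {"id": "rule-002", "name": "Legacy IWA (disabled)", "status": "INACTIVE",
   "actions": {"idp": {"providers": [{"type": "IWA", "id": "idp-iwa-01"}]}}},
  {"id": "rule-003", "name": "Partner SAML", "status": "ACTIVE",
   "actions": {"idp": {"providers": [{"type": "SAML2", "id": "idp-saml-07"}]}}},
  {"id": "rule-004", "name": "Default Rule", "status": "ACTIVE",
   "actions": {"idp": {"providers": [{"type": "OKTA"}]}}},
  {"id": "rule-005", "name": "Malformed export row", "status": "ACTIVE"}
]
""")

IWA_PROVIDER_TYPE = "IWA"  # assumption: provider type for on-premises DSSO


def routes_to_iwa(rule):
    """True if any provider the rule routes to is of the IWA type."""
    idp = (rule.get("actions") or {}).get("idp") or {}
    providers = idp.get("providers") or []
    return any(p.get("type") == IWA_PROVIDER_TYPE for p in providers)


def find_iwa_rules(rules):
    """Return (id, name, status) for every rule that still routes to IWA."""
    return [(r.get("id"), r.get("name"), r.get("status"))
            for r in rules if routes_to_iwa(r)]


def ready_to_schedule(rules):
    """The blocker is resolved only once every IWA routing rule is deleted."""
    return not find_iwa_rules(rules)


if __name__ == "__main__":
    for rule_id, name, status in find_iwa_rules(SAMPLE_RULES):
        print(f"delete before upgrade: {rule_id} {name!r} ({status})")
    print("ready to schedule:", ready_to_schedule(SAMPLE_RULES))
```

Rules without an `actions` block are skipped rather than raising an error, so a partial export does not hide the IWA rules that are present.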
