During the installation of the Integrated Windows Authentication (IWA) agent, the installation process fails to create the Okta IWA Application Pool account because the LOCAL SERVICE account lacks Read access to the iisWasKey key. Granting the necessary Read permissions to the LOCAL SERVICE account resolves this issue. The IWA installation logs identify this failure with the following error message:
APPPOOL object "OktaIWA" added#ERROR ( hresult:80090016, message:Failed to commit configuration changes. #Keyset does not exist# )#|APP object "Default Web Site/IWA" added#VDIR object "Default Web Site/IWA" added#
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Integrated Windows Authentication (IWA) Desktop Single Sign-on (DSSO)
The LOCAL SERVICE account lacks Read access to the iisWasKey key, located in the %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys directory. The specific iisWasKey involved is the 76944fb33636aeddb9590521c2e8815a file.
How is the Okta IWA Application Pool creation failure resolved?
Grant the necessary permissions to the LOCAL SERVICE account by navigating to the MachineKeys directory, modifying the security properties of the specific key file, and adding Read access for the LOCAL SERVICE user.
- Navigate to the %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys directory.
- Right-click the 76944fb33636aeddb9590521c2e8815a file, and select Properties.
- Navigate to the Security tab, and click Edit. If a prompt appears to continue the operation, click Continue. The Permissions dialog box displays a list of group names and user names that have access to this key file.
- Click Add to open the Select Users, Computers, Service Accounts, or Groups dialog box.
- Enter LOCAL SERVICE into the text field, and click Check Names.
- Click OK.
- In the Group or user names list, select LOCAL SERVICE.
- Select the Read checkbox in the Permissions for LOCAL SERVICE list.
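The same change can be applied and verified from an elevated PowerShell session instead of the Properties dialog. The following script is an added example, not part of the Okta article or the IWA agent; it assumes the key file name begins with the value named above (MachineKeys file names may carry a suffix, so a prefix filter is used) and grants Read only, which is all the application pool needs to consume the key.

```powershell
# Added example (not Okta's own code): ensure LOCAL SERVICE has Read access to the iisWasKey file.
# Run in an elevated PowerShell session on the host where the IWA agent is being installed.
# Assumption: the file name starts with 76944fb33636aeddb9590521c2e8815a (an exact match also satisfies the filter).

$machineKeys = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Crypto\RSA\MachineKeys'
$keyFile = Get-ChildItem -Path $machineKeys -Filter '76944fb33636aeddb9590521c2e8815a*' -File -Force |
    Select-Object -First 1
if (-not $keyFile) { throw "iisWasKey file not found under $machineKeys" }

$localServiceName = 'NT AUTHORITY\LOCAL SERVICE'
$localService     = New-Object System.Security.Principal.NTAccount('NT AUTHORITY', 'LOCAL SERVICE')
$readRights       = [System.Security.AccessControl.FileSystemRights]::Read

$acl = Get-Acl -Path $keyFile.FullName

# Look for an existing Allow ACE for LOCAL SERVICE that already includes every Read right
# (FullControl or Modify would also satisfy this test, since they contain Read).
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $localServiceName -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readRights) -eq $readRights)
}

if ($hasRead) {
    Write-Output "LOCAL SERVICE already has Read on $($keyFile.Name); no change made."
} else {
    # Least privilege: grant Read only, never FullControl, on a private key container.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $localService,
        $readRights,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile.FullName -AclObject $acl
    Write-Output "Granted Read on $($keyFile.Name) to LOCAL SERVICE."
}

# Show the resulting entries for LOCAL SERVICE so the change can be confirmed before re-running the installer.
(Get-Acl -Path $keyFile.FullName).Access |
    Where-Object { $_.IdentityReference.Value -eq $localServiceName } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

After the script reports the Read entry, re-run the IWA agent installer; the "Keyset does not exist" error in the installation log should no longer appear.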
