Resolving "500 Internal Server Error" Seen when Logging in Okta via IWA
Okta Classic Engine
Directories
Overview

This article offers a solution to the problem where users encounter the following error when logging into Okta using Integrated Windows Authentication (IWA):

 

HTTP 500.0 - Internal Server Error


Error Message 

The error code associated with this issue is 0x80070542.

Applies To
  • Desktop Single Sign-On (SSO) via Integrated Windows Authentication (IWA)

  • Okta Classic Engine
Cause

The IIS_IUSRS group does not have “Impersonate a client after authentication” permission.

Solution

To solve this issue, follow the steps provided by Microsoft in ERROR 500.0 | Internal Server Error | AuthenticateRequest | StaticFile | 0x80070542. Here is a brief summary of these steps:

  1. Add the local IIS_IUSRS group to a Group Policy Object (GPO) that permits "Impersonate a client after authentication" as a user-right assignment. Apply this policy to the web server. Note that direct application to the local security policy may not be feasible in some scenarios.

  2. Add the IIS_IUSRS group to the NTFS permissions for the D:\inetpub\wwwroot folder.

  3. Execute the commands GPUPDATE (to update Group Policies) and IISRESET (to reset the IIS web server).

By following these steps, the 500 Internal Server Error encountered by users logging into Okta via IWA can be alleviated.
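
To confirm that the three steps took effect on the web server, a check along the following lines can be run. This is an added example, not part of the Okta or Microsoft instructions. It assumes an elevated PowerShell prompt, the web root D:\inetpub\wwwroot, and that IIS_IUSRS is the built-in local group with the well-known SID S-1-5-32-568.

```powershell
# Added verification sketch (not Okta's or Microsoft's code); run elevated on the IWA web server.
$webRoot   = 'D:\inetpub\wwwroot'      # assumption: path from step 2, adjust if the site lives elsewhere
$groupSid  = 'S-1-5-32-568'            # well-known SID of BUILTIN\IIS_IUSRS
$rightName = 'SeImpersonatePrivilege'  # constant behind "Impersonate a client after authentication"

# Step 3, first half: refresh Group Policy so the GPO from step 1 is applied.
gpupdate | Out-Null

# Export the effective user-rights assignments and read the impersonation entry.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$entry = Select-String -Path $cfg -Pattern "^$rightName\s*=" | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# The entry is a comma-separated list of "*SID" values or account names.
$holders = @()
if ($entry) {
    $holders = @(($entry.Line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') })
}
$hasRight = ($holders -contains $groupSid) -or
            [bool]($holders -match '(^|\\)IIS_IUSRS$')

# Step 2: look for an Allow entry (explicit or inherited) for IIS_IUSRS on the web root.
$rules = (Get-Acl -Path $webRoot).GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])
$hasAcl = [bool]($rules | Where-Object {
    $_.IdentityReference.Value -eq $groupSid -and $_.AccessControlType -eq 'Allow'
})

[pscustomobject]@{
    ImpersonateRightGranted = $hasRight
    NtfsAllowEntryPresent   = $hasAcl
}

# Step 3, second half: restart IIS only once both prerequisites are in place.
if ($hasRight -and $hasAcl) {
    iisreset
} else {
    Write-Warning 'IIS_IUSRS is missing the user right or the NTFS entry; recheck steps 1 and 2.'
}
```

If `ImpersonateRightGranted` stays false after `gpupdate`, check that the GPO from step 1 is actually linked to the web server, for example with `gpresult /r`.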
