HTTP 500 Internal Server Error Occurs When Logging In via Okta IWA
Okta Classic Engine
Directories
Overview

Okta generates an HTTP 500 error during authentication via Integrated Windows Authentication (IWA) because the IIS_IUSRS group lacks the required impersonation permissions. Resolving this issue requires updating the Group Policy Object (GPO) and NTFS permissions to grant the necessary rights to the IIS_IUSRS group.

Users experience authentication failures and receive the following error during the login process:

HTTP 500.0 - Internal Server Error

Error Code 0x80070542

Applies To
  • Okta Classic Engine
  • Desktop Single Sign-On (DSSO)
  • Integrated Windows Authentication (IWA)
Cause

The IIS_IUSRS group lacks the "Impersonate a client after authentication" permission.

 

Solution

What steps resolve the HTTP 500 error for IWA authentication?

 

To resolve the authentication error, update the Group Policy Object (GPO) and NTFS permissions to grant the IIS_IUSRS group the necessary impersonation rights, and then reset the web server.

  1. Add the local IIS_IUSRS group to a GPO that permits "Impersonate a client after authentication" as a user-right assignment, and apply this policy to the web server.
    NOTE: Direct application to the local security policy is not feasible in some scenarios.
  2. Add the IIS_IUSRS group to the NTFS permissions for the <drive_letter>:\inetpub\wwwroot folder.
  3. Run the GPUPDATE command to update Group Policies and the IISRESET command to reset the IIS web server.
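
One way to confirm that steps 1 and 2 took effect before restarting IIS, as an added PowerShell example that is not part of the original article or Okta's tooling. It assumes an elevated session on the IWA web server and a web root on the system drive (pass -WebRoot otherwise); the script's variable names and temp file name are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example (not Okta tooling). Run on the IWA web server after the GPO and NTFS changes.
param(
    # Assumption: IIS content lives on the system drive; pass the real path otherwise.
    [string]$WebRoot = "$env:SystemDrive\inetpub\wwwroot"
)

$iisIusrsSid = 'S-1-5-32-568'   # well-known SID of the local IIS_IUSRS group

# Step 3 (first half): pull the updated Group Policy onto this server.
gpupdate /force | Out-Null

# Step 1 check: export the effective user-rights assignments and read
# SeImpersonatePrivilege ("Impersonate a client after authentication").
$cfg = Join-Path $env:TEMP 'iwa-user-rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$entry = Select-String -Path $cfg -Pattern '^SeImpersonatePrivilege\s*=' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($entry) {
    # Value is a comma-separated list; SIDs carry a leading '*'.
    $holders = ($entry.Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}
$hasRight = ($holders -contains $iisIusrsSid) -or ($holders -contains 'IIS_IUSRS')

# Step 2 check: list the ACEs that name IIS_IUSRS on the web root.
$aces = @((Get-Acl -Path $WebRoot).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $iisIusrsSid })

"Impersonation right held by IIS_IUSRS : $hasRight"
"ACEs for IIS_IUSRS on ${WebRoot}: $($aces.Count)"
$aces | Format-Table FileSystemRights, AccessControlType, IsInherited | Out-String

# Step 3 (second half): restart IIS only when both prerequisites are in place.
if ($hasRight -and $aces.Count -gt 0) {
    iisreset
} else {
    Write-Warning 'Prerequisite missing; fix the GPO or NTFS entry and run again.'
}
```

If the impersonation check still reports False after the refresh, the GPO carrying the user-right assignment is not reaching this server.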
