Configuring a Service Principal Name (SPN) for Agentless DSSO
Overview

This article provides instructions for creating, viewing, and deleting a Service Principal Name (SPN) in Active Directory (AD) to enable Agentless Desktop Single Sign-on (Agentless DSSO) with Okta.

Applies To
  • Directories
  • Agentless DSSO
  • Okta Classic Engine
Cause

To enable Agentless DSSO with Okta, a service account must be created in Active Directory and a Service Principal Name (SPN) must be registered on that account. The SPN is what allows Kerberos authentication to be negotiated between Okta and Active Directory.

Solution

Follow these steps to configure an SPN for the service account.

  1. Create a new service account in Active Directory for use with Agentless DSSO. Ensure that AES 128 and AES 256 encryption are enabled on the account within AD.

[Image - ADSSO SPN - AES encryption enabled]

  2. Open a command prompt as an administrator on the domain controller where the service account was created.

  3. To configure an SPN for the service account, run the following command:

    setspn -S HTTP/<myorg>.kerberos.<okta|oktapreview|okta-emea>.com <ServiceAccountName>

    Replace <myorg> with the organization name and <okta|oktapreview|okta-emea> with the Okta domain that matches the instance. Replace <ServiceAccountName> with the name of the service account created in step 1. Ensure the casing of the service account name matches between AD and the SPN command.

  4. To view the SPN records already configured for the service account, run the following command:

    setspn -l <ServiceAccountName>

  5. To list every account in the domain forest that already holds this SPN, run the following command:

    setspn -F -Q HTTP/<myorg>.kerberos.<okta|oktapreview|okta-emea>.com

    Replace <myorg> with the organization name and <okta|oktapreview|okta-emea> with the Okta domain that matches the instance.

  6. To delete an existing SPN, run the following command:

    setspn -d HTTP/<myorg>.kerberos.<okta|oktapreview|okta-emea>.com <ServiceAccountName>

    Replace <myorg> with the organization name and <okta|oktapreview|okta-emea> with the Okta domain that matches the instance. Replace <ServiceAccountName> with the name of the service account from which the SPN should be deleted.

    The SPN can also be deleted via the Attribute Editor tab in Active Directory by clearing the value:

[Image - Attribute Editor in AD]

NOTE: Use a dedicated service account for DSSO and do not reuse it for other purposes. Also ensure that the service account has the permissions it needs to query and modify Active Directory records.

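The checks behind steps 1, 3, 4 and 5 above, gathered into one PowerShell script as an added example (this is not code from the Okta article). It assumes the ActiveDirectory PowerShell module (RSAT) is installed on the domain controller and that the caller is allowed to modify the account; the org name, Okta domain and account name are placeholders. Run without -Register to only report casing, AES and duplicate-SPN problems; add -Register to perform the equivalent of setspn -S once the checks pass.

```powershell
# Added example (not from the Okta article): pre-flight checks and SPN
# registration for an Agentless DSSO service account. Assumes the
# ActiveDirectory module (RSAT) is installed on the domain controller and the
# caller may modify the account. The org name, Okta domain and account name
# below are placeholders to replace.
param(
    [string]$OrgName        = 'myorg',      # placeholder: Okta org subdomain
    [ValidateSet('okta', 'oktapreview', 'okta-emea')]
    [string]$OktaDomain     = 'okta',       # Okta domain that matches the instance
    [string]$ServiceAccount = 'svc-dsso',   # placeholder: sAMAccountName, exact casing
    [switch]$Register                       # omit to run the checks only
)

Import-Module ActiveDirectory -ErrorAction Stop

$spn      = "HTTP/$OrgName.kerberos.$OktaDomain.com"
$problems = @()

# Step 3 check: the AD lookup is case-insensitive, but the article requires the
# casing used in the command to match the sAMAccountName stored in AD.
$acct = Get-ADUser -Identity $ServiceAccount `
    -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes'
if ($acct.SamAccountName -cne $ServiceAccount) {
    $problems += "Casing mismatch: AD stores '$($acct.SamAccountName)', command used '$ServiceAccount'"
}

# Step 1 check: AES 128 and AES 256 must both be enabled. In the
# msDS-SupportedEncryptionTypes bitmask AES128 is 0x08 and AES256 is 0x10.
# (To fix: Set-ADUser $acct -KerberosEncryptionType AES128,AES256)
$AES128 = 0x08; $AES256 = 0x10
$wanted = $AES128 -bor $AES256
$enc    = [int]($acct.'msDS-SupportedEncryptionTypes')   # $null becomes 0
if (($enc -band $wanted) -ne $wanted) {
    $problems += "AES not fully enabled (msDS-SupportedEncryptionTypes = $enc); expected bits 0x08 and 0x10"
}

# Step 5 check (domain-scoped equivalent of 'setspn -Q'): an SPN must be unique.
# If another object already holds it, the KDC cannot choose a key for the
# service ticket and DSSO will fail for that org.
$others = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
    Where-Object { $_.DistinguishedName -ne $acct.DistinguishedName }
if ($others) {
    $problems += "SPN '$spn' is already registered on: $($others.DistinguishedName -join '; ')"
}

# Stop before touching AD if anything is wrong.
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Pre-flight checks failed; SPN '$spn' was not registered."
}

if ($acct.servicePrincipalName -contains $spn) {
    Write-Host "SPN '$spn' is already present on $($acct.SamAccountName); nothing to do."
}
elseif ($Register) {
    # Equivalent of step 3's 'setspn -S <spn> <account>'.
    Set-ADUser -Identity $acct -ServicePrincipalNames @{ Add = $spn }
    Write-Host "Registered '$spn' on $($acct.SamAccountName)."
}
else {
    Write-Host "Checks passed. Re-run with -Register to add '$spn' to $($acct.SamAccountName)."
}

# Step 4 equivalent of 'setspn -l <account>': show what the account holds now.
(Get-ADUser -Identity $acct -Properties servicePrincipalName).servicePrincipalName
```

The script refuses to register when it finds a casing mismatch, missing AES support, or the same SPN on another object, because each of those produces a DSSO failure that is hard to diagnose after the fact; fixing them first is cheaper than tracing a failed Kerberos negotiation later.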