Google Chrome version 81 and later disables NTLM and Kerberos authentication by default in incognito and guest sessions. This prevents Okta Desktop Single Sign-On (DSSO) from functioning in Agentless Desktop Single Sign-On (ADSSO) or Integrated Windows Authentication (IWA) modes. Administrators must modify the browser policy settings to re-enable ambient authentication for private sessions.
- Okta Classic Engine
- Okta Identity Engine (OIE)
- Desktop Single Sign-On (DSSO)
- Integrated Windows Authentication (IWA)
- Agentless Desktop Single Sign-On (ADSSO)
- Google Chrome
- Microsoft Edge
Google Chrome version 81 and later disables NTLM and Kerberos authentication by default in incognito and guest sessions. Microsoft Edge's behavior is identical because it utilizes the same Chromium engine. As a result, ambient authentication fails in these modes, which prevents Okta from completing DSSO authentication.
How is ambient authentication enabled for private browser sessions?
This setting is managed by the browser's AmbientAuthenticationInPrivateModesEnabled policy. Perform the following steps to verify the current status of the ambient authentication policy in the browser.
- For Google Chrome, enter chrome://policy/ in the address bar.
- Select the Show policies with no value set checkbox.
- Filter the results by entering AmbientAuthenticationInPrivateModesEnabled.
- For Microsoft Edge, enter edge://policy/ in the address bar.
- Select the Show policies with no value checkbox.
- Filter the results by entering AmbientAuthenticationInPrivateModesEnabled.
If the policy is not configured, ambient authentication is enabled only in regular sessions.
Apply the appropriate value to the AmbientAuthenticationInPrivateModesEnabled policy to configure ambient authentication behavior for Google Chrome and Microsoft Edge.
- 0: Enables ambient authentication in regular sessions only.
- 1: Enables ambient authentication in incognito and regular sessions.
- 2: Enables ambient authentication in guest and regular sessions.
- 3: Enables ambient authentication in regular, incognito, and guest sessions.
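To audit the same policy on a Windows machine without opening each browser, the following PowerShell is an added example, not part of the original article or Okta's tooling. It assumes the policy is delivered through the standard Software\Policies registry keys for Chrome and Edge, and it decodes the value using the meanings listed above.

```powershell
# Added example: list AmbientAuthenticationInPrivateModesEnabled as set in the
# registry for Chrome and Edge. Assumption: policy is delivered through the
# Software\Policies keys below (machine scope in HKLM, user scope in HKCU).
$policyName = 'AmbientAuthenticationInPrivateModesEnabled'

$browsers = [ordered]@{
    'Google Chrome'  = 'SOFTWARE\Policies\Google\Chrome'
    'Microsoft Edge' = 'SOFTWARE\Policies\Microsoft\Edge'
}

# Value meanings as listed in this article.
$meaning = @{
    0 = 'regular sessions only'
    1 = 'incognito and regular sessions'
    2 = 'guest and regular sessions'
    3 = 'regular, incognito, and guest sessions'
}

$report = foreach ($browser in $browsers.Keys) {
    foreach ($hive in 'HKLM', 'HKCU') {
        $key  = "${hive}:\$($browsers[$browser])"
        # Missing key or missing value both yield $null instead of an error.
        $item = Get-ItemProperty -Path $key -Name $policyName -ErrorAction SilentlyContinue

        if ($null -eq $item) {
            $value  = $null
            $effect = 'not configured in this hive'
        } else {
            $value  = [int]$item.$policyName
            $effect = if ($meaning.ContainsKey($value)) { $meaning[$value] } else { 'unrecognized value' }
        }

        [pscustomobject]@{
            Browser               = $browser
            Hive                  = $hive
            Value                 = $value
            AmbientAuthentication = $effect
        }
    }
}

$report | Format-Table -AutoSize
```

A browser with no configured value in either hive falls back to the default described above (regular sessions only). The chrome://policy/ or edge://policy/ page remains the reference for what the running browser actually applied.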
NOTE: Contact the browser vendor or consult the vendor's official documentation for the respective web browser for further assistance with policy configuration.
