Okta IWA is a lightweight Internet Information Services (IIS) web agent that enables Desktop Single Sign On (DSSO) on the Okta service. Desktop SSO allows users to be automatically authenticated by Okta and any apps accessed through Okta whenever they sign into the Windows network. The Okta IWA Web agent uses Microsoft's Integrated Windows Authentication (IWA) and ASP.NET to authenticate users from specified gateway IPs.
In some cases, users might be prompted for Okta credentials even though IWA DSSO is up and running.
This article presents a few reasons why users might be unable to log in automatically.
- Okta Classic Engine
- Directories
- IWA Desktop Single Sign On (DSSO)
- Active Directory Server
Potential Causes:
- The IP is not being routed for IWA authentication.
- The user does not exist in Okta.
- Browsers are not properly configured to work with IWA.
- Security apps are blocking access to the server.
- Issues/misconfiguration on the server side.
Depending on the cause, the issue is resolved by one or more of the following:
- The IP is not being routed for IWA authentication.
Okta redirects authentications through IWA only if the user's IP address is in a network zone configured for IWA authentication.
  - Log in to the Okta org, click Admin, and navigate to Security > Identity Providers > Routing Rules.
  - Make sure that there is a rule that directs the relevant networks to the IWA server for authentication.
- The user does not exist in Okta.
If the user who is logged in to the machine does not exist in Okta, they are prompted to authenticate in Okta because the server cannot find a matching account for the user in the Okta org. To resolve this, either enable JIT provisioning or run an import from AD to Okta so the user is imported.
- Browsers are not properly configured to work with IWA.
Browsers need specific settings to work with Okta IWA.
  - Make sure that all Okta domains and subdomains as well as the IWA URLs are allowlisted within Internet Options in Windows. Add the desired Okta tenant URL and the URL of the server that hosts the Desktop SSO IWA Web agent to the Local Intranet zone. Most organizations set up a Group Policy to configure this setting in their users' Internet options.
  - NOTE: Adding these sites to the Trusted Sites zone is not sufficient.
  - In Internet Options, click the Advanced tab, scroll down to the Security settings, and make sure Enable Integrated Windows Authentication is selected.
  - Enhanced Mode in Internet Explorer might cause IWA not to work properly.
  - Full browser configuration details can be found in Install and configure the Okta IWA Web agent for Desktop Single Sign-on, under the Configure Browsers section.
- Security apps are blocking access to the server.
Some environments have security apps or firewalls that block access to external networks. In this case, check with the IT security team and allowlist Okta domains and IPs on the server's security applications. The full Okta IP allowlist documentation can be found in Allow access to Okta IP addresses.
- Issues/misconfiguration on the server side.
Another cause is that the token issued during an IWA login may not reach the IWA web app on the server within the 30 seconds allowed for validating it. This can be due to latency, either on the server itself or because the region the users are located in does not have a fast enough connection to the IWA server. If a global load balancer is configured, it may also be because one or more servers behind it are unresponsive while others respond normally.
  - Checking the user's internet connection and the server's connectivity is always helpful.
  - Use the following query to find all unsuccessful IWA attempts in the System Log:
    eventType eq "user.authentication.auth_via_iwa" and outcome.result eq "FAILURE"
NOTE: If the authentication attempt does not reach the IWA URL/server, it is not recorded in the System Log as an IWA attempt at all, whether successful or unsuccessful.
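As an added example (not from this article or from Okta's own tooling), the following Python assembles the System Log API request for the query above and triages users who report being prompted, applying the caveat in the note: a user with no IWA event at all never reached the IWA server. The org domain, the SSWS token handling and the sample events are assumptions constructed for the example.

```python
from collections import Counter, defaultdict
from urllib.parse import urlencode, quote

IWA_EVENT = "user.authentication.auth_via_iwa"
# The System Log filter quoted in the article.
IWA_FAILURE_FILTER = f'eventType eq "{IWA_EVENT}" and outcome.result eq "FAILURE"'

def system_log_url(okta_domain, since, limit=200):
    """URL for GET /api/v1/logs with the filter above. Send it with an
    'Authorization: SSWS <api token>' header and follow the Link rel="next"
    response header to page through results (okta_domain is an assumption)."""
    q = urlencode({"filter": IWA_FAILURE_FILTER, "since": since, "limit": limit}, quote_via=quote)
    return f"https://{okta_domain}/api/v1/logs?{q}"

def triage(reported_users, events):
    """Bucket users who report a credential prompt. No IWA event at all means the
    request never reached the IWA server (the log only records attempts that get
    there): suspect routing rules, zone membership or a blocking firewall. A FAILURE
    event means it arrived: check the Okta account exists and the server responds."""
    seen, failures_by_ip = defaultdict(set), Counter()
    for ev in events:
        if ev.get("eventType") != IWA_EVENT:
            continue
        result = ev.get("outcome", {}).get("result")
        seen[ev.get("actor", {}).get("alternateId", "unknown")].add(result)
        if result == "FAILURE":
            failures_by_ip[ev.get("client", {}).get("ipAddress", "unknown")] += 1
    buckets = {"no_iwa_event": [], "iwa_failure": [], "iwa_success_only": []}
    for u in reported_users:
        if u not in seen:
            buckets["no_iwa_event"].append(u)
        elif "FAILURE" in seen[u]:
            buckets["iwa_failure"].append(u)
        else:
            buckets["iwa_success_only"].append(u)
    buckets["failures_by_ip"] = dict(failures_by_ip)
    return buckets

def event(etype, result, user, ip):
    """Constructed sample event: field layout follows the System Log schema, values are invented."""
    return {"eventType": etype, "outcome": {"result": result},
            "actor": {"alternateId": user}, "client": {"ipAddress": ip}}

SAMPLE_EVENTS = [
    event(IWA_EVENT, "FAILURE", "alice@example.com", "10.20.0.15"),
    event(IWA_EVENT, "FAILURE", "alice@example.com", "10.20.0.15"),
    event(IWA_EVENT, "SUCCESS", "carol@example.com", "10.20.0.17"),
    event("user.session.start", "SUCCESS", "bob@example.com", "10.30.0.5"),  # bob never hit IWA
]
```

Running `triage(["alice@example.com", "bob@example.com", "carol@example.com"], SAMPLE_EVENTS)` places bob in `no_iwa_event` (routing or firewall suspect) and alice in `iwa_failure` (account or server suspect), with the failure count per source IP alongside.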
