This article addresses Integrated Windows Authentication (IWA)/Desktop Single Sign On (DSSO), which fails with the following error when SSL certificates are placed in the personal store.
403 error code
It highlights the symptoms of this issue and offers a resolution for users who are experiencing it.
Symptoms:
- When IWA/DSSO is disabled, device trust works.
- When the device trust certificate is removed, IWA/DSSO works.
Applies To:
- IWA
- Desktop Single Sign On (DSSO)
- Device Trust
The root cause of this issue is the SSL certificate setting for client certificates in IIS, which is set to Accept by default. This setting prevents IWA/DSSO/Device Trust from working properly with SSL certificates in the personal store, resulting in a 403 error code.
To resolve this issue, change the SSL certificate setting in IIS from Accept to Ignore. This allows IWA/DSSO/Device Trust to function properly with SSL certificates in the personal store. Follow these steps to modify the SSL certificate setting in IIS:
- Open Internet Information Services (IIS) Manager.
- Navigate to the website where the SSL certificate is installed.
- Select the website and open SSL Settings.
- Change the SSL setting for client certificates from Accept to Ignore.
- Save the changes and restart IIS.
- After making these changes, test IWA/DSSO/Device Trust to confirm that the issue has been resolved.
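The same setting can be checked and changed from PowerShell. The script below is an added example, not Okta's own tooling. It assumes the WebAdministration module is available and uses `Default Web Site` as a placeholder site name. IIS stores the client certificate choice in the `sslFlags` attribute (`SslNegotiateCert` = Accept, `SslRequireCert` = Require, neither = Ignore).

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.
param(
    [string]$SiteName = 'Default Web Site',  # assumption: replace with the site hosting IWA
    [switch]$Apply                            # without -Apply the script only reports
)
Import-Module WebAdministration

# Map an sslFlags string to the label IIS Manager shows under "Client certificates".
function Get-ClientCertMode([string]$SslFlags) {
    $flags = $SslFlags -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    if ($flags -contains 'SslRequireCert')   { return 'Require' }
    if ($flags -contains 'SslNegotiateCert') { return 'Accept' }
    return 'Ignore'
}

# Drop only the client-certificate flags; keep Ssl / Ssl128 so "Require SSL" is unchanged.
function Remove-ClientCertFlags([string]$SslFlags) {
    $keep = $SslFlags -split ',' | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -notin 'SslNegotiateCert', 'SslRequireCert', 'None' }
    if ($keep) { return ($keep -join ',') } else { return 'None' }
}

$cfg = @{
    PSPath   = 'MACHINE/WEBROOT/APPHOST'
    Location = $SiteName
    Filter   = 'system.webServer/security/access'
    Name     = 'sslFlags'
}

# The cmdlet normally returns the flags as a comma-separated string; fall back to .Value if not.
$raw     = Get-WebConfigurationProperty @cfg
$current = if ($raw -is [string]) { $raw } else { [string]$raw.Value }
Write-Host "$SiteName sslFlags='$current' -> client certificates: $(Get-ClientCertMode $current)"

if ($Apply -and (Get-ClientCertMode $current) -ne 'Ignore') {
    Set-WebConfigurationProperty @cfg -Value (Remove-ClientCertFlags $current)
    $after = [string](Get-WebConfigurationProperty @cfg)
    Write-Host "Updated sslFlags='$after' -> client certificates: $(Get-ClientCertMode $after)"
    Write-Host 'Restart IIS (for example with iisreset) so the change takes effect.'
}
```

Run it once without `-Apply` to record the current value before changing anything, so the previous setting can be restored if needed.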
NOTE: If problems persist, contact Okta Support for further assistance.
