Okta System Log Does Not Show Users Redirected to Credentials or IWA During Agentless DSSO
Last Updated:
Overview
During the Agentless Desktop Single Sign-on (ADSSO) workflow, Okta redirects users to the default login page before user identification occurs if authentication fails. Because Okta cannot capture the user identity during this early failure, the System Log does not display the user names or IDs for these redirection events. Capturing a client-side network trace helps correlate machine activity with authentication attempts to identify the root cause.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Agentless Desktop Single Sign-on (ADSSO)
Cause
Okta redirects users to the default login page before user identification takes place when authentication fails during the Agentless DSSO workflow. Configuration issues or missing credentials often cause this early failure. Because Okta cannot identify the user at this stage, the System Log omits user names or IDs for these redirection events.
Solution
How to identify and investigate Agentless DSSO redirection events?
Search the System Log for events where the Agentless DSSO flow redirects to the default login page by using the following query.
eventType eq "system.iwa_agentless.redirect"
Review the following example of a System Log capture displaying the redirection event without user identification.
Because the System Log lacks user identification for these events, capture a network trace on the client side with a tool such as Fiddler to correlate machine activity with authentication attempts when investigating ADSSO redirection.
Related References
- Configure browsers for Windows agentless Desktop Single Sign-on
- Active Directory Desktop Single Sign-On known issues
- Resolve Okta Agentless Desktop Single Sign-On 400 Errors
- Okta Agentless Desktop Single Sign-On Fails With Error "Kerberos validation failed with result=GSS_ERROR
- Configuring a Service Principal Name for Agentless Desktop Single Sign-On in Okta
- Okta Agentless Desktop Single Sign-On Fails After Setting AES Encryption on Service Account
- Capture a Fiddler Trace for Okta Customer Support
