<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D50Z00008G7UhxSAFOkta Classic EngineAdministrationAnswered2024-03-25T23:41:55.000Z2017-05-14T09:00:58.000Z2017-05-17T05:23:44.000Z

th7vu (th7vu) asked a question.

Edited by varun.kavoori1.5210444522562532E12 September 5, 2018 at 1:19 AM
OktaService account maps to SPN?
Hello,

 

After following standard procedure to deploy the Okta DSSO agent on Win 2012 R2, the IWA web application gets deployed on IIS and runs within IIS "application pool" of OktaIWA. This application pool runs under identity of OktaService, the service account created/selected during agent installation.

 

Question:

Isn't the OktaService user supposed to map to an SPN of HTTP/<DNS name for IWA webapp>?

When I do a setspn -l <domain>\OktaService, I get an empty list. 

 

Please comment.

 

Thanks,

Jatin

  • 2 answers
  • 1.06K views

  • behrouz.ghorchi1.4454685458921702E12 (Okta, Inc.)

    Hello Jatin,

    On each IWA server you need to use Setspn to set the Service Provider Name so Kerberos can function with the Global Redirect.

    The serviceaccount below is the serviceaccount assigned to the application pool associated with the IIS service.

    setSPN -s HTTP/<hostname> <domain>\<serviceaccount>

    setSPN -s HTTP/<hostname>.<fqdn> <domain>\<serviceaccount>

     

    Some explanation of the SetSPN stuff:

    https://blogs.technet.microsoft.com/tristank/2006/05/08/3-simple-rules-to-kerberos-authenticationdelegation-spns/

     

    https://msdn.microsoft.com/en-us/library/ms191153.aspx

     

    If the SPN checks out and the Microsoft Network monitor tool is non-specific, I would check the kerb header size maybe? It could be exceeding the max allowed limit or max token size in IIS... this would truncate the kerb token and result in a 401.

     

    Behrouz Ghorchi

    Tier 2 Technical Support Engineer

    Okta Global Customer Care

    Expand Post

  • th7vu (th7vu)

    Thanks Behrouz.

    Can you please elaborate some practical ways in which the Okta DSSO global redirect URL feature can be made use of? There seems to be very little documentation on this.

     

    Regards,

    Jatin
    Expand Post
This question is closed.
Loading
OktaService account maps to SPN?