b4or6 (b4or6) asked a question.
Issue: Any success with Agentless Desktop SSO?
Hi Community,
I'm setting up Agentless SSO from my company, but our team is hard-stuck on this page.
I've followed OKTA's KB's and wanted to see if anyone else was running into this issue.
Troubleshooting Steps:
I've double-checked our SPN for the service account and made sure the local intranet includes our https://<myorg>.kerberos.okta.com info.
Maybe there are OKTA IP's that need to be whitelisted on the firewall? Curious what's missing.
Image is not available
What browser are you using? I had some issues with Chrome where we had to change key registry in order to whitelist both the kerberos.okta.com address on the SPN entry when you configure the service account, and the standard login address.
Interesting... we are using Chrome as well. Could you point me to the registry fix or KB you used to find your solution?
https://support.okta.com/help/s/article/Agentless-DSSO-is-not-working-on-Chrome
We've added the two chrome related registry keys, but agentless DSSO still fails. The logs show 'dssoPreCheck failed' and the login then fails over to IWA.
The kerberos fqdn is in the intranet list and IWA works without issue.
I've yet to find any reference to that error.
Tested with Chrome, IE 11 and Edge, all fail.
We actually got Edge working....you have to add the org.kerberos.okta.com address to IE's trusted internet zone, which we did through a GPO, and set it to 2. You also have to set the SPN to reference your okta service account, which I did from the command prompt of my Okta preview Windows Server running the agent.
I am also running into the same issue. Did anyone solve this with Chrome?
The name of the registry key is case sensitive. So if you have AuthServerWhiteList instead of AuthServerWhitelist, (Notice the "L") then it won't read the registry key. Or you may have a space at the end of the key name. You can test it by launching chrome by command line and see if you get different results. Also remember that Chrome uses IE's trusted sites by default, so you can always add it there instead.
Chrome.exe -auth-server-whitelist="*.oktapreview.com" -auth-negotiate-delegatewhitelist="*.oktapreview.com"
Someone already has an update? I have edited the Registry Keys for Chrome
AuthServerWhitelist = org.kerberos.okta-emea.com
But still kerberos windows pops up
Same issue in our company and we've been going back and forth with support trying to figure this one out after having triple checked the specific registry keys for Chrome and the Site to Zone assignments for IE, which we have pushed out via GPO. Edge works fine and you actually see the URL redirecting momentarily to https://org.keberos.oktapreview.com and then takes you to the MFA page instead of a login prompt. Both IE and Chrome however are still popping up with that annoying authentication window which ends up timing out anyway after a few seconds but the problem still persists. Was Agentless Desktop SSO thoroughly tested with Chrome by Okta...I'm starting to wonder????
Did you get a resolution for this? I have the same issue with that login window popping up. I have double checked everything and reconfigured everything 3 times. I'm not sure what I'm missing?