Okta Classic Engine | Administration | Answered | 2026-06-17T17:37:59.000Z | 2021-01-28T07:09:56.000Z
I want to know why my iwa server authentication fails

Hi,

I'm trying Okta Device Trust on a Windows PC, but I'm getting an error from the IWA server set up in IIS and I'm not able to authenticate. Looking at the Event Viewer, the following error log appears.

① Error generating Okta JWT claims for this device. Please verify the Okta IWA server in the URL 'https://{iwa-server}/IWA/devicetrust.svc/api/device-trust/oauth2/v1/device-assertion' and make sure it is the correct version (1.10.3 and newer). Also verify that the HTTP(S) protocol in the URL matches the IIS configuration on the IWA server. For more information, please check the 'Okta Single Sign On' event log on the Okta IWA Server.

② Exception running the Device Trust client for user NT AUTHORITY\NETWORK SERVICE: System.Net.WebException: The remote server returned an error: (401) Not allowed.

I also reviewed the settings on the IIS IWA page for troubleshooting, but I don't know the cause. Please tell me how to resolve.


  • u2idq (u2idq)

    I was running into the same problem in our test environment. If anyone is still having the issue, try this out.

    Verify that your test accounts are in the same domain as your IWA server(s). For my use case, we have our test AD environment under a different domain and we have our test O365 environment in another, so I was changing the UPN of my test accounts to match the O365 test domain for some testing there.

    This appeared to be the cause of the "401 unauthorized" error because the user is trying to talk to the IWA server which is on a different domain. I created a new test account and left the UPN as the default test domain and then I was able to generate the Okta user cert with the new test account just fine. Hope that helps.

    Selected as Best
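
The check this answer describes, as an added PowerShell example that is not part of the original post: it lists accounts whose UPN suffix differs from the domain the IWA server is in. It assumes the RSAT ActiveDirectory module is installed; the OU path and the IWA domain name are hypothetical placeholders.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Hypothetical values: replace with the OU that holds the accounts under test
# and the DNS name of the AD domain the IWA server is joined to.
$SearchBase = 'OU=TestUsers,DC=test,DC=example,DC=com'
$IwaDomain  = 'test.example.com'

# Default DNS name of the domain this query runs against, shown for comparison.
$defaultDomain = (Get-ADDomain).DNSRoot
Write-Host "Default domain: $defaultDomain   IWA server domain: $IwaDomain"

Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName |
    ForEach-Object {
        $upn = $_.UserPrincipalName

        # Accounts can have an empty UPN; treat that as a mismatch to review.
        $suffix = if ($upn -and $upn.Contains('@')) { $upn.Split('@')[-1] } else { $null }

        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            UserPrincipalName = $upn
            UpnSuffix         = $suffix
            MatchesIwaDomain  = ($null -ne $suffix) -and ($suffix -ieq $IwaDomain)
        }
    } |
    Where-Object { -not $_.MatchesIwaDomain } |
    Sort-Object UpnSuffix, SamAccountName |
    Format-Table -AutoSize
```

Accounts in the output are the ones to compare against the 401 entries in the event log: each has a UPN suffix that was changed away from the IWA server's domain, or no UPN at all.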
  • User15932079460456513078 (Vendor Management)

    Hi,

    I was able to verify and based on your description you are running the following version 1.10.3 and Device Trust started to be supported until IWA version 1.11.0.

    See the following:

    Okta SSO IWA Web App version history

    https://help.okta.com/en/prod/Content/Topics/Settings/Version_Histories/Ver_History_SSO_IWA_Agent.htm

    If by any chance after you perform the upgrade of the IWA agent the issue persists, you may need to create a new case with the support team so we can check system logs as well as backend logs.

  • xqjc7 (xqjc7)

    Did you ever get an answer for this? I'm having the same problem.

  • elnsf (elnsf)

    I am having a similar problem after installing the 1.13.2 agent. Please share if you found any information about it.

This question is closed.