
サムヨン崔.59901 (Customer) asked a question.
Hi,
I'm trying Okta Device Trust on a Windows PC, but I'm getting an error from the IWA server set up in IIS and I'm not able to authenticate. Looking at the Event Viewer, the following error log appears.
① Error generating Okta JWT claims for this device. Please verify the Okta IWA server in the URL 'https://{iwa-server}/IWA/devicetrust.svc/api/device-trust/oauth2/v1/device-assertion' and make sure it is the correct version (1.10.3 and newer). Also verify that the HTTP(S) protocol in the URL matches the IIS configuration on the IWA server. For more information, please check the 'Okta Single Sign On' event log on the Okta IWA Server.
② Exception running the Device Trust client for user NT AUTHORITY\NETWORK SERVICE: System.Net.WebException: The remote server returned an error: (401) Not allowed.
I also reviewed the settings on the IIS IWA page for troubleshooting, but I don't know the cause. Please tell me how to resolve this.

I was running into the same problem in our test environment. If anyone is still having the issue, try this out.
Verify that your test accounts are in the same domain as your IWA server(s). For my use case, we have our test AD environment under a different domain and we have our test O365 environment in another, so I was changing the UPN of my test accounts to match the O365 test domain for some testing there.
This appeared to be the cause of the "401 unauthorized" error, because the user is trying to talk to the IWA server, which is on a different domain. I created a new test account and left the UPN as the default test domain, and then I was able to generate the Okta user cert with the new test account just fine. Hope that helps.
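A quick PowerShell check along the lines of the answer above, added here as an example and not taken from the thread or from Okta: it compares the logged-on user's UPN suffix with the machine's AD domain and the IWA server's DNS domain, then calls the device-assertion endpoint with integrated Windows authentication to see whether IIS answers 401. The IWA host name is a placeholder, and it is my assumption that a request whose Windows logon succeeds returns some status other than 401.

```powershell
# Added diagnostic, not part of the original thread. Replace the placeholder host with your IWA server.
$IwaHost = 'iwa-server.corp.example'   # placeholder, not a real host
$Url = "https://$IwaHost/IWA/devicetrust.svc/api/device-trust/oauth2/v1/device-assertion"

# 1. Compare the user's UPN suffix, the machine's AD DNS domain and the IWA server's DNS domain.
#    The answer above traced its 401 to a UPN suffix that pointed at a different domain than the IWA server.
$upn = (whoami /upn 2>$null)
$upnSuffix = if ($upn -and $upn.Contains('@')) { $upn.Split('@')[1] } else { $null }
$machineDomain = $env:USERDNSDOMAIN
$iwaDomain = ($IwaHost -split '\.', 2)[1]

"UPN suffix        : $upnSuffix"
"Machine AD domain : $machineDomain"
"IWA server domain : $iwaDomain"
if ($upnSuffix -and $upnSuffix -ne $iwaDomain) {
    Write-Warning "UPN suffix '$upnSuffix' differs from the IWA server domain '$iwaDomain' (the mismatch described in the answer)."
}

# 2. Call the device-assertion endpoint with the current Windows credentials and report the HTTP status.
try {
    $resp = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing -ErrorAction Stop
    "HTTP $($resp.StatusCode): IIS accepted the Windows credentials"
} catch {
    # Works on Windows PowerShell 5.1 (WebException) and PowerShell 7 (HttpResponseException)
    $status = $null
    if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
    if ($status -eq 401) {
        Write-Warning "HTTP 401 from IWA: Windows authentication was rejected. Check the account's domain/trust and that Windows Authentication is enabled on the IIS site."
    } elseif ($status) {
        "HTTP $status from IWA: authentication passed IIS; check the 'Okta Single Sign On' event log on the server for the rest."
    } else {
        Write-Warning "No HTTP response (DNS, TLS or connectivity problem): $($_.Exception.Message)"
    }
}
```

Run it as the user who is failing Device Trust, not as NETWORK SERVICE, since the point is to see whether that user's credentials are accepted by the IWA site.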