https://support.okta.com/help/answers?id=9062a000000bmfoqay&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Jeremy Hallam

Update AD password and now all SWA apps broke

Hi all,
I am just going through the Okta setup process and have started adding applications.  I have a number of SAML ones as well as SWA.  All my SWA are set up where the "Admin sets the username and the password is the Okta Password".  The username/password for the SWA apps are our AD credentials, and we sign into our Okta Dashboard with our AD credentials.  The issue that I am having is that I changed my AD password and it broke all my SWA apps.  The IWA is functioning correctly and I am auto-logged in when I am on my network. All SAML apps are fine.  It just does not appear to be passing the new password for the SWA apps.  I verified this by logging directly into the apps with my new AD password and it works fine.  I also verified that my Okta password updated with my AD one by turning off Desktop SSO and manually signing in to my Okta dashboard with my new password. What am I missing?
Jeremy Hallam
Now some more interesting behavior.  After I turned off the IWA Desktop SSO feature, logged in to my dashboard with the new AD password, and turned it back on, my SWA apps are now working.  They were broken for a good 3 hours.  Any idea what caused this? I can't have a 3-hour lag in password updates or tell my 400+ users to jump through hoops every time a password is changed.  Thanks
Parth Swadas
Hi @Jeremy,

Please see some points from my end:
  • As you're using delegated authentication to AD and IWA, OKTA does not remember the AD password, and users are auto logged in to OKTA using Desktop SSO.
  • For SWA apps, if you change the AD password, then you need to manually log in to OKTA with the new AD password using /login/default.
For your test case (After I turned off the IWA Desktop SSO feature, logged in to my dashboard with the new AD password, turned it back on and now my SWA apps are working):
  • You stopped IWA.
  • So users had to manually enter the AD password.
  • Now OKTA has pushed this password to all SWA apps.
  • This is the reason all SWA apps started working after you disabled IWA and forced users to log in to OKTA with a password.
AD1 Agent1
Parth,
Thanks for the explanation. Would a setpassword via the API be equivalent to a logout / login, and would the SWA application passwords be updated during such an operation?