Error: Okta user is already assigned to Active Directory user - User not able to access OKTA
https://support.okta.com/help/answers?id=906f0000000dfdvia4&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Sandesh Jain

Error: Okta user is already assigned to Active Directory user - User not able to access OKTA

The user is having an issue accessing the OKTA account, but the account status is active in both OKTA and AD. Resetting the password in AD couldn't fix the issue.

Logs show - INVALID Credentials
Adam Lowe (Okta, Inc.)
Hello Sandesh.  There are many reasons why you might encounter a login issue like this, and I'd be happy to provide some feedback on things you can check.

First, I recommend confirming the user is still AD mastered and has not been disconnected from AD, making them Okta mastered.  You can do this by navigating to Directory > People, and then clicking the user to view their profile.  You will want to ensure the profile states, "Profile mastered by Active Directory".  Alternatively, you can also navigate to Directory > Directory Integrations > Active Directory > People, and be sure you can locate the user account there.  If the user is no longer showing as AD mastered, you will need to import the account from AD into Okta.

If the account is AD mastered and you're still receiving an error about invalid credentials, try testing the credentials outside of Okta.  For example, can you log in to a domain-joined PC with that account using the same password?  If this is successful, we know the AD account itself is good.

There's also a tool in Okta to test delegated authentication that may be helpful.  You can find this tool under Security > Authentication > Active Directory > Test Delegated Authentication.  When you use this tool, a popover window will appear where you can enter the AD username and password to confirm if authentication is successful.