In the last few days, users in our Okta Preview environment have been unable to change their AD passwords via Okta. We're using delegated auth. If a user's password has expired or an admin has said "user must change password at next logon", the user sees the following when attempting to sign in and change the password.
The message is displayed as if it will not accept the "old password" because it has been expired.
If the user is able to log in to Okta (because an admin has set a password for them without requiring a change, or the user just wants to change their password), the user receives a message saying that the new password does not meet the password requirements. The message seen inside the Okta logs looks like this:
Nothing I'm aware of has changed in AD at all. One thing I know that has changed on the Okta side is that I requested the "new login experience" be turned on in this environment (which may bring along the new "Security > Policies" section?) I'm not sure what else comes along for the ride with this feature. I've contacted support but haven't made it very far yet. I'm hoping someone else can send a suggestion or two my way.
Here is what is shown in the admin log:
"The AD AGENT" encountered an error performing a Directory Invoke: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements. (Exception from HRESULT: 0x800708C5)
I saw in today's release notes a mention of something semi-related:
OKTA-85719 – When the New Okta Sign-in Experience is enabled, users attempting to change an AD password did not receive relevant error messages.
I've also been inquiring with support regarding the details behind the EA AD Agent version. The release notes show the following:
3.4.1 This release allows admins to enforce Active Directory's password policy for end users who have forgotten their password. 2016.04
I'm not clear on what is changed here, or what was broken previously.
The only other thing I want to mention is that the AD Admin and I may have found that it is in some way related to the timestamp in AD regarding password last set.
Thanks for any help in advance,
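As an added diagnostic (not part of the post above, and not an Okta or Microsoft tool), the script below pulls the password policy that actually applies to an affected account and compares it with the account's pwdLastSet value. It assumes the RSAT ActiveDirectory module on a domain-joined host; the minimum-password-age check is an assumption about one common cause of the same "password does not meet the policy requirements" error, not a confirmed explanation of the problem described.

```powershell
# Added diagnostic, not from the original post. Assumes the RSAT ActiveDirectory
# module and a domain-joined host; run as an account that can read the user object.
# Shows the settings named in the error text (minimum length, complexity, history)
# and, as an assumption about a frequent cause of that error, whether a change
# is being attempted before MinPasswordAge has elapsed since pwdLastSet.
param([Parameter(Mandatory)][string]$SamAccountName)

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName `
    -Properties PasswordLastSet, pwdLastSet, PasswordExpired, LockedOut

# A fine-grained password policy (PSO) overrides the domain default when one applies.
$policy = Get-ADUserResultantPasswordPolicy -Identity $user
$source = 'Fine-grained (PSO)'
if (-not $policy) {
    $policy = Get-ADDefaultDomainPasswordPolicy
    $source = 'Default domain policy'
}

"Account        : $($user.SamAccountName)"
"pwdLastSet raw : $($user.pwdLastSet)   (0 = 'must change password at next logon')"
"PasswordLastSet: $($user.PasswordLastSet)"
"PasswordExpired: $($user.PasswordExpired)   LockedOut: $($user.LockedOut)"
"Policy source  : $source"
"MinLength={0} Complexity={1} History={2} MinAge={3} MaxAge={4}" -f `
    $policy.MinPasswordLength, $policy.ComplexityEnabled, `
    $policy.PasswordHistoryCount, $policy.MinPasswordAge, $policy.MaxPasswordAge

# Minimum-age check (assumption): AD refuses a user-initiated change until
# MinPasswordAge has passed since the last set; an admin reset is not subject
# to it, and pwdLastSet = 0 clears the restriction.
if ($user.pwdLastSet -ne 0 -and $policy.MinPasswordAge -gt [TimeSpan]::Zero) {
    $earliest = $user.PasswordLastSet + $policy.MinPasswordAge
    if ((Get-Date) -lt $earliest) {
        "WARNING: inside MinPasswordAge window; a user change is refused until $earliest"
    } else {
        "MinPasswordAge satisfied (earliest allowed change was $earliest)"
    }
}
```

Run it against one of the affected accounts and compare the PasswordLastSet value with the time of the admin reset or the Okta change attempt recorded in the admin log.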