Sutton Grater

Okta password has expired with delegated auth (new login experience)

In the last few days, users in our Okta Preview environment have been unable to change their AD passwords via Okta. We're using delegated auth. If a user's password has expired or an admin has set "user must change password at next logon", the user sees the following when attempting to sign in and change the password.

[User-added image]

The message is displayed as if it will not accept the "old password" because it has been expired.

If the user is able to log in to Okta (because an admin has set a password for them without requiring a change, or the user just wants to change their password), the user receives a message saying that the new password does not meet the password requirements. The message seen inside the Okta logs looks like this:

[User-added image]

Nothing I'm aware of has changed in AD at all. One thing I know that has changed on the Okta side is that I requested the "new login experience" be turned on in this environment (which may bring along the new "Security > Policies" section?). I'm not sure what else comes along for the ride with this feature. I've contacted support but haven't made it very far yet. I'm hoping someone else can send a suggestion or two my way.

Here is what is shown in the admin log:
"The AD AGENT" encountered an error performing a Directory Invoke: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements. (Exception from HRESULT: 0x800708C5)

I saw in today's release notes a mention of something semi-related:

OKTA-85719 – When the New Okta Sign-in Experience is enabled, users attempting to change an AD password did not receive relevant error messages.

I've also been inquiring with support regarding the details behind the EA AD Agent version.  The release notes show the following:

3.4.1 (2016.04): This release allows admins to enforce Active Directory's password policy for end users who have forgotten their password.

I'm not clear on what is changed here, or what was broken previously.

The only other thing I want to mention is that the AD Admin and I may have found that it is in some way related to the timestamp in AD regarding password last set.

Thanks for any help in advance,
Sutton
 

Jaypee Manansala (Okta)
Hi Sutton,

Thanks for submitting your inquiry in Okta Community.

This issue, "The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements", has already been fixed in the Okta Release 2016.07 patches.

Please let me know if the issue still persists or you need any further assistance on this. Thank you.

Best,

JP

Sutton Grater
Thanks JP,

Yes, this was resolved by patches on the Okta side. Thank you!

Sutton