https://support.okta.com/help/answers?id=906f0000000xzjeia4&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
AD Agent

Question with AD Agent and SPN for Kerberos

Hello,

I noticed in my event logs that the OktaService account is generating tons of failed logs in my DC/PDC. Looking through the AD Agent install documentation, I noticed there is no mention about setting an SPN for the OktaService account. All users are still able to log in and reset passwords and I can import users, so the agent is functioning fine. However, I just have a myriad of failed 4769 event logs in my DC.

I confirmed that the AD Agent service is running in the services console as a domain account entered during the installation, which is a member of domain admin as instructed in the documentation. When a service is running that is not run by a local service or network service account, the account (domain account) must have a valid SPN to perform Kerberos tasks aka obtaining service tickets on behalf of users.

The implicit SPN HOST/AGENTSERVERNAME is taken by the computer object of the server already as default setup when adding a computer to the domain. I'm trying to find out if there is a separate explicit SPN that needs to be registered with the OktaService account, as I am seeing tons of failures for obtaining service tickets on behalf of the users. 

This would mean the authentication and all other actions performed by the OktaService account are always falling back to NTLM and not using Kerberos. If anyone has an answer to this question, please let me know!

Thank you,
Ricky
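The symptom described in the post (a domain account running a service, no SPN registered on it, and a stream of failed 4769 TGS requests on the DC) can be confirmed from the defender's side by pulling the SPN registrations and the 4769 events together. The script below is an added example written for this thread; it is not Okta's code and nothing in the thread supplies it. It assumes the ActiveDirectory PowerShell module is installed, that it runs with rights to read the DC's Security log, and that `OktaService`, `AGENTSERVERNAME` and the realm suffix are placeholders to be replaced with the real names.

```powershell
# Added example (not from the original thread or from Okta): correlate the SPNs
# registered on a service account with the failed Kerberos TGS requests (event 4769)
# that account is generating on a domain controller.
# Assumptions: ActiveDirectory module present; caller can read the DC Security log;
# OktaService / AGENTSERVERNAME are placeholders taken from the post.
param(
    [string]$ServiceAccount   = 'OktaService',     # account the AD Agent service runs as
    [string]$AgentHost        = 'AGENTSERVERNAME', # computer object that owns HOST/<server>
    [string]$DomainController = $env:LOGONSERVER.TrimStart('\'),
    [int]$Hours               = 24
)

Import-Module ActiveDirectory

# 1. SPN inventory. A service running as a domain account only gets Kerberos for SPNs
#    registered on that account; the implicit HOST/<server> SPN belongs to the computer.
$acctSpns = (Get-ADUser -Identity $ServiceAccount -Properties ServicePrincipalName).ServicePrincipalName
$hostSpns = (Get-ADComputer -Identity $AgentHost -Properties ServicePrincipalName).ServicePrincipalName
"SPNs on account  {0}: {1}" -f $ServiceAccount, $(if ($acctSpns) { $acctSpns -join ', ' } else { '<none>' })
"SPNs on computer {0}: {1}" -f $AgentHost, ($hostSpns -join ', ')

# 2. Pull 4769 (Kerberos service ticket requested) events from the DC for the window.
$events = Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4769
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Kerberos result codes seen in the 4769 Status field (RFC 4120 error numbers, hex).
$statusText = @{
    '0x0'  = 'success'
    '0x7'  = 'KDC_ERR_S_PRINCIPAL_UNKNOWN: no account holds the requested SPN'
    '0xe'  = 'KDC_ERR_ETYPE_NOSUPP: no common encryption type'
    '0x20' = 'KRB_AP_ERR_TKT_EXPIRED'
}

$failures = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # TargetUserName is the requesting principal, normally in user@REALM form.
    if ($d.TargetUserName -notmatch ('^' + [regex]::Escape($ServiceAccount) + '(@|$)')) { continue }
    if ($d.Status -eq '0x0') { continue }   # keep failures only

    $meaning = if ($statusText.ContainsKey($d.Status)) { $statusText[$d.Status] } else { 'see RFC 4120 error table' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Requester   = $d.TargetUserName
        ServiceName = $d.ServiceName          # service the ticket was requested for
        Status      = $d.Status
        Meaning     = $meaning
        ClientIP    = $d.IpAddress
        EncType     = $d.TicketEncryptionType
    }
}

# 3. Summarise: which service names fail, how often, and with which result code.
$failures | Group-Object ServiceName, Status |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'ServiceName, Status'; e = { $_.Name } } |
    Format-Table -AutoSize

# 4. Cross-check each failing ServiceName against the directory: is it registered as an
#    SPN or an account anywhere? An unregistered name explains a 0x7 and an NTLM fallback.
$failures | Select-Object -ExpandProperty ServiceName -Unique | ForEach-Object {
    $name   = $_
    $holder = Get-ADObject -LDAPFilter "(|(sAMAccountName=$name)(servicePrincipalName=$name))" -Properties name
    "{0}: {1}" -f $name, $(if ($holder) { 'registered on ' + (@($holder.Name) -join ', ') } else { 'NOT registered on any account' })
}
```

Run it on (or pointed at) the DC that logs the failures; `setspn -L OktaService` gives the same SPN listing from a plain command prompt if the AD module is not available. A Status of 0x7 against a name that the cross-check reports as unregistered is the concrete evidence that a ticket was requested for an SPN nobody holds, which is the condition the question is asking about.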

Thomas (Okta, Inc.)
A support case has been filed with our technical support team.  We will share the solution here for the community when the solution is validated.

Tom
AD Agent
Hi Tom,

Thank you for the follow-up! I actually already had a case for this one and was working with Michael Rucker from level 3 who has been a great help. Case # is 117012.

I actually had the chance to speak with Karl directly at Oktane15 regarding the issue. I created this community post for easier visibility and emailed him referencing this post. I'll wait for Karl to respond!

Thank you!
Ricky
Jatin Vaidya
Hello,

What's the update on this? Is setting an explicit SPN on the OktaService account needed or not?

Thanks,
Jatin