I noticed in my event logs that the OktaService account is generating tons of failed logs in my DC/PDC. Looking through the AD Agent install documentation, I noticed there is no mention of setting an SPN for the OktaService account. All users are still able to log in and reset passwords and I can import users, so the agent is functioning fine. However, I just have a myriad of failed 4769 event logs in my DC.
I confirmed that the AD Agent service is running in the services console as a domain account entered during the installation, which is a member of Domain Admins as instructed in the documentation. When a service is running that is not run by a local service or network service account, the account (domain account) must have a valid SPN to perform Kerberos tasks, aka obtaining service tickets on behalf of users.
The implicit SPN HOST/AGENTSERVERNAME is taken by the computer object of the server already as default setup when adding a computer to the domain. I'm trying to find out if there is a separate explicit SPN that needs to be registered with the OktaService account, as I am seeing tons of failures for obtaining service tickets on behalf of the users.
This would mean the authentication and all other actions performed by the OktaService account are always falling back to NTLM and not using Kerberos. If anyone has an answer to this question, please let me know!
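As an added example (not part of the original post or Okta's own tooling), the following PowerShell checks what the post describes from the DC side: which SPNs, if any, are registered on the service account, and which 4769 failures it is producing, grouped by requested service name and Kerberos status code. The account name OktaService comes from the post; the domain controller name DC01 and the 24-hour window are assumptions.

```powershell
# Added example, not from the original post: verify the SPNs registered on the
# Okta AD Agent service account and summarize Event ID 4769 failures on the DC.
# Assumptions: "OktaService" is the account named in the post; "DC01" is a
# placeholder domain controller. Run as a user who can read the DC's Security
# log and query Active Directory.

Import-Module ActiveDirectory

$ServiceAccount   = 'OktaService'   # from the post
$DomainController = 'DC01'          # placeholder, adjust for your environment

# 1. List SPNs currently registered on the service account. An empty list
#    confirms that no explicit SPN is set for it.
$acct = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName
"SPNs on {0}:" -f $acct.SamAccountName
if ($acct.servicePrincipalName) { $acct.servicePrincipalName } else { '  (none)' }

# 2. Pull 4769 (Kerberos service ticket request) events from the last 24 hours
#    and keep only failures. A Status of 0x0 means the request succeeded.
$filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-24) }
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter

$failures = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['Status'] -ne '0x0') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = $d['TargetUserName']
            ServiceName = $d['ServiceName']
            ClientIP    = $d['IpAddress']
            Status      = $d['Status']
        }
    }
}

# 3. Group failures by requested service name and status code. A service name
#    with no matching SPN typically shows status 0x7 (KDC_ERR_S_PRINCIPAL_UNKNOWN),
#    which is the pattern that precedes a fallback to NTLM.
$failures |
    Group-Object ServiceName, Status |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Step 1 answers whether the account has any explicit SPN at all; step 3 shows exactly which service name the clients are asking the KDC for, which is the name that would need to be registered on the account if Kerberos is meant to succeed.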