https://support.okta.com/help/answers?id=906f0000000xzl5iao&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Patrick Cesard
Okta and ADSI

Hello.

Does Okta use ADSI to check a user's password in AD when using AD delegated authentication? How is that API call secured?
Brian Ko (Okta, Inc.)

Hi Patrick, 

On a high level, Okta forwards the authentication to your domain controller.  The domain controller authenticates the user and Okta receives the response.  This process can be seen when you look at the AD Agent logs, which tells you which domain controller the authentication attempt was sent to and the response received.  

We hope that answers your question!

Patrick Cesard
Thx Brian. What protocol does Okta use to forward the authentication to the AD DC? I assume the request goes from Okta to the AD Agent then to the AD DC?
api-workday
Hi Patrick,

When I've watched the wire between my AD Agent and DC it is Kerberos for delegated authentication, kpasswd for password changes and LDAP for queries with GSSAPI KRB5 inside of SASL'd binds.

-Matt
Patrick Cesard
Thx Matt. What did you see for the connection from Okta to the AD Agent? Is it GSSAPI as well? What ports does the AD Agent require in order to receive this communication?
 
api-workday
Okta to the AD Agent is actually AD Agent to Okta.

The AD Agent polls Okta over HTTPS (TLS / standard port 443) collecting jobs and posting responses.

With this model there is actually no requirement to open ports from Okta->AD Agent, but you do need to allow outbound HTTPS or provide a proxy server for the AD Agent to communicate out through.

-Matt
Patrick Cesard
Thx Matt. So when a user logs into Okta, the authentication is forwarded to the AD DC via the AD Agent. Wouldn't that require Okta to AD Agent communication?
api-workday
Hi Patrick, not in the polling model that is used.

Basically the AD Agent is constantly polling Okta for tasks. It reaches out and grabs a task, returning immediately if one is there, or stalling for a moment if one isn't immediately waiting; after a sane period the request for a task returns with no actions waiting, and the agent then reaches out again to look for waiting tasks.

A peek at the AD Agent logs in debug mode:

2015/11/13 23:04:52.652 Debug -- myADAgent(10) -- GET: <bigSpecialUrl>
2015/11/13 23:04:52.652 Debug -- myADAgent(8) -- Finished Request
2015/11/13 23:04:52.652 Info -- myADAgent(8) -- Next action = NONE
2015/11/13 23:04:52.652 Info -- myADAgent(8) -- Retrieving next action
2015/11/13 23:04:52.652 Debug -- myADAgent(8) -- GET: <bigSpecialUrl>
2015/11/13 23:04:59.074 Debug -- myADAgent(11) -- Finished Request
2015/11/13 23:04:59.074 Info -- myADAgent(11) -- Next action = NONE
2015/11/13 23:04:59.074 Info -- myADAgent(11) -- Retrieving next action
2015/11/13 23:04:59.074 Debug -- myADAgent(11) -- GET: <bigSpecialUrl>
2015/11/13 23:05:02.043 Debug -- myADAgent(9) -- Finished Request
2015/11/13 23:05:02.043 Info -- myADAgent(9) -- Next action = Okta.Api.UserAuthAction
2015/11/13 23:05:02.043 Info -- myADAgent(9) -- Retrieving next action
2015/11/13 23:05:02.043 Debug -- myADAgent(9) -- GET: <bigSpecialUrl>
2015/11/13 23:05:02.058 Debug -- myADAgent(5) -- Authenticating user myAccount@devqa.myprev.local
2015/11/13 23:05:03.136 Debug -- myADAgent(5) -- Processing USER_AUTH action (<stuff>) finished,
2015/11/13 23:05:03.136 Debug -- myADAgent(5) -- Sending action result (SUCCESS) for action USER_AUTH (<stuff>)
2015/11/13 23:05:03.136 Debug -- myADAgent(5) -- POSTing ActionResult to Okta. <Result>
2015/11/13 23:05:03.136 Debug -- myADAgent(5) -- POST: <bigSpecialUrlPost>
2015/11/13 23:05:03.965 Debug -- myADAgent(5) -- Finished Request
2015/11/13 23:05:03.980 Debug -- myADAgent(5) -- Data post finished, (executionTime=00:00:00.8346143)
2015/11/13 23:05:03.980 Debug -- myADAgent(5) -- Sending result for USER_AUTH action (<stuff2>) finished
2015/11/13 23:05:08.793 Debug -- myADAgent(8) -- Finished Request
2015/11/13 23:05:08.808 Info -- myADAgent(8) -- Next action = NONE
2015/11/13 23:05:08.808 Info -- myADAgent(8) -- Retrieving next action
2015/11/13 23:05:08.808 Debug -- myADAgent(8) -- GET: <bigSpecialUrl>
2015/11/13 23:05:08.918 Debug -- myADAgent(10) -- Finished Request
2015/11/13 23:05:08.918 Info -- myADAgent(10) -- Next action = NONE
2015/11/13 23:05:08.918 Info -- myADAgent(10) -- Retrieving next action
2015/11/13 23:05:08.918 Debug -- myADAgent(10) -- GET: <bigSpecialUrl>
2015/11/13 23:05:15.324 Debug -- myADAgent(11) -- Finished Request
2015/11/13 23:05:15.324 Info -- myADAgent(11) -- Next action = NONE
2015/11/13 23:05:15.324 Info -- myADAgent(11) -- Retrieving next action
2015/11/13 23:05:15.324 Debug -- myADAgent(11) -- GET: <bigSpecialUrl>
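As an added example (not from this thread and not Okta's own tooling), the following Python script reconstructs the polling model Matt describes from AD Agent debug-log lines: it counts poll cycles (empty versus action-bearing), correlates the per-thread USER_AUTH lines into one authentication attempt, and reports the time spent waiting on the domain controller and the time of the result POST back to Okta. The sample log is a trimmed copy of the excerpt posted above; the message patterns are an assumption taken from that excerpt and may differ across agent versions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed copy of the AD Agent debug-log excerpt posted in the thread.
SAMPLE_LOG = """\
2015/11/13 23:04:59.074 Info -- myADAgent(11) -- Next action = NONE
2015/11/13 23:04:59.074 Info -- myADAgent(11) -- Retrieving next action
2015/11/13 23:04:59.074 Debug -- myADAgent(11) -- GET: <bigSpecialUrl>
2015/11/13 23:05:02.043 Debug -- myADAgent(9) -- Finished Request
2015/11/13 23:05:02.043 Info -- myADAgent(9) -- Next action = Okta.Api.UserAuthAction
2015/11/13 23:05:02.043 Info -- myADAgent(9) -- Retrieving next action
2015/11/13 23:05:02.043 Debug -- myADAgent(9) -- GET: <bigSpecialUrl>
2015/11/13 23:05:02.058 Debug -- myADAgent(5) -- Authenticating user myAccount@devqa.myprev.local
2015/11/13 23:05:03.136 Debug -- myADAgent(5) -- Processing USER_AUTH action (<stuff>) finished,
2015/11/13 23:05:03.136 Debug -- myADAgent(5) -- Sending action result (SUCCESS) for action USER_AUTH (<stuff>)
2015/11/13 23:05:03.136 Debug -- myADAgent(5) -- POSTing ActionResult to Okta. <Result>
2015/11/13 23:05:03.136 Debug -- myADAgent(5) -- POST: <bigSpecialUrlPost>
2015/11/13 23:05:03.965 Debug -- myADAgent(5) -- Finished Request
2015/11/13 23:05:03.980 Debug -- myADAgent(5) -- Data post finished, (executionTime=00:00:00.8346143)
2015/11/13 23:05:03.980 Debug -- myADAgent(5) -- Sending result for USER_AUTH action (<stuff2>) finished
2015/11/13 23:05:08.793 Debug -- myADAgent(8) -- Finished Request
2015/11/13 23:05:08.808 Info -- myADAgent(8) -- Next action = NONE
"""

# One log line: "<date> <time> <Level> -- <agent>(<thread>) -- <message>" (assumed layout)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>\w+) -- (?P<agent>\w+)\((?P<thread>\d+)\) -- (?P<msg>.*)$"
)
NEXT_ACTION_RE = re.compile(r"^Next action = (?P<action>\S+)$")
AUTH_START_RE = re.compile(r"^Authenticating user (?P<user>\S+)$")
AUTH_DONE_RE = re.compile(r"^Processing USER_AUTH action \(.*\) finished")
RESULT_RE = re.compile(r"^Sending action result \((?P<result>\w+)\) for action (?P<action>\w+)")
EXEC_TIME_RE = re.compile(r"executionTime=(?P<h>\d+):(?P<m>\d+):(?P<s>\d+(?:\.\d+)?)")


@dataclass
class AuthAttempt:
    thread: int
    user: str
    started: datetime                      # "Authenticating user ..." line
    finished: Optional[datetime] = None    # "Processing USER_AUTH action ... finished"
    result: Optional[str] = None           # result string reported back to Okta
    post_seconds: Optional[float] = None   # executionTime of the result POST to Okta

    @property
    def dc_seconds(self) -> Optional[float]:
        """Wall-clock time the agent spent waiting on the domain controller."""
        if self.finished is None:
            return None
        return (self.finished - self.started).total_seconds()


@dataclass
class PollSummary:
    polls: int = 0                                   # "Next action = ..." lines seen
    empty_polls: int = 0                             # polls that returned NONE
    actions: Dict[str, int] = field(default_factory=dict)


def parse_timestamp(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y/%m/%d %H:%M:%S.%f")


def parse_agent_log(text: str) -> Tuple[List[AuthAttempt], PollSummary]:
    """Correlate per-thread log lines into auth attempts and count poll cycles."""
    open_attempts: Dict[int, AuthAttempt] = {}   # thread id -> attempt still being reported
    attempts: List[AuthAttempt] = []
    summary = PollSummary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        thread, msg, ts = int(m["thread"]), m["msg"], parse_timestamp(m["ts"])

        na = NEXT_ACTION_RE.match(msg)
        if na:
            summary.polls += 1
            if na["action"] == "NONE":
                summary.empty_polls += 1
            else:
                summary.actions[na["action"]] = summary.actions.get(na["action"], 0) + 1
            continue

        s = AUTH_START_RE.match(msg)
        if s:
            attempt = AuthAttempt(thread=thread, user=s["user"], started=ts)
            open_attempts[thread] = attempt
            attempts.append(attempt)
            continue

        cur = open_attempts.get(thread)
        if cur is None:
            continue
        if AUTH_DONE_RE.match(msg):
            cur.finished = ts
            continue
        r = RESULT_RE.match(msg)
        if r and r["action"] == "USER_AUTH":
            cur.result = r["result"]
            continue
        e = EXEC_TIME_RE.search(msg)
        if e:
            cur.post_seconds = int(e["h"]) * 3600 + int(e["m"]) * 60 + float(e["s"])
            del open_attempts[thread]   # attempt fully reported back to Okta
    return attempts, summary


if __name__ == "__main__":
    found, stats = parse_agent_log(SAMPLE_LOG)
    print(f"polls={stats.polls} empty={stats.empty_polls} actions={stats.actions}")
    for a in found:
        print(f"{a.user}: result={a.result} dc={a.dc_seconds:.3f}s post={a.post_seconds:.3f}s")
```

Run against a real agent log, the ratio of empty to action-bearing polls shows the long-poll cadence Matt describes, and a run of non-SUCCESS results or a rising dc_seconds for one agent is the kind of signal worth alerting on from the agent side, since the DC round-trip is otherwise invisible to Okta's own system log.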
Patrick Cesard
Thx Matt. Ok so if I understand this correctly, Okta will have a request (to authenticate a user) waiting in a queue, the AD Agent polls Okta, sees the request in the queue, picks it up, processes the request, and then returns the result to Okta, correct?
Also I believe Okta stores the user's AD password in its cloud database, so that a user can still authenticate if the AD Agent is not running for some reason, correct?