Hello Phil, According to our Developer Information located here: http://developer.okta.com/docs/api/getting_started/error_codes.html "E0000006 You do not have permission to perform the requested action." It sounds like the permissions on the Okta Admin account used for the install are no longer valid. If you know the account, you can check in the Security Tab in the okta admin console to verify permissions, or I recomend a re-install the agent, as we have safe guards to make sure tha accounts that are being used are valid at the time of install.
If you are still having issues please open a support case with our team and we will be able to help. To open a support case give us a call at 1-800-219-0964 or click on the "Help and Training" Link in your Okta Admin console.
Un-installing / re-installing seemed to fix the problem. In the process, the agent was re-authorized and it started servicing AD events again.
How did it get into this state? The API token for the agent didn't change and was still valid for that agent. Nothing else in the environment changed. I was hoping to understand how it got in this state, so we can prevent it from happening again.
I've seen something similar but mine was in a preview environment and I was disabling agents and enabling agents as part of testing. In that case I think the token that had been issued to the agent in question had really been revoked.
Do the system logs indicate any meaningful token lifecycle events?
That said based on the error it seems more like a rights issue than a valid token issue and I cannot see a way through the GUI to manipulate the rights that are assinged to the ad agent user.
The agent had been shut down for a few days as we were troubleshooting something in the environment and wanted to force all "work" to a specific agent. My understanding is the tokens automatically expire after 30 days of inactivity.
We did check the agent logs. That's where we found the E000006 errors and other authorization errors. We tried troubleshooting for a while, but we were time constrained and had to move on. We were fairly confident that a reinstall would resolve the problem. I was curious if anyone (customer or Okta) had more insight into what may have happened.
We didn't see any token lifecycle events in our logs. The token for the particular agent was still valid as far as we could tell. This is what caused the confusion for us. Like I said in my response to Madhu... we shut down this particular agent for a few days to troubleshoot a problem. When we tried to restart the agent, we ended up with a new problem on our hands. :-)
I guess we'll just have to chalk this one up to entropy and let everyone know reinstalling the agent resolves this particular error. Not the most satisfying answer, but it works.