Users receive an HTTP 400 error when authenticating through Agentless Desktop Single Sign-On (ADSSO). The error occurs when the user's Kerberos token is larger than Okta can process. To resolve it, determine the size of the user's Kerberos token and reduce it to a size within Okta's limit.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Agentless Desktop Single Sign-On (ADSSO)
- Active Directory (AD)
A Kerberos token can become oversized for several reasons; the most common are a large number of group memberships and a populated SIDHistory attribute. SIDHistory is populated when a user object is migrated from one domain to another: it retains the SIDs from the old domain so existing access continues to work, and every one of those SIDs is added to the user's token. Either cause can push the token past Okta's limit of 16 KB.
How is the 400 error during Agentless Desktop Single Sign-On resolved?
Agentless Desktop SSO fails if the user's Kerberos token exceeds 16 KB. This size corresponds roughly to membership in 600 security groups, but that figure is not a hard limit: the bytes consumed per entry differ (domain-local group SIDs and SIDHistory entries cost more than global group SIDs), and other factors contribute to the token size. A user whose token exceeds this limit during the Agentless Desktop SSO flow receives a 400 response and is redirected to the standard sign-in page.
To resolve the 400 error, modify the user object in Active Directory to:
- Reduce the group membership count of the user in Active Directory, or
- Remove the SIDHistory from the user object in Active Directory.
NOTE: Increasing MaxTokenSize in the Active Directory environment only raises the token size that Windows components accept. It does not enable Okta to process a Kerberos token larger than 16 KB.
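The following PowerShell script is an added example and is not part of Okta's article or Okta's own tooling. It estimates a user's Kerberos token size from the transitive group SIDs and SIDHistory entries that a domain controller places in the ticket, using the sizing formula Microsoft published for Kerberos tokens (TokenSize = 1200 + 40d + 8s), and compares the estimate against the 16 KB limit stated above. It assumes a domain-joined host with the ActiveDirectory RSAT module and an account allowed to read the user object; the `$SamAccountName` parameter and the output field names are placeholders chosen for this example.

```powershell
# Added example, not from the Okta article: estimate a user's Kerberos token size and
# show which entries (domain-local groups, SIDHistory) are the most expensive to keep.
# Assumes: ActiveDirectory RSAT module, a domain-joined host, read access to the user.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,   # placeholder input
    [int]$OktaLimitBytes = 16KB                               # 16384, the limit in the article
)

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties sIDHistory, DistinguishedName
$userDomainSid = $user.SID.AccountDomainSid.Value

# tokenGroups is a constructed attribute: the transitive set of security-group SIDs the
# DC expands into the ticket's PAC. It includes nested groups that memberOf does not list.
$entry = [ADSI]"LDAP://$($user.DistinguishedName)"
$entry.RefreshCache(@('tokenGroups'))
$groupSids = foreach ($raw in $entry.Properties['tokenGroups']) {
    New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
}

# SIDHistory entries are copied into the PAC as-is, at the 40-byte domain-local rate.
$sidHistory = @($user.sIDHistory | Where-Object { $_ })

# Microsoft's estimate (KB 327825): TokenSize = 1200 + 40*d + 8*s, where
#   d = domain-local groups + universal groups from other domains + SIDHistory entries
#   s = global groups + universal groups from the user's own domain
$d = $sidHistory.Count
$s = 0
$expensive = @()   # entries that cost 40 bytes each; the best candidates to trim

foreach ($sid in $groupSids) {
    $group = Get-ADGroup -Filter "objectSid -eq '$($sid.Value)'" -ErrorAction SilentlyContinue
    if ($null -eq $group -or $group.GroupScope -eq 'DomainLocal') {
        # Unresolvable SIDs (built-in or foreign) are counted conservatively at 40 bytes.
        $d++
        $expensive += if ($group) { $group.Name } else { $sid.Value }
    }
    elseif ($group.GroupScope -eq 'Global') {
        $s++
    }
    elseif ($group.SID.AccountDomainSid.Value -eq $userDomainSid) {
        $s++   # universal group in the user's own domain
    }
    else {
        $d++   # universal group from another domain
        $expensive += $group.Name
    }
}

$estimate = 1200 + (40 * $d) + (8 * $s)

[pscustomobject]@{
    User                 = $SamAccountName
    TransitiveGroups     = $groupSids.Count
    SIDHistoryEntries    = $sidHistory.Count
    FortyByteEntries     = $d
    EightByteEntries     = $s
    EstimatedTokenBytes  = $estimate
    OktaLimitBytes       = $OktaLimitBytes
    OverOktaLimit        = ($estimate -gt $OktaLimitBytes)
    CostliestEntries     = ($expensive -join '; ')
    SIDHistoryValues     = (($sidHistory | ForEach-Object { $_.Value }) -join '; ')
}

# Removing SIDHistory is irreversible: resources that still grant access to the old SIDs
# will no longer recognise the user. Confirm that first, then run as a domain administrator:
#   Set-ADUser -Identity $user -Remove @{sIDHistory = ($sidHistory | ForEach-Object { $_.Value })}
```

The formula is an estimate of the PAC contents, not a measurement of the ticket on the wire, so treat a result close to the limit as a warning rather than a pass. The useful output is the split between 40-byte and 8-byte entries: because domain-local groups, cross-domain universal groups and SIDHistory values each cost five times as much as a global group, removing a handful of them reduces the token far more than dropping the same number of global groups.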
