Okta Active Directory Agent Version 3.17 and Earlier Shows Disconnected While Running
Overview

Okta Active Directory (AD) agents version 3.17 and below show as disconnected in Okta while still running on the server. This issue occurs when the Okta Super Administrator account used to install the agent is inactive or lacks Super Administrator privileges, which revokes the agent API token privileges. Resolve this issue by reactivating the administrator account, restoring its privileges, or reinstalling the agent using an active Super Administrator account.

 

When this issue occurs, the Okta AD Agent Management Utility shows the following status on the agent server:

 

The agent is running.

 


 

However, imports fail with the following error:

 

No connected Agents found to perform import.

 


 

Delegated authentication attempts fail with the following error:

 

Delegated authentication request was not processed. No agents are connected to Okta

 


 

The AD agent logs display one of the following errors:

 

Response from server: 403 FORBIDDEN "Forbidden"

 

Response from server: 401 UNAUTHORIZED "Unauthorized"

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Active Directory (AD) Imports
  • Okta AD Agent (version 3.17 and below)
  • Delegated Authentication
  • API Token
Cause

The Okta Super Administrator account used to install the Okta AD agent is inactive or lacks Super Administrator privileges. This revokes the agent API token privileges.

 

The Okta AD agent logs are located on the AD agent server at C:\Program Files (x86)\Okta\Okta AD Agent\logs.

  • The logs display Response from server: 401 UNAUTHORIZED "Unauthorized" if the Okta Super Administrator account is inactive.
  • The logs display Response from server: 403 FORBIDDEN "Forbidden" if the Okta Super Administrator account lacks Super Administrator privileges.

 

The API token status under Security > API > Tokens appears active unless an administrator deactivates or uninstalls the agent. The token remains valid but lacks the required privileges to function.
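Because the token still appears active in the Admin Console, the agent log is the signal that separates the two causes. The following PowerShell is an added example, not Okta code: the function name `Get-AgentTokenDiagnosis` is hypothetical, and the sample lines are constructed (only the "Response from server" text comes from this article; the timestamp and level prefix are an assumed layout).

```powershell
# Added example, not Okta code. Classifies AD agent log lines using the two
# server responses quoted in this article (agent version 3.17 and earlier).
function Get-AgentTokenDiagnosis {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)][string]$Line)
    begin {
        $counts = @{ '401' = 0; '403' = 0 }
        $last = $null; $lastAt = 0; $total = 0
    }
    process {
        $total++
        if ($Line -match 'Response from server:\s*(401 UNAUTHORIZED|403 FORBIDDEN)') {
            $code = $Matches[1].Substring(0, 3)
            $counts[$code]++
            $last = $code      # the most recent response decides the diagnosis
            $lastAt = $total
        }
    }
    end {
        if ($last -eq '401') {
            $cause = 'Super Administrator account used to install the agent is inactive'
        } elseif ($last -eq '403') {
            $cause = 'Account used to install the agent lacks Super Administrator privileges'
        } else {
            $cause = 'No 401/403 response found in these lines'
        }
        [pscustomobject]@{
            LastResponse  = $last
            LastErrorLine = $lastAt   # 0 when nothing matched
            TotalLines    = $total
            Count401      = $counts['401']
            Count403      = $counts['403']
            LikelyCause   = $cause
        }
    }
}

# Constructed sample input; the prefix before "Response from server" is assumed.
$sample = @(
    '2024-05-01 09:00:01 INFO  Agent started'
    '2024-05-01 09:00:05 ERROR Response from server: 403 FORBIDDEN "Forbidden"'
    ''
    '2024-05-02 11:30:00 ERROR Response from server: 401 UNAUTHORIZED "Unauthorized"'
)
$sample | Get-AgentTokenDiagnosis | Format-List

# Against real logs on the agent server (reads every file in the log folder):
# Get-ChildItem 'C:\Program Files (x86)\Okta\Okta AD Agent\logs' -File |
#     Sort-Object LastWriteTime | Get-Content | Get-AgentTokenDiagnosis
```

For the sample, the result reports `LastResponse` 401 with one hit for each code, so the history shows the account first losing the role and later being deactivated.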

Solution

How is the disconnected Active Directory agent issue resolved?

Perform these steps to restore AD agent functionality by fixing the administrator account or reinstalling the agent:

  1. Verify the Okta Super Administrator account used to install the AD agent has an active status and holds the Super Administrator role.

  2. Reactivate the account or restore the Super Administrator role to restore functionality to the AD agent.

  3. Reinstall the Okta AD agents using a different, active Okta Super Administrator account if restoring privileges fails or the original administrator account no longer exists. Reinstalling the agent creates a new API token for agent authentication.

 

Use the following resource to reinstall the Okta AD agent: Install the Okta Active Directory agent.

 

NOTE:

  • Using a dedicated service account with Okta Super Administrator privileges is the best practice for validating AD agent versions 3.17 and earlier.
  • This article applies only to AD agent version 3.17 and below. AD agent version 3.18 and later no longer use API tokens and do not depend on the Super Administrator who installed the agent being active.

 
