Agentless DSSO Not Working After Setting AES Encryption on Service Account
Overview
Agentless DSSO requires that AES 128 and AES 256 encryption be enabled on the SPN service account. If this step is missed and corrected afterwards, additional steps may be needed.
Applies To
  • Directories
  • Agentless DSSO
Cause

In some cases, when the ADSSO service account is created and the SPN is set without the correct AES encryption settings on the service account, correcting the AES encryption settings alone will not resolve the issue.

Solution

If AES is enabled on the ADSSO SPN service account that generates the Kerberos tickets, but the tickets are still being issued with RC4 encryption, the ADSSO SPN service account password may need to be reset manually. The account password does not rotate automatically, so the current password, and the Kerberos keys derived from it, may date from before AES key generation was supported on the account.

Once the password is reset in Active Directory, validate the service account password under Security > Delegated Authentication > Agentless Desktop SSO in the Okta Admin Console.
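The Active Directory side of the procedure above, as an added example that is not from the Okta article: it decodes the account's msDS-SupportedEncryptionTypes bitmask to show whether AES is enabled, enables AES128/AES256, resets the password so new AES keys are derived, and checks the encryption type of a freshly issued ticket. The account name and SPN are placeholders; the ActiveDirectory PowerShell module and a domain-joined admin session are assumed.

```powershell
# Added example, not Okta's code. Assumes the ActiveDirectory module and placeholder names.
Import-Module ActiveDirectory

$Account = 'svc-adsso-PLACEHOLDER'          # the ADSSO SPN service account (placeholder)
$Spn     = 'HTTP/okta-dsso.example.local'   # the SPN registered on that account (placeholder)

# Bit values of msDS-SupportedEncryptionTypes as defined by Active Directory
$EncTypes = [ordered]@{ DES_CBC_CRC = 1; DES_CBC_MD5 = 2; RC4_HMAC = 4; AES128 = 8; AES256 = 16 }

function Get-SupportedEncryptionTypes([string]$Identity) {
    $u = Get-ADUser -Identity $Identity -Properties 'msDS-SupportedEncryptionTypes', servicePrincipalName
    # An unset attribute (0) means the KDC falls back to RC4 for this account
    $mask = [int]($u.'msDS-SupportedEncryptionTypes')
    $enabled = $EncTypes.GetEnumerator() | Where-Object { ($mask -band $_.Value) -ne 0 } | ForEach-Object Name
    [pscustomobject]@{ Account = $Identity; Mask = $mask; Enabled = $enabled; SPNs = $u.servicePrincipalName }
}

# 1. Inspect the current state; the failing case shows no AES128/AES256 in Enabled
Get-SupportedEncryptionTypes $Account | Format-List

# 2. Enable AES128 and AES256 on the account (the setting the article says is required)
Set-ADUser -Identity $Account -KerberosEncryptionType 'AES128,AES256'

# 3. Reset the password so AES keys are derived; keys from the old password predate AES support
$NewPassword = Read-Host -AsSecureString -Prompt "New password for $Account"
Set-ADAccountPassword -Identity $Account -Reset -NewPassword $NewPassword

# 4. Confirm the fix: re-read the mask, then request a fresh service ticket and check its etype
Get-SupportedEncryptionTypes $Account | Format-List
klist purge                                   # drop cached tickets that may still carry RC4
klist get $Spn
klist | Select-String 'KerbTicket Encryption Type'   # expect AES-256-CTS-HMAC-SHA1-96 or AES-128
```

After step 3 the same new password must be entered in the Okta Admin Console under Security > Delegated Authentication > Agentless Desktop SSO, as the article states.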
