Okta Agentless Desktop Single Sign-On Fails After Setting AES Encryption on Service Account
Last Updated:
Overview
Okta Agentless Desktop Single Sign-On (ADSSO) requires enabling Advanced Encryption Standard (AES) 128 and 256 on the Service Principal Name (SPN) service account in Active Directory. If the SPN initially lacks the correct AES encryption settings, correcting the settings later may not automatically resolve the issue because the required encryption settings will not be applied until the account password is rotated. Resetting the service account password manually in Active Directory and validating it in the Okta Admin Console resolves this issue.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Directories
- Agentless Desktop Single Sign-On (ADSSO)
Cause
When creating the Agentless DSSO service account and setting the SPN without the correct AES encryption settings applied, correcting the AES encryption settings later may not automatically resolve the issue as the required encryption configuration will not be applied until the account password is rotated. Consequently, Active Directory continues to issue Kerberos tokens with RC4 encryption.
Solution
How is the Agentless Desktop Single Sign-On encryption issue resolved?
Reset the service account password in Active Directory and update the password in the Okta Admin Console.
- Reset the Agentless DSSO SPN service account password manually in Active Directory.
- Open the Okta Admin Console.
- Go to Security > Delegated Authentication > Agentless Desktop SSO.
- Update the service account password with the newly reset value to validate the configuration.
