With Delegated Authentication enabled, users sourced from Active Directory (AD) authenticate with Okta using Windows credentials, which are verified in real time by the Okta AD Agent. When a network or agent server failure occurs that leaves all AD agents disconnected, these users may be unable to authenticate to Okta.
To bridge such outages, Okta stores a hashed value derived from the user's profile attributes and successful password authentication events. This lets Delegated Authentication keep accepting the user's password for up to five days after that user's last successful password login, even during a complete loss of agent connectivity.
Certain scenarios may affect this ability, including changes to user credentials, lifecycle state modifications, and cache data expiry.
- Active Directory (AD)
- Okta Active Directory (AD) Agent
- Delegated Authentication
When a network or agent server failure disconnects all Okta AD Agents, no agent is available to verify credentials in real time. Without that connectivity, users who sign in with a username and password (rather than desktop single sign-on) cannot access the Okta Dashboard.
How does delegated authentication maintain access during agent failures?
To maintain access during agent disconnections, Okta stores a hashed value combining user profile attributes and successful authentication events. The system uses this value to authenticate the user when no Okta AD Agent remains online.
Follow these steps to ensure AD-sourced users maintain access for up to five days after the last successful login using Delegated Authentication:
- Navigate to the Okta Admin Console.
- Go to Directory > Directory Integrations > Active Directory > Provisioning > Integration > Delegated Authentication.
- Select the Enable delegated authentication to Active Directory checkbox to activate the feature.
Review the following requirements and exceptions for credential caching:
- Users must log in with a username and password. Desktop single sign-on and other authentication methods do not trigger credential caching, so they cannot extend the five-day window.
- Cached authentication fails if the user is suspended, deactivated, or disabled in the connected Active Directory or Lightweight Directory Access Protocol (LDAP) system.
- Cached authentication fails if the user changes or resets the AD/LDAP password; the stored hash no longer matches the password the user presents.
- Cached authentication fails once the five-day time-based cache expiry has elapsed since the last successful password login.
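The following Python model is an added example, not Okta's code (Okta does not publish how it constructs the stored hash). It reproduces the fallback behaviour described above and the exceptions listed in this section: a salted PBKDF2 hash of the password and profile attributes is written only on a successful live password login, consulted only when no agent is online, rejected after five days, and dropped on a password change or lifecycle change. The `DelegatedAuthCache` class, the `jdoe` account, the profile attribute string, and the lifecycle status strings are all constructed for illustration.

```python
"""Model of the delegated-authentication credential cache described above.

Constructed example, not Okta's code: Okta does not publish how it builds the
stored hash. The model reproduces the behaviour the article describes:
populate on a successful password login, consult only when no agent is online,
expire after five days, invalidate on a password or lifecycle change.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

CACHE_TTL_SECONDS = 5 * 24 * 60 * 60   # five-day time-based cache expiry
PBKDF2_ITERATIONS = 600_000            # assumption: OWASP-level work factor for PBKDF2-HMAC-SHA256


@dataclass
class CacheEntry:
    salt: bytes          # per-entry random salt so equal passwords give different digests
    digest: bytes        # PBKDF2 over password + profile attributes
    last_success: float  # epoch time of the last successful live authentication


class DelegatedAuthCache:
    """Fallback verifier for AD-sourced users when every AD agent is offline."""

    def __init__(self, live_verifier: Callable[[str, str], bool],
                 agent_online: Callable[[], bool]) -> None:
        self._live = live_verifier          # stands in for the real-time AD agent check
        self._agent_online = agent_online   # stands in for agent connectivity status
        self._entries: Dict[str, CacheEntry] = {}
        self._status: Dict[str, str] = {}   # lifecycle state as last seen from AD/LDAP (constructed)

    @staticmethod
    def _derive(salt: bytes, password: str, attributes: str) -> bytes:
        # Bind the hash to the profile attributes so a changed profile cannot
        # reuse an old entry; the NUL separator keeps the two fields unambiguous.
        material = password.encode("utf-8") + b"\x00" + attributes.encode("utf-8")
        return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ITERATIONS)

    def set_lifecycle_status(self, username: str, status: str) -> None:
        """Record a suspend/deactivate/disable (or reactivate) observed for the user."""
        self._status[username] = status

    def password_changed(self, username: str) -> None:
        """A password change or reset drops the cached hash outright."""
        self._entries.pop(username, None)

    def authenticate(self, username: str, password: str, attributes: str,
                     now: Optional[float] = None) -> str:
        """Return 'ok:live', 'ok:cached' or a 'denied:<reason>' string."""
        now = time.time() if now is None else now
        if self._status.get(username, "ACTIVE") != "ACTIVE":
            return "denied:lifecycle"
        if self._agent_online():
            if not self._live(username, password):
                return "denied:live"
            # Only a successful password login refreshes the cache.
            salt = os.urandom(16)
            self._entries[username] = CacheEntry(
                salt, self._derive(salt, password, attributes), now)
            return "ok:live"
        entry = self._entries.get(username)
        if entry is None:
            return "denied:no-cache"
        if now - entry.last_success > CACHE_TTL_SECONDS:
            del self._entries[username]
            return "denied:cache-expired"
        if hmac.compare_digest(entry.digest, self._derive(entry.salt, password, attributes)):
            return "ok:cached"
        return "denied:cache-mismatch"


def demo() -> List[str]:
    """Run the article's scenarios against a simulated directory; returns the outcomes."""
    directory = {"jdoe": "Winter-2024!"}        # constructed sample AD account
    agent = {"online": True}
    cache = DelegatedAuthCache(
        live_verifier=lambda user, pw: directory.get(user) == pw,
        agent_online=lambda: agent["online"],
    )
    attrs = "jdoe|Jane Doe|CN=jdoe,OU=Users,DC=corp,DC=example"  # constructed profile attributes
    t0 = 1_700_000_000.0
    out: List[str] = []
    out.append(cache.authenticate("jdoe", "Winter-2024!", attrs, now=t0))            # live login populates the cache
    agent["online"] = False                                                            # every agent disconnects
    out.append(cache.authenticate("jdoe", "Winter-2024!", attrs, now=t0 + 3600))     # served from the cache
    out.append(cache.authenticate("jdoe", "wrong-password", attrs, now=t0 + 3600))   # cache rejects a bad password
    cache.set_lifecycle_status("jdoe", "SUSPENDED")
    out.append(cache.authenticate("jdoe", "Winter-2024!", attrs, now=t0 + 7200))     # lifecycle change blocks access
    cache.set_lifecycle_status("jdoe", "ACTIVE")
    out.append(cache.authenticate("jdoe", "Winter-2024!", attrs, now=t0 + CACHE_TTL_SECONDS + 1))  # five days elapsed
    agent["online"] = True
    out.append(cache.authenticate("jdoe", "Winter-2024!", attrs, now=t0 + CACHE_TTL_SECONDS + 2))  # live login re-caches
    directory["jdoe"] = "Spring-2025!"
    cache.password_changed("jdoe")                                                     # reset invalidates the cache
    agent["online"] = False
    out.append(cache.authenticate("jdoe", "Winter-2024!", attrs, now=t0 + CACHE_TTL_SECONDS + 3))  # old password not cached
    return out


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The lambda passed as `live_verifier` stands in for the AD agent's real-time check, and `agent_online` for agent connectivity, so the whole walk-through runs offline. Two design points carry over to any offline fallback of this kind: the cache never holds the password itself, only a salted, iterated hash bound to the profile, and the comparison uses `hmac.compare_digest` so a mismatch does not leak timing information.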
