This article explains a potential cause of the error below, which appears when setting a temporary password for an Active Directory user through Delegated Authentication in the Okta Admin Console.
Update of credentials failed / Password does not meet requirements
When the error states Update of credentials failed:
- System logs show the password as successfully updated.
- The attribute pwdLastSet in Active Directory is updated.
- The user can log in with the temporary password, but is not prompted to create a new one.
- The User must change password at next logon checkbox is not checked in Active Directory as expected.
When the error states Password does not meet requirements:
- System logs show the event as a failure.
- The attribute pwdLastSet in Active Directory is not updated.
- Directories
- Active Directory
- Delegated Authentication
- Password Reset
- Temporary password
Write permissions are not correctly set on the attribute pwdLastSet. The Active Directory password is therefore updated successfully, but the account is not flagged to prompt the user to change the password at next logon. This leaves the temporary password in place as the permanent password until it is reset again.
Correct the permissions in Active Directory so that the Okta service account can write to the attribute pwdLastSet. See About Okta service account permissions or contact Microsoft Support for further assistance.
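The following PowerShell is an added example, not part of the Okta article or Okta's own tooling. It lets an administrator confirm both halves of the cause described above: whether a user object currently carries the "must change password at next logon" flag (which Active Directory stores as pwdLastSet = 0), and whether a given service account has an Allow ACE granting WriteProperty on pwdLastSet for that user. The service account name CONTOSO\svc-okta and user jdoe are placeholders; the pwdLastSet schema GUID is resolved from the schema partition at run time rather than hard-coded.

```powershell
# Added example (not from the Okta article): verify the pwdLastSet flag on a user
# and the service account's write permission on that attribute.
# Requires the RSAT ActiveDirectory module, which also provides the AD: PSDrive.
Import-Module ActiveDirectory

function Get-PwdLastSetSchemaGuid {
    # Resolve the schemaIDGUID of pwdLastSet from the schema so no GUID is hard-coded.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID
    return [guid]$attr.schemaIDGUID
}

function Get-MustChangePasswordState {
    # Report whether the account is flagged to change its password at next logon.
    param([Parameter(Mandatory)][string]$UserSamAccountName)
    $u = Get-ADUser -Identity $UserSamAccountName -Properties pwdLastSet
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        PwdLastSetRaw     = $u.pwdLastSet
        # AD represents "User must change password at next logon" as pwdLastSet = 0.
        MustChangeAtLogon = ($u.pwdLastSet -eq 0)
        PasswordLastSet   = if ($u.pwdLastSet -gt 0) { [DateTime]::FromFileTimeUtc($u.pwdLastSet) } else { $null }
    }
}

function Test-PwdLastSetWriteAccess {
    # Check the user's DACL for ACEs granted directly to the service account that
    # allow (or deny) WriteProperty on pwdLastSet, or on all properties.
    # Limitation: grants inherited through group membership are not resolved here;
    # run it with the group name as well if the ACE is assigned to a group.
    param(
        [Parameter(Mandatory)][string]$UserSamAccountName,
        [Parameter(Mandatory)][string]$ServiceAccountIdentity   # e.g. 'CONTOSO\svc-okta' (placeholder)
    )
    $user    = Get-ADUser -Identity $UserSamAccountName
    $acl     = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    $pwdGuid = Get-PwdLastSetSchemaGuid
    $allGuid = [guid]::Empty          # ObjectType of an ACE that covers every property
    $write   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    $relevant = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccountIdentity -and
        (($_.ActiveDirectoryRights -band $write) -ne 0) -and
        ($_.ObjectType -eq $pwdGuid -or $_.ObjectType -eq $allGuid)
    }
    $allow = @($relevant | Where-Object { $_.AccessControlType -eq 'Allow' })
    $deny  = @($relevant | Where-Object { $_.AccessControlType -eq 'Deny' })

    [pscustomobject]@{
        User            = $user.DistinguishedName
        ServiceAccount  = $ServiceAccountIdentity
        AllowAceCount   = $allow.Count
        DenyAceCount    = $deny.Count
        # A Deny ACE wins over an Allow ACE, so writes succeed only with Allow and no Deny.
        CanWritePwdLastSet = ($allow.Count -gt 0 -and $deny.Count -eq 0)
        MatchingAces    = $relevant
    }
}

# Usage (placeholder names):
Get-MustChangePasswordState -UserSamAccountName 'jdoe'
Test-PwdLastSetWriteAccess -UserSamAccountName 'jdoe' -ServiceAccountIdentity 'CONTOSO\svc-okta'
```

Run the first function right after issuing a temporary password from Okta: if MustChangeAtLogon is False while PasswordLastSet shows the time of the reset, the symptom in this article is reproduced. The second function then shows whether the service account has a direct Allow ACE for WriteProperty on pwdLastSet on that user; if it has none (or a Deny), fix the delegation as described above and re-run the check.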
If the error instead states Password does not meet requirements, ensure that the Okta password policy matches or exceeds the password policy of the AD domain. Temporary passwords are generated according to the Okta-side policy, so it must match or exceed the local AD requirements for this functionality to work.
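As an added example (not from the Okta article), the PowerShell below reads the password policy that Active Directory actually applies to a user, which is the fine-grained policy if one is assigned and otherwise the default domain policy, and compares it with the Okta-side settings the administrator supplies as parameters. The Okta values are assumptions entered by hand from the Okta policy that covers the user; AD's ComplexityEnabled rule requires characters from at least three categories, so the comparison treats fewer than three required character classes on the Okta side as a mismatch.

```powershell
# Added example (not from the Okta article): compare the effective AD password policy
# for a user with the Okta password policy settings supplied as parameters.
Import-Module ActiveDirectory

function Compare-OktaPasswordPolicyWithAD {
    param(
        [Parameter(Mandatory)][string]$UserSamAccountName,
        # Values read from the Okta password policy that applies to the user (assumed inputs).
        [Parameter(Mandatory)][int]$OktaMinLength,
        [bool]$OktaRequireLowercase = $true,
        [bool]$OktaRequireUppercase = $true,
        [bool]$OktaRequireNumber    = $true,
        [bool]$OktaRequireSymbol    = $false,
        [int]$OktaHistoryCount      = 0
    )

    # Fine-grained policy wins if one applies to the user; otherwise use the domain default.
    $adPolicy = Get-ADUserResultantPasswordPolicy -Identity $UserSamAccountName
    $source   = 'Fine-grained policy'
    if (-not $adPolicy) {
        $adPolicy = Get-ADDefaultDomainPasswordPolicy
        $source   = 'Default domain policy'
    }

    $oktaClasses = @($OktaRequireLowercase, $OktaRequireUppercase,
                     $OktaRequireNumber, $OktaRequireSymbol).Where({ $_ }).Count

    $findings = New-Object System.Collections.Generic.List[string]
    if ($OktaMinLength -lt $adPolicy.MinPasswordLength) {
        $findings.Add("Okta minimum length $OktaMinLength is below AD MinPasswordLength $($adPolicy.MinPasswordLength).")
    }
    if ($adPolicy.ComplexityEnabled -and $oktaClasses -lt 3) {
        $findings.Add("AD complexity is enabled (3 of 5 character categories) but Okta requires only $oktaClasses character classes.")
    }
    if ($OktaHistoryCount -lt $adPolicy.PasswordHistoryCount) {
        $findings.Add("Okta history count $OktaHistoryCount is below AD PasswordHistoryCount $($adPolicy.PasswordHistoryCount).")
    }

    [pscustomobject]@{
        User               = $UserSamAccountName
        ADPolicySource     = $source
        ADMinLength        = $adPolicy.MinPasswordLength
        ADComplexity       = $adPolicy.ComplexityEnabled
        ADHistoryCount     = $adPolicy.PasswordHistoryCount
        OktaMeetsADPolicy  = ($findings.Count -eq 0)
        Findings           = $findings
    }
}

# Usage (placeholder user and assumed Okta settings):
Compare-OktaPasswordPolicyWithAD -UserSamAccountName 'jdoe' -OktaMinLength 8 `
    -OktaRequireLowercase $true -OktaRequireUppercase $true -OktaRequireNumber $true -OktaHistoryCount 4
```

Any entry in Findings identifies a setting where AD is stricter than Okta; raising the Okta policy to at least that value stops Okta from generating temporary passwords that the domain will reject with Password does not meet requirements.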
