Kerberos Signature for Service Account Invalidated after Microsoft November Rollup
Overview

The Microsoft November 2022 rollup inadvertently invalidated some existing Kerberos signatures under certain circumstances.


Specifically, the November 2022 cumulative patch includes the changes described in KB5020805, which address Kerberos and Netlogon hardening in Windows environments.


To determine whether the environment is affected, check for the following Microsoft patches:

Okta is aware of the issue and understands this may impact the ability to access services. Note, however, that this issue is a direct result of the Microsoft patch and not a result of any changes in Okta. We are providing this document to supplement the notification sent by Microsoft.


This issue will present the following errors in the Okta AD Agent log:

 at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.PropertyValueCollection.PopulateList()
   at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
   at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
   at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
   --- End of inner exception stack trace ---
   at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
   at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
   at Okta.DirectoryServices.Protocols.SDSPWrapper.GetRootDse()
   at Okta.DirectoryServices.Protocols.SDSPWrapper.GetDefaultDomainController(ADSITarget target).
	Caused by System.Security.Authentication.AuthenticationException received with message The user name or password is incorrect.
 Source=System.DirectoryServices InnerException=System.Runtime.InteropServices.COMException (0x8007052E): The user name or password is incorrect.


   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.PropertyValueCollection.PopulateList()
   at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
   at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
   at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName).
	Caused by System.Runtime.InteropServices.COMException received with message The user name or password is incorrect.
 Source=System.DirectoryServices InnerException=.
2022/11/16 17:10:41.957+02:00 Error -- OKTA-GW(8) -- The target domain cannot be contacted. Retrying in 30 seconds.
2022/11/16 17:10:41.957+02:00 Error -- OKTA-GW(9) -- The target domain cannot be contacted. Retrying in 30 seconds.
2022/11/16 17:11:12.410+02:00 Info -- OKTA-GW(9) -- Checking if the target domain can be contacted
2022/11/16 17:11:12.410+02:00 Debug -- OKTA-GW(9) -- Trying to connect to the default DC
2022/11/16 17:11:12.410+02:00 Info -- OKTA-GW(8) -- Checking if the target domain can be contacted
2022/11/16 17:11:12.410+02:00 Error -- OKTA-GW(9) -- An Active Directory Domain Controller for the target domain could not be contacted. Reason: Unable to find DC in the domain
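As an added example (not Okta's code), the following Python script runs a triage rule over agent log lines modelled on the excerpt above: it counts, per gateway, domain controller contact failures and bind attempts rejected as a bad credential, and flags the combination of both as the post-rollup symptom. The sample log is constructed, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample modelled on the Okta AD Agent log excerpt (not a real capture).
SAMPLE_LOG = """\
2022/11/16 17:10:41.957+02:00 Error -- OKTA-GW(8) -- The target domain cannot be contacted. Retrying in 30 seconds.
2022/11/16 17:10:41.957+02:00 Error -- OKTA-GW(9) -- The target domain cannot be contacted. Retrying in 30 seconds.
2022/11/16 17:11:12.410+02:00 Info -- OKTA-GW(9) -- Checking if the target domain can be contacted
2022/11/16 17:11:12.410+02:00 Debug -- OKTA-GW(9) -- Trying to connect to the default DC
2022/11/16 17:11:12.410+02:00 Info -- OKTA-GW(8) -- Checking if the target domain can be contacted
2022/11/16 17:11:12.410+02:00 Error -- OKTA-GW(9) -- An Active Directory Domain Controller for the target domain could not be contacted. Reason: Unable to find DC in the domain
   Caused by System.Runtime.InteropServices.COMException received with message The user name or password is incorrect.
"""

# "<date> <time+offset> <Level> -- OKTA-GW(n) -- <message>"; exception lines do not match.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>\w+) -- (?P<src>OKTA-GW\(\d+\)) -- (?P<msg>.*)$")

# The two symptoms the article lists: a bind rejected as a bad credential, and DC contact failures.
BAD_CREDENTIAL = "The user name or password is incorrect"
DC_UNREACHABLE = ("cannot be contacted", "could not be contacted")

def parse(log_text):
    """Yield (ts, level, source, message); unstructured exception lines get None fields."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m["ts"], m["level"], m["src"], m["msg"]
        elif raw.strip():
            yield None, None, None, raw.strip()

def triage(log_text):
    """Count per-gateway DC failures and credential rejections and return a verdict."""
    dc_failures = Counter()
    credential_rejects = 0
    for ts, level, src, msg in parse(log_text):
        if BAD_CREDENTIAL in msg:
            credential_rejects += 1
        if level == "Error" and any(k in msg for k in DC_UNREACHABLE):
            dc_failures[src] += 1
    # Both signals together match the post-rollup pattern; DC failures alone are a weaker hint.
    if credential_rejects and dc_failures:
        verdict = "matches KB5020805 Kerberos symptom: check DC patch level and apply the Microsoft out-of-band update"
    elif dc_failures:
        verdict = "DC unreachable without credential rejection: check network and DNS before suspecting the patch"
    else:
        verdict = "no matching symptoms"
    return {"dc_failures": dict(dc_failures), "credential_rejects": credential_rejects, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```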
Applies To
  • Kerberos signatures
  • AD Agent
Cause

The root cause is Microsoft patch KB5020805, which invalidates existing Kerberos signatures. Below are links to the Microsoft KB release, the acknowledgment of service disruption from Microsoft, and its resolution.

Solution

To proactively address scenarios where the Okta AD Agent becomes disconnected or starts flapping (repeatedly connecting and disconnecting), we are providing the following information.

Research, testing, and numerous already-resolved Support cases have confirmed that the solution provided by Microsoft restores the connection between the Okta AD Agents and the domain.

Microsoft released an out-of-band update on November 17, 2022, which resolves the issue.
