Troubleshooting Failed Delegated Authentication Attempts
Overview

This article explains the meaning of various Active Directory (AD) error codes logged in the AD Agent logs during Delegated Authentication attempts.

Applies To
  • Directories
  • Active Directory (AD)
  • LDAP
  • Delegated Authentication
Solution

When a user signs in to Okta with Active Directory or LDAP credentials through Delegated Authentication, an event labeled "Authenticate user via AD agent" or "Authenticate user via LDAP agent" is generated in the System Log.

If the login attempt fails, the result will be shown with the label "Failure" followed by an error description.

[Screenshot: User Authentication via LDAP failed]

Some Active Directory failures list the failure cause as "Login failed".

[Screenshot: User Authentication via AD Agent failed]

These events should contain the error produced by the Domain Controller that handled the authentication request. Expand Event > System > DebugContext > DebugData. The ErrorCode listed there corresponds to an Active Directory authentication error code.

[Screenshot: System Log event with DebugData expanded]

Some of the most common error codes for authentication are:

  • 1328 - ERROR_INVALID_LOGON_HOURS (Logon failure: account logon time restriction violation.)
    NOTE: Returned only when presented with a valid username and password/credential.
  • 1326 - ERROR_LOGON_FAILURE (Logon failure: unknown user name or bad password.)
    NOTE: Returned when the username is valid but the password/credential is invalid.
  • 1329 - ERROR_INVALID_WORKSTATION (Logon failure: user not allowed to log on to this computer.)
    NOTE: Returned only when presented with a valid username and password/credential.
  • 1330 - ERROR_PASSWORD_EXPIRED (Logon failure: the specified account password has expired.)
    NOTE: Returned only when presented with a valid username and password/credential.
  • 1787 - ERROR_NO_TRUST_SAM_ACCOUNT (The security database on the server does not have a computer account for this workstation trust relationship.)
  • 1789 - ERROR_TRUSTED_RELATIONSHIP_FAILURE (The trust relationship between this workstation and the primary domain failed.)
  • 1793 - ERROR_ACCOUNT_EXPIRED (The user's account has expired.)
    NOTE: Returned only when presented with a valid username and password/credential.
  • 1907 - ERROR_PASSWORD_MUST_CHANGE (The user's password must be changed before logging on for the first time.)
    NOTE: Returned only when presented with a valid username and password/credential.
  • 1909 - ERROR_ACCOUNT_LOCKED_OUT (The referenced account is currently locked out and may not be logged on to.)
    NOTE: Returned even if an invalid password is presented.
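The practical value of the table above is the split it draws: several codes (1328, 1329, 1330, 1793, 1907) are only returned after the Domain Controller has accepted the username and password, so those failures are account restrictions rather than wrong credentials, while 1909 is returned regardless of the password presented. The following Python script is an added example, not code from Okta or from this article; it triages a batch of System Log events by that distinction and counts repeated lockouts per user. The event shape follows the System Log API's top-level fields (actor, outcome, debugContext.debugData), but the debugData key name ErrorCode, the sample events, and the category names are assumptions constructed for the example.

```python
"""Triage failed Okta delegated-authentication events by the AD error code
recorded under debugContext.debugData (constructed example, not Okta code)."""
from collections import Counter

# Codes and meanings as listed in the article (Windows system error codes).
AD_ERROR_CODES = {
    1326: ("ERROR_LOGON_FAILURE", "unknown user name or bad password"),
    1328: ("ERROR_INVALID_LOGON_HOURS", "account logon time restriction violation"),
    1329: ("ERROR_INVALID_WORKSTATION", "user not allowed to log on to this computer"),
    1330: ("ERROR_PASSWORD_EXPIRED", "the specified account password has expired"),
    1787: ("ERROR_NO_TRUST_SAM_ACCOUNT", "no computer account for this workstation trust"),
    1789: ("ERROR_TRUSTED_RELATIONSHIP_FAILURE", "trust with the primary domain failed"),
    1793: ("ERROR_ACCOUNT_EXPIRED", "the user's account has expired"),
    1907: ("ERROR_PASSWORD_MUST_CHANGE", "password must be changed before first logon"),
    1909: ("ERROR_ACCOUNT_LOCKED_OUT", "account is currently locked out"),
}

# Per the article, these codes come back only after the DC accepted the
# username AND password: the failure is an account restriction, not a bad credential.
VALID_CREDENTIAL_CODES = {1328, 1329, 1330, 1793, 1907}
# These two point at the AD agent host's trust with the domain, not at the user.
AGENT_TRUST_CODES = {1787, 1789}


def _to_int(value):
    """ErrorCode may be logged as int or string; normalise, or None if absent/garbage."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def classify(error_code):
    """Map an AD error code to a triage category (category names are our own)."""
    code = _to_int(error_code)
    if code is None:
        return "unknown"
    if code in VALID_CREDENTIAL_CODES:
        return "account_restriction"
    if code in AGENT_TRUST_CODES:
        return "agent_trust"
    if code == 1909:
        return "lockout"
    if code == 1326:
        return "bad_credential"
    return "unknown"


def triage_event(event):
    """Return a triage record for one failed event, or None if the event is not a failure."""
    outcome = event.get("outcome") or {}
    if outcome.get("result") != "FAILURE":
        return None
    # ASSUMPTION: the AD code sits at debugContext.debugData.ErrorCode, as the article's
    # UI path (Event > System > DebugContext > DebugData > ErrorCode) suggests.
    debug = (event.get("debugContext") or {}).get("debugData") or {}
    code = _to_int(debug.get("ErrorCode"))
    name, meaning = AD_ERROR_CODES.get(code, ("UNKNOWN", "code not in the article's table"))
    return {
        "user": (event.get("actor") or {}).get("alternateId"),
        "code": code,
        "name": name,
        "meaning": meaning,
        "category": classify(code),
    }


def summarize(events):
    """Count failures per category and tally lockout events per user."""
    records = [r for r in (triage_event(e) for e in events) if r is not None]
    by_category = Counter(r["category"] for r in records)
    lockouts = Counter(r["user"] for r in records if r["category"] == "lockout")
    return {"by_category": dict(by_category), "lockouts_per_user": dict(lockouts), "records": records}


def _event(user, result, code=None):
    """Build a constructed sample event in the System Log shape used above."""
    ev = {"eventType": "user.authentication.auth_via_AD_agent",
          "actor": {"alternateId": user},
          "outcome": {"result": result}}
    if code is not None:
        ev["debugContext"] = {"debugData": {"ErrorCode": code}}
    return ev


# Constructed sample input: five failures (one code logged as a string) and one success.
SAMPLE_EVENTS = [
    _event("alice@example.com", "FAILURE", 1328),
    _event("bob@example.com", "FAILURE", "1326"),
    _event("carol@example.com", "FAILURE", 1909),
    _event("carol@example.com", "FAILURE", 1909),
    _event("dave@example.com", "SUCCESS"),
    _event("erin@example.com", "FAILURE", 1787),
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_EVENTS)
    for rec in summary["records"]:
        print(f'{rec["user"]:<20} {rec["code"]!s:>5} {rec["name"]:<36} {rec["category"]}')
    print("by category:", summary["by_category"])
    print("lockouts per user:", summary["lockouts_per_user"])
```

When reading the output, an account_restriction record means the password presented was correct, which is a different conversation with the user (and, if the user denies the attempt, a different investigation) than a bad_credential record; agent_trust records point at the AD agent host rather than the user account.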

NOTE: These error codes are not returned by Okta. They reflect the response of the Active Directory Domain Controller that validated the credentials during the user's login via Delegated Authentication. A full list of these codes can be found below: