When a user attempts to log in to Okta using Active Directory (AD) via Delegated Authentication, the authentication may fail when the Active Directory Domain Controller rejects the authentication request and returns an error code.
When this occurs, Okta generates an event in the Okta System Log labeled "Authenticate user via AD agent" with a status of Login Failed. The event contains the error code provided by AD.
Administrators can identify the root cause of the failure by reviewing the Okta System Log event for the specific error code and applying the corresponding fix based on the response from AD.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Directories
- Active Directory (AD)
- Delegated Authentication
The Domain Controller rejects the authentication request and returns an error code indicating the failure reason.
How are Delegated Authentication failures identified?
To identify the specific error that the Domain Controller produced, navigate to the Okta System Log and locate the error code by performing the following actions:
- In the failed authentication event, expand Event.
- Expand System.
- Expand DebugContext.
- Expand DebugData.
- Locate the ErrorCode that corresponds to the Active Directory authentication error code.
- In this example, the error code is 1329.
Review the following list of common Active Directory authentication error codes to determine the reason for the failure:
| Error Code | Error Description | Note |
|---|---|---|
| | Logon failure: unknown username or bad password | Returns when the username is valid but the password/credential is invalid. |
| 1328 - ERROR_INVALID_LOGON_HOURS | Logon failure: account logon time restriction violation | Returns only when presented with a valid username and password/credential. |
| 1329 - ERROR_INVALID_WORKSTATION | Logon failure: user not allowed to log on to this computer | Returns only when presented with a valid username and password/credential. |
| 1330 - ERROR_PASSWORD_EXPIRED | Logon failure: the specified account password has expired | Returns only when presented with a valid username and password/credential. |
| 1787 - ERROR_NO_TRUST_SAM_ACCOUNT | The security database on the server does not have a computer account for this workstation trust relationship. | None |
| 1789 - ERROR_TRUSTED_RELATIONSHIP_FAILURE | The trust relationship between this workstation and the primary domain failed. | None |
| 1793 - ERROR_ACCOUNT_EXPIRED | The user's AD account has expired. | Returns only when presented with a valid username and password/credential. |
| 1907 - ERROR_PASSWORD_MUST_CHANGE | The user's password must be changed before logging on for the first time. | Returns only when presented with a valid username and password/credential. |
| 1909 - ERROR_ACCOUNT_LOCKED_OUT | The referenced account is currently locked out and may not be logged on to. | Returns even if an invalid password is presented. |
NOTE: Okta does not return these error codes. They reflect the response of the Active Directory Domain Controller that validates the credentials during the user login via Delegated Authentication.
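The lookup described above can be scripted against exported System Log events. The following is an added example, not Okta's own code: it walks the same path (debugContext, debugData, ErrorCode) on each event, maps the AD code to the table above, and counts failures per code so that a burst of one code (for example, many lockouts) stands out in a batch of events. The sample events are constructed; their field names (displayMessage, outcome.result, debugContext.debugData) mirror the System Log fields the article refers to.

```python
from collections import Counter

# Common AD error codes from the table above (symbol, shortened description).
# Codes not listed there fall through to the "unknown" branch below.
AD_ERROR_CODES = {
    1328: ("ERROR_INVALID_LOGON_HOURS", "Logon time restriction violation"),
    1329: ("ERROR_INVALID_WORKSTATION", "User not allowed to log on to this computer"),
    1330: ("ERROR_PASSWORD_EXPIRED", "Account password has expired"),
    1787: ("ERROR_NO_TRUST_SAM_ACCOUNT", "No computer account for this workstation trust"),
    1789: ("ERROR_TRUSTED_RELATIONSHIP_FAILURE", "Trust with the primary domain failed"),
    1793: ("ERROR_ACCOUNT_EXPIRED", "AD account has expired"),
    1907: ("ERROR_PASSWORD_MUST_CHANGE", "Password must be changed before first logon"),
    1909: ("ERROR_ACCOUNT_LOCKED_OUT", "Account is locked out"),
}

def ad_error_from_event(event):
    """Return (code, symbol, description) for a failed 'Authenticate user via AD
    agent' event by walking debugContext -> debugData -> ErrorCode; None otherwise."""
    if event.get("displayMessage") != "Authenticate user via AD agent":
        return None
    if event.get("outcome", {}).get("result") != "FAILURE":
        return None
    raw = event.get("debugContext", {}).get("debugData", {}).get("ErrorCode")
    try:
        code = int(raw)
    except (TypeError, ValueError):
        return None  # no AD code on the event: the DC did not reject it
    symbol, desc = AD_ERROR_CODES.get(code, ("UNKNOWN", "Not in the common-code table"))
    return code, symbol, desc

def failures_by_code(events):
    """Count failed AD-agent logins per error symbol across a batch of events."""
    counts = Counter()
    for ev in events:
        hit = ad_error_from_event(ev)
        if hit:
            counts[hit[1]] += 1
    return counts

# Constructed sample events (field names mirror the System Log fields the
# article refers to; values are made up for this example).
SAMPLE_EVENTS = [
    {"displayMessage": "Authenticate user via AD agent", "outcome": {"result": "FAILURE"},
     "debugContext": {"debugData": {"ErrorCode": "1329"}}},
    {"displayMessage": "Authenticate user via AD agent", "outcome": {"result": "SUCCESS"},
     "debugContext": {"debugData": {}}},
    {"displayMessage": "Authenticate user via AD agent", "outcome": {"result": "FAILURE"},
     "debugContext": {"debugData": {"ErrorCode": "1909"}}},
]
```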
For a complete list of Windows system error codes, review Microsoft's system error code documentation.
