User Unable to Log In to Okta With NOT SPECIFIED and ErrorCode 1384 in the System Log


Overview

A user fails to log in to Okta because the Windows security identifier (SID) limit of 1,000 groups has been exceeded. Reducing the user's group memberships in the server's domain resolves the issue. When the user attempts to authenticate, the login fails and Okta records the following error in the System Log:

NOT_SPECIFIED

ErrorCode 1384

Applies To

  • Okta Classic Engine
  • Okta Identity Engine (OIE)
  • Active Directory (AD)

Cause

The Microsoft System Error Code 1384 indicates ERROR_TOO_MANY_CONTEXT_IDS. During a login attempt, the user’s security context accumulates too many security identifiers (SIDs).


Windows systems enforce a limit that prevents a user's security access token from containing over 1,000 SIDs. When a server validates a user's access rights to establish a new session, the user must not be a member of more than 1,000 groups within that server's domain. Exceeding this limit denies access to the server and returns error code 1384. If the server resides in a second domain, Windows determines the total number of groups by adding the user's group membership in the second domain to the user's global group membership in the primary domain.

Solution

How is the Okta login failure due to ErrorCode 1384 resolved?


Reduce the user's Active Directory group memberships to comply with the Windows security identifier limit.

  • Ensure the user holds membership in fewer than 1,000 groups in the server's domain.
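As an added diagnostic that is not part of this article, the following PowerShell counts a user's transitive group memberships in the home domain and compares the total with the 1,000-SID limit described under Cause, so an administrator can see how far over the limit the account is before trimming groups. It assumes the RSAT ActiveDirectory module, a session with read access to the domain, and a placeholder user name; groups the user holds in a second (resource) domain are not counted here.

```powershell
# Added check script (not from the Okta article): counts a user's transitive AD group
# memberships, the figure that drives the 1,000-SID token limit behind error 1384.
# Assumes the RSAT ActiveDirectory module and an account allowed to read group membership.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape a DN for use inside an LDAP filter (RFC 4515); the backslash goes first.
    param([string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Get-TokenGroupReport {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Limit = 1000   # Windows limit on SIDs in an access token (see Cause)
    )
    $user = Get-ADUser -Identity $SamAccountName
    $dn = ConvertTo-LdapFilterValue $user.DistinguishedName
    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) expands nested membership
    # on the domain controller, so groups reached only through other groups are included,
    # as they are in the logon token.
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)")
    $count = $groups.Count + 1   # +1: the primary group is not in 'member' but is in the token
    [pscustomobject]@{
        User       = $user.SamAccountName
        GroupCount = $count
        OverLimit  = ($count -ge $Limit)
        Headroom   = $Limit - $count   # negative when the account must shed groups
        ByScope    = ($groups | Group-Object GroupScope | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
        Groups     = @($groups | Sort-Object Name | Select-Object -ExpandProperty Name)
    }
}

# Placeholder user name; replace with the account from the System Log entry.
Get-TokenGroupReport -SamAccountName 'jdoe' | Format-List
```

The real token also carries well-known SIDs (such as Everyone and Authenticated Users) and any domain-local groups from the server's own domain, so treat the figure as a lower bound when deciding how many memberships to remove.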
