
Okta Active Directory Imports Fail When "tokenGroups" Attribute Is Mapped

Overview

Active Directory (AD) imports and Real-Time Sync (RTS) actions fail when the tokenGroups attribute or one of its variants exists in the AD user profile, because tokenGroups is a calculated attribute. Removing the attribute from the AD user profile resolves the issue.

During an import, the progress bar stops, and Okta displays the following error message:

An operations error occurred.

[Image: Import progress bar displaying "An operations error occurred"]

The same message appears in the AD agent logs:

2024/12/13 14:30:49.654-06:00 Error -- SERVER(5) -- Error processing READ_LDAP action
2024/12/13 14:30:49.654-06:00 Info -- SERVER   at System.DirectoryServices.SearchResultCollection.ResultsEnumerator.MoveNext()
   at Okta.DirectoryServices.WrappedSearchResultCollection.<GetEnumerator>d__13.MoveNext()
   at Okta.DirectoryServices.ScanResult.<CreateScanObjects>d__17.MoveNext()
   at Okta.DirectoryServices.ScanResult.<GetChunks>d__19.MoveNext()
   at Okta.Action.Handler.ReadLdapActionHandler.Handle(ReadLdapAction ldapAction, ActionContext context, List`1 queries, LdapCursor cursor)
   at Okta.Action.Handler.ReadLdapActionHandler.Handle(AgentAction action, ActionContext context)
   at Okta.Action.Handler.MultiTypeActionHandler.Handle(AgentAction action, ActionContext context)
   at Okta.Action.Dispatch.MultiThreadedDispatcher.HandlerCallback(Object param)
System.DirectoryServices.DirectoryServicesCOMException received with message An operations error occurred.
 Source=System.DirectoryServices InnerException=.
2024/12/13 14:30:49.654-06:00 Info -- SERVER(5) -- Processing READ_LDAP action finished, (executionTime=00:00:00.0614791)
2024/12/13 14:30:49.654-06:00 Info -- SERVER(5) -- Sending action result (FAILURE) for action READ_LDAP

Applies To

  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Active Directory (AD) Imports
  • Active Directory (AD) Real-Time Sync (RTS)
  • AD-sourced users
  • tokenGroups AD attribute

Cause

The tokenGroups attribute is a calculated attribute, meaning the AD domain controller calculates its value on demand. Imports and RTS fail for a given AD instance if the tokenGroups attribute or any of its variants exist in the AD user profile.

Solution

How is the tokenGroups attribute removed from the Active Directory user profile?

Navigate to the Profile Editor in the Okta Admin Console to locate the Active Directory instance and remove the tokenGroups attribute from the profile.

  1. In the Okta Admin Console, go to Directory and select Profile Editor.
  2. Select the Directories filter in the left sidebar.
  3. Locate the relevant AD instance and select Profile.
  4. Select the All filter in the left sidebar.
  5. Locate the tokenGroups attribute or any of its variants in the Attributes list and remove them.

The tokenGroups attribute and its variants contain a list of Security Identifiers (SIDs) pertaining to the group membership of a user. Any group membership information contained in the tokenGroups attribute already exists in Okta, eliminating the need to import these attributes.

Okta prevents administrators from adding the following attributes to AD user profiles via the Admin Console:

  • tokenGroups
  • tokenGroupsGlobalAndUniversal
  • tokenGroupsNoGCAcceptable
  • msds-tokenGroupNames
  • msds-tokenGroupNamesGlobalAndUniversal
  • msds-tokenGroupNamesNoGCAcceptable
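Profiles created before this guard existed, or populated through other means, can still carry one of these names. The following added example (not Okta's code) checks an AD instance's app user schema for the six variants listed above and builds the update body that drops them. It assumes the schema JSON uses the layout definitions.base.properties / definitions.custom.properties with each property carrying an externalName for the AD attribute, and that a custom property is deleted by setting it to null; the sample schema is constructed.

```python
# Calculated tokenGroups variants from the article; AD attribute names are
# case-insensitive, so everything is compared in lowercase.
TOKEN_GROUPS_VARIANTS = {
    "tokengroups",
    "tokengroupsglobalanduniversal",
    "tokengroupsnogcacceptable",
    "msds-tokengroupnames",
    "msds-tokengroupnamesglobalanduniversal",
    "msds-tokengroupnamesnogcacceptable",
}


def _properties(schema: dict, section: str) -> dict:
    # Assumed schema layout: definitions.<base|custom>.properties
    return schema.get("definitions", {}).get(section, {}).get("properties", {}) or {}


def find_token_group_attributes(schema: dict) -> list[str]:
    """Return the Okta variable names of profile attributes that are, or map to,
    a tokenGroups variant, checking both the variable name and externalName."""
    found = []
    for section in ("base", "custom"):
        for name, spec in _properties(schema, section).items():
            names = {name.lower(), str(spec.get("externalName", "")).lower()}
            if names & TOKEN_GROUPS_VARIANTS:
                found.append(name)
    return sorted(found)


def removal_payload(schema: dict) -> dict:
    """Build the schema-update body that deletes the flagged custom properties
    (assumed convention: property set to null). Base properties are left alone."""
    custom = _properties(schema, "custom")
    drop = [n for n in find_token_group_attributes(schema) if n in custom]
    return {"definitions": {"custom": {"properties": {n: None for n in drop}}}}


# Constructed sample: two harmless attributes plus two tokenGroups variants,
# one of them hidden behind a differently named Okta variable.
SAMPLE_SCHEMA = {
    "definitions": {
        "base": {"properties": {"sAMAccountName": {"externalName": "sAMAccountName"}}},
        "custom": {"properties": {
            "department": {"externalName": "department"},
            "tokenGroups": {"externalName": "tokenGroups"},
            "groupNames": {"externalName": "msDS-TokenGroupNames"},
        }},
    }
}

if __name__ == "__main__":
    print(find_token_group_attributes(SAMPLE_SCHEMA))  # ['groupNames', 'tokenGroups']
    print(removal_payload(SAMPLE_SCHEMA))
```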