Admin Account Showing Up in the System Log for Delegated Authentication Events
Okta Classic Engine
Directories
Okta Identity Engine
Overview

This article explains why Admin accounts might show up as the "actor" of multiple Delegated Authentication events. This only applies to Okta AD Agent version 3.17 and below. 

Applies To
  • Active Directory
  • Delegated Authentication
  • Okta AD Agent Version 3.17 and Below
  • System Log
Solution

When installing the AD Agent version 3.17 and below, the process prompts for the entry of two sets of credentials:

  1. An AD Service Account. This is an AD domain service or user account. The installer can create it (named OktaService by default), or an existing account can be selected.
  2. An Okta Admin Account. It is used during installation to let the AD agent connect to Okta by creating an API Token. This account should be Okta-mastered, not AD-mastered. The minimum admin role required for this account is Super admin.


After the AD Agent is installed on the server, events that depend on it appear in the System Log with the Okta Admin who installed it as the actor, because Okta uses the API Token that this admin created during the installation.

 

NOTE: Okta strongly recommends using a dedicated Admin Account during the installation of any Okta Agent. The API Tokens created during the installation will inherit the permissions of the Okta Admin Account that created them. If the account is deactivated, the API Token will be revoked, and the connection between Okta and AD Agent will no longer work.
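When reviewing exported System Log events, it helps to separate the agent-driven Delegated Authentication events attributed to the installing admin from anything else that account did. The following is an added example, not Okta's code: the event type string, the trimmed event shape, and the account names are assumptions, and the sample events are constructed.

```python
from collections import Counter

# Assumption: event type logged for authentication delegated to the AD agent.
DELAUTH_EVENT_TYPES = {"user.authentication.auth_via_AD_agent"}

# Constructed sample events, trimmed to the fields this example reads.
SAMPLE_EVENTS = [
    {"eventType": "user.authentication.auth_via_AD_agent",
     "actor": {"alternateId": "agent-admin@example.com"},
     "target": [{"type": "User", "alternateId": "alice@example.com"}]},
    {"eventType": "user.authentication.auth_via_AD_agent",
     "actor": {"alternateId": "agent-admin@example.com"},
     "target": [{"type": "User", "alternateId": "bob@example.com"}]},
    {"eventType": "user.authentication.auth_via_AD_agent",
     "actor": {"alternateId": "agent-admin@example.com"},
     "target": [{"type": "User", "alternateId": "alice@example.com"}]},
    {"eventType": "system.api_token.create",
     "actor": {"alternateId": "agent-admin@example.com"},
     "target": [{"type": "Token", "alternateId": "unknown"}]},
    {"eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"},
     "target": []},
]


def summarize_actor(events, actor_login):
    """Split one actor's events into agent-driven delegated auth and the rest.

    Returns (per-user delegated auth counts, other event types to review).
    """
    delauth_users = Counter()
    other_event_types = []
    for event in events:
        if event.get("actor", {}).get("alternateId") != actor_login:
            continue  # event belongs to a different actor
        if event.get("eventType") in DELAUTH_EVENT_TYPES:
            # The authenticating end user is carried as a User target.
            for target in event.get("target", []):
                if target.get("type") == "User":
                    delauth_users[target.get("alternateId")] += 1
        else:
            other_event_types.append(event.get("eventType"))
    return dict(delauth_users), other_event_types


if __name__ == "__main__":
    print(summarize_actor(SAMPLE_EVENTS, "agent-admin@example.com"))
```

With a dedicated admin account used only for the agent installation, the second list should contain little beyond the token creation itself, which makes any other entry stand out for review.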

