This article addresses the issue of users being unable to authenticate to Okta using Delegated Authentication with Active Directory (AD). Additional error messages are also received in the Windows Event log.
The error code in the System Log entry is 1385:
Logon failure: the user has not been granted the requested logon type at this computer.
The errors shown on the AD Agent's Windows server side (Event Viewer > Windows Logs > Security) are as below:
FAILURE: Group Membership Unchanged
FAILURE: login failed
Applies to:
- Directory Integrations
- Active Directory
- Delegated Authentication
The following System Log search query will determine if the issue is present:
eventType eq "user.authentication.auth_via_AD_agent" and debugContext.debugData.errorCode eq "1385"
The 1385 error code is returned when the user has not been granted the requested logon type on the Okta Active Directory Agent server.
Additional information can be found on Microsoft's site.
To remediate this issue, the user must be allowed to log on locally to the Okta AD Agent servers. The permission can be granted through group membership or individually. If the user is already a member of a group that has been assigned the right, there is an issue with the AD User object; adding the user individually may resolve the issue.
To allow local login access to the AD Agent server, perform the following steps:
- Open Start menu > type gpedit.msc.
- Under Computer Configuration, go to Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Right-click on Allow log on locally > Properties.
- Click Add User or Group, then add the new user account.
NOTE:
- In step 3, the permission can be Access this computer from the network or Allow log on locally. It does not need to be both. However, any explicit deny policy for the user is always honored in AD before any allow policy.
- These steps will need to be performed on all AD Agent servers. Therefore, as described in the Microsoft articles mentioned in the Related References section, the administrator should review "Risky configuration" and "Reasons to grant this user right" and set the appropriate permissions.
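The following PowerShell script is an added example, not part of the Okta article: run from an elevated prompt on each AD Agent server, it exports the local user-rights policy with secedit and reports whether the affected account (or one of its domain groups) holds the allow and deny rights discussed in the note above. The account name is a placeholder; the domain lookup uses .NET directly, so the RSAT AD module is not required.

```powershell
# Added example (not from the Okta article). Run elevated on each Okta AD Agent server.
param([string]$User = 'jdoe')   # placeholder sAMAccountName; replace with the real account

# 1. Export the effective local user-rights policy (secedit ships with Windows).
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        # Values are comma-separated; raw SIDs are prefixed with '*'. Resolve them to names.
        $rights[$matches[1]] = ($matches[2] -split ',') | ForEach-Object {
            $v = $_.Trim()
            if ($v.StartsWith('*')) {
                try { ([System.Security.Principal.SecurityIdentifier]$v.Substring(1)).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $v }   # unresolvable SID (e.g. deleted account): keep it raw
            } else { $v }
        }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 2. Resolve the user's authorization groups (nested domain groups included). Local groups on
#    the agent server itself, such as BUILTIN\Users, are not expanded by this lookup.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain')
$principal = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $User)
if (-not $principal) { throw "Account '$User' not found in the domain" }
$identities = @($principal.Sid.Translate([System.Security.Principal.NTAccount]).Value) +
    ($principal.GetAuthorizationGroups() | ForEach-Object {
        try { $_.Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { "$($_.Sid)" }
    })

# 3. Check the allow rights and their deny counterparts; a deny is honored before any allow.
$checks = @(
    @{ Name = 'Allow log on locally';                          Key = 'SeInteractiveLogonRight' },
    @{ Name = 'Access this computer from the network';         Key = 'SeNetworkLogonRight' },
    @{ Name = 'Deny log on locally';                           Key = 'SeDenyInteractiveLogonRight' },
    @{ Name = 'Deny access to this computer from the network'; Key = 'SeDenyNetworkLogonRight' }
)
foreach ($c in $checks) {
    $hit = @($rights[$c.Key]) | Where-Object { $identities -contains $_ }
    $status = if ($hit) { "granted via $($hit -join ', ')" } else { 'no match' }
    Write-Output ("{0,-50} {1}" -f $c.Name, $status)
}
```

A "no match" on both allow rights, or any match on a deny right, reproduces the 1385 condition for that account on that server; because local groups are not expanded, confirm an allow reported as "no match" in the Local Security Policy console before changing it.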
Please consult the Active Directory team or Microsoft for additional assistance if the issue persists.
