Okta Delegated Authentication Failure with Error Code 1385
Overview

Users experience authentication failures when using Delegated Authentication with Active Directory (AD) because the user lacks the requested logon type for the Okta Active Directory Agent server. Granting the user local login access to the Okta AD Agent servers resolves the issue.


When this issue occurs, the System Log displays Login Failed with an ErrorCode of 1385.

Screenshot: System Log entry showing ErrorCode 1385

This is a Microsoft error returned by the Domain Controller.


1385 - Logon failure: the user has not been granted the requested logon type at this computer.


Additionally, the Windows Security Event log on the AD Agent server displays the following:

FAILURE: Group Membership Unchanged and FAILURE: login failed.


Screenshot: Windows Security Event Log errors associated with 1385

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Directory Integrations
  • Active Directory (AD)
  • Delegated Authentication
Cause

The 1385 error code occurs when the user does not have the requested logon type for the Okta AD Agent server.

The following System Log search query confirms whether the issue is present:

eventType eq "user.authentication.auth_via_AD_agent" and debugContext.debugData.errorCode eq "1385"
Solution

How is the 1385 error code that happens during Okta authentication resolved?


The user requires permission to log in locally to the Okta AD Agent servers. This permission can be granted through Group membership or individually. If the user is already a member of an assigned group, an issue exists with the AD User object. Adding the user individually often resolves the issue.

Grant local login access to the AD Agent server by opening the Local Group Policy Editor and adding the user account to the User Rights Assignments.

  1. Open the Start menu and enter gpedit.msc.
  2. Under Computer configuration, navigate to Windows Settings > Security Settings > Local Policies > User Rights Assignments.
  3. Right-click Allow log on locally and choose Properties.
  4. Select Add User and Group, and then add the new user account.

NOTE:

  • In step 3, either the Access this computer from the network right or the Allow log on locally right can be selected; only one of the two is required. However, an explicit deny policy for the user always takes precedence over any allow policy.
  • These steps must be performed on all AD Agent servers. Consult the Active Directory team or Microsoft for additional assistance if the issue persists.
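As an added check (not from the Okta article), the following PowerShell script, run in an elevated session on each AD Agent server, exports the local User Rights Assignment with secedit and reports whether a given account holds either allow right and whether an explicit deny right overrides it; the account name is a placeholder.

```powershell
# Added example, not Okta's or Microsoft's code: audit the local User Rights
# Assignment on an Okta AD Agent server for the rights behind error 1385.
# $Account is an assumption; replace it with the user or group to check.
param(
    [string]$Account = "CONTOSO\svc-okta-user"   # placeholder account
)

# secedit writes the effective local security policy, including user rights,
# to an INI-style file; each right lists its holders as *SID or account name.
$exportPath = Join-Path $env:TEMP "secpol-export.inf"
secedit /export /cfg $exportPath /areas USER_RIGHTS | Out-Null
$policy = Get-Content $exportPath

# Resolve the account to its SID so both representations can be matched.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# The two interchangeable allow rights from the NOTE, and the deny rights
# that always win over them.
$rights = @{
    SeInteractiveLogonRight     = "Allow log on locally"
    SeNetworkLogonRight         = "Access this computer from the network"
    SeDenyInteractiveLogonRight = "Deny log on locally"
    SeDenyNetworkLogonRight     = "Deny access to this computer from the network"
}

$result = foreach ($name in $rights.Keys) {
    $line = $policy | Where-Object { $_ -match "^$name\s*=" }
    $members = if ($line) { ($line -split "=", 2)[1].Trim() -split "," } else { @() }
    # Direct assignment by SID (*S-1-...) or by name counts as assigned.
    $assigned = $members | Where-Object { $_.Trim() -in @("*$sid", $Account) }
    [pscustomobject]@{
        Right    = $rights[$name]
        Policy   = $name
        Assigned = [bool]$assigned
    }
}

$result | Format-Table -AutoSize

# Error 1385 is expected if no allow right is held or a deny right is set.
$allow = $result | Where-Object {
    $_.Policy -in @("SeInteractiveLogonRight", "SeNetworkLogonRight") -and $_.Assigned }
$deny = $result | Where-Object { $_.Policy -like "SeDeny*" -and $_.Assigned }
if ($deny)           { Write-Warning "Explicit deny present; it overrides any allow right." }
elseif (-not $allow) { Write-Warning "No logon right assigned; expect ErrorCode 1385." }
else                 { Write-Host "Logon right present for $Account." }
```

The script only sees rights assigned directly to the account you pass; rights inherited through group membership appear under the group's SID, so run it against each group the user belongs to as well.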
