LDAP Agent Connection Issues for Version 5.22.0 and Above
Okta Classic Engine
Directories
Okta Identity Engine
Overview

This article provides a solution to the connection issue for the LDAP agent from version 5.22.0 and above.  

Applies To
  • LDAP Agent versions 5.22.0 and up 
  • LDAP
  • Windows
Cause

Starting with version 5.22.0, the LDAP Agent, like the AD Agent from version 3.18 onward, uses OAuth 2.0 authentication to verify its connection to the Okta Org. This is in contrast to previous versions, which used a persistent API token carrying all the permissions of the Okta Administrator that granted the Agent access to the Org.

As with the AD Agent, the following errors appear in the System Log for the OpenID Connect (OIDC) token request, depending on the direction of the time skew:

  • token_timestamp_invalid
  • FAILURE: invalid_dpop_proof_jwt_issued_in_future
  • FAILURE: invalid_dpop_proof_jwt_too_old  

These errors will also appear in the Okta LDAP Agent logs:

"Unexpected response status (400 BadRequest) for request URI
Response from server: {"error":"invalid_dpop_proof","error_description":"The DPoP proof JWT is issued in the future."}
Could not fetch a new access token"

The maximum allowable clock skew for successful OAuth token requests is 30 seconds. This value is subject to change.

In order to determine the clock skew, compare the local server time to the Official U.S. Time.

Solution

As in the case of the AD Agent, to resolve this, sync the member server to any standard NTP server. 

Using an elevated command prompt (CMD), type the following and press Enter:

w32tm /resync


If the above does not adequately sync to NTP time, perform the following using an elevated CMD window:

net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"0.it.pool.ntp.org 1.it.pool.ntp.org 2.it.pool.ntp.org 3.it.pool.ntp.org"
net start w32time
w32tm /config /update
w32tm /resync /rediscover
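As an added example (not part of the Okta article), the following PowerShell script measures the member server's clock offset with w32tm /stripchart and compares it against the 30-second tolerance mentioned above, so the skew can be confirmed before and after resyncing. The NTP host, sample count and script name are assumptions.

```powershell
# Added example, not from the Okta article: measure this server's clock
# offset against an NTP source and compare it with the 30-second OAuth/DPoP
# tolerance. The default NTP host and sample count are assumptions.
param(
    [string]$NtpServer  = 'time.windows.com',  # assumed time source; use your own
    [int]   $Samples    = 5,
    [double]$MaxSkewSec = 30                   # tolerance quoted in the article
)

# With /dataonly, w32tm prints one line per sample, e.g.
#   12:00:01, +00.0123456s
# The signed value is the local clock's offset from the peer in seconds.
# Sample lines that report an error (e.g. "error: 0x800705B4") carry no
# offset and are skipped by the regex below.
$lines = & w32tm.exe /stripchart /computer:$NtpServer /samples:$Samples /dataonly 2>&1

$offsets = @(foreach ($line in $lines) {
    if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
})

if ($offsets.Count -eq 0) {
    throw "No offset samples parsed from w32tm output:`n$($lines -join "`n")"
}

# Use the median so a single delayed packet does not skew the result.
$median  = ($offsets | Sort-Object)[[int][math]::Floor($offsets.Count / 2)]
$skewSec = [math]::Abs($median)

"{0,-16} {1}"                  -f 'NTP source:',     $NtpServer
"{0,-16} {1:+0.000;-0.000}s"   -f 'Median offset:',  $median
"{0,-16} {1:0.000}s"           -f 'Absolute skew:',  $skewSec

# The sign shows the direction of the skew (which of the two DPoP errors
# you would see); the magnitude decides whether token requests succeed.
if ($skewSec -ge $MaxSkewSec) {
    Write-Warning ("Skew of {0:0.000}s exceeds the {1}s tolerance; the agent's " +
                   "token requests will fail until the clock is resynced.") -f $skewSec, $MaxSkewSec
    exit 1
}
"Clock skew is within tolerance."
```

Run it from an elevated PowerShell window; to check against the same pool used in the w32tm configuration above, pass, for example, -NtpServer 0.it.pool.ntp.org.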

