Okta Active Directory Agent Service Does Not Start with Agent Log Error "Could not load encrypted configuration settings"
Overview

The Okta Active Directory (AD) Agent service does not start when the service account cannot decrypt the agent configuration file. Perform a complete uninstallation and reinstallation of the Okta AD Agent to resolve this issue. The Okta AD Agent logs display the following error message:

 

Could not load encrypted configuration settings from C:\Program Files (x86)\Okta\Okta AD Agent\OktaAgentService.exe.config. Probably, the configuration file was encrypted by another user. Reinstall the agent to fix this issue.

 

2024/12/13 12:07:40.983-06:00 Info -- SERVER(4) -- Okta AD Agent starting
2024/12/13 12:07:40.985-06:00 Info -- SERVER(4) -- Service account: DOMAIN\service.account
2024/12/13 12:07:40.986-06:00 Info -- SERVER(4) -- Loading configuration file: C:\Program Files (x86)\Okta\Okta AD Agent\OktaAgentService.exe
2024/12/13 12:07:41.296-06:00 Info -- SERVER(4) -- BaseOktaURI: https://<org>.okta.com
2024/12/13 12:07:41.308-06:00 Error -- SERVER(4) -- Could not load encrypted configuration settings from C:\Program Files (x86)\Okta\Okta AD Agent\OktaAgentService.exe.config. Probably, the configuration file was encrypted by another user. Reinstall the agent to fix this issue.
2024/12/13 12:07:41.314-06:00 Info -- SERVER   at Okta.Agent.ClientConfig.LoadFromFile(String path, Boolean loadProtectedSettings)
   at Okta.Agent.AgentInstance.Start(Boolean logToConsole)
Okta.Agent.ClientConfigException received with message Could not load encrypted configuration settings from C:\Program Files (x86)\Okta\Okta AD Agent\OktaAgentService.exe.config. Probably, the configuration file was encrypted by another user. Reinstall the agent to fix this issue. Source=OktaAgentService InnerException=System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.
	Caused by System.Security.Cryptography.CryptographicException received with message Key not valid for use in specified state.
 Source=System.Security InnerException=.
2024/12/13 12:07:41.315-06:00 Info -- SERVER(4) -- Okta AD Agent stopping
2024/12/13 12:07:41.315-06:00 Info -- SERVER(4) -- Okta AD Agent stopped
Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Directories
  • Active Directory (AD)
  • Okta AD Agent
Cause

This message indicates the service account in use cannot decrypt the agent configuration file. This commonly occurs after attempting to update the Okta AD Agent service account or restoring the AD Agent server from a backup.
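To confirm this cause on a given server before reinstalling, the following added example (not Okta's own code) scans agent log text for the failure and reports which service account was logged for that start attempt and whether the inner "Key not valid" exception is present. The function name and output fields are hypothetical, and the sample lines are constructed from the log excerpt above.

```powershell
# Added example. Function name and output fields are hypothetical;
# the matched message strings come from the log excerpt on this page.
function Find-OktaConfigDecryptFailure {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$LogLines)

    $ts      = '^(?<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{2}:\d{2}) '
    $account = $null   # service account logged for the current start attempt
    $failure = $null   # failure record currently being assembled
    $results = @()

    foreach ($line in $LogLines) {
        if ($line -match ($ts + 'Info -- .*Okta AD Agent starting')) {
            $account = $null; $failure = $null        # a new start attempt begins
        }
        elseif ($line -match 'Service account: (?<acct>.+)$') {
            $account = $Matches['acct'].Trim()
        }
        elseif ($line -match ($ts + 'Error -- .*Could not load encrypted configuration settings from (?<cfg>.+?\.config)\.')) {
            $failure = [pscustomobject]@{
                Timestamp      = $Matches['ts']
                ServiceAccount = $account
                ConfigFile     = $Matches['cfg']
                KeyNotValid    = $false
            }
            $results += $failure
        }
        elseif ($failure -and $line -match 'CryptographicException.*Key not valid for use in specified state') {
            $failure.KeyNotValid = $true              # inner exception: decryption itself failed
        }
    }
    return $results
}

# Constructed sample input, abridged from the log excerpt above.
$sample = @'
2024/12/13 12:07:40.983-06:00 Info -- SERVER(4) -- Okta AD Agent starting
2024/12/13 12:07:40.985-06:00 Info -- SERVER(4) -- Service account: DOMAIN\service.account
2024/12/13 12:07:41.308-06:00 Error -- SERVER(4) -- Could not load encrypted configuration settings from C:\Program Files (x86)\Okta\Okta AD Agent\OktaAgentService.exe.config. Probably, the configuration file was encrypted by another user. Reinstall the agent to fix this issue.
	Caused by System.Security.Cryptography.CryptographicException received with message Key not valid for use in specified state.
2024/12/13 12:07:41.315-06:00 Info -- SERVER(4) -- Okta AD Agent stopped
'@

Find-OktaConfigDecryptFailure -LogLines ($sample -split '\r?\n') | Format-List
```

Compare the reported ServiceAccount with the logon account currently configured for the agent service; a mismatch with the account used at the original installation, or a server recently restored from backup, matches the cause described above.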

Solution

How is the "Could not load encrypted configuration settings" error resolved?

 

Uninstall the Okta AD Agent completely, remove the old configuration folder, and perform a fresh installation of the latest agent version.

  1. Uninstall the AD Agent using the Microsoft Programs and Features or Apps and Features components.
  2. Delete or rename the folder C:\Program Files (x86)\Okta\Okta AD Agent. This ensures Okta does not use the old configuration file during installation.
  3. Perform a fresh installation of the latest Okta AD Agent.

    NOTE: If the installation process does not prompt for service account credentials, the old configuration file was not successfully removed prior to installation. Cancel the installation, remove or rename the installation folder, and start the installation again.

 
