This article explains why NTLM authentication traffic may be observed between the Okta Active Directory (AD) Agent server and AD, and the best practice for preventing NTLM communication between Okta and AD.
The Active Directory environment is configured to allow NTLM communication. The Okta AD Agent always attempts Kerberos authentication, but if the operating system of the host server is permitted to make NTLM calls and the domain allows them, Okta does not prevent the NTLM call from being made.
Configure the Active Directory environment to only allow Kerberos authentication between all Okta AD Agent servers and Active Directory.
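The following PowerShell is an added example, not part of the Okta article or the AD Agent itself. Run it elevated on an Okta AD Agent host to read the "Network security: Restrict NTLM" policy state behind the registry values and to list the remote servers that audited outgoing NTLM (event 8001) has recorded, so you can confirm nothing still depends on NTLM before switching the policy from Audit to Deny. The function names and the 7-day window are my own choices; the "Target server:" message parsing assumes an English event log.

```powershell
# Added example: audit the NTLM posture of an Okta AD Agent host before
# enforcing Kerberos-only. Registry values back the Group Policy settings
# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
# (0 = allow all, 1 = audit all, 2 = deny all) and "LAN Manager
# authentication level" (LmCompatibilityLevel, 0-5).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"

function Get-NtlmPosture {
    $send = (Get-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic `
             -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    $lmcl = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel `
             -ErrorAction SilentlyContinue).LmCompatibilityLevel
    [pscustomobject]@{
        OutgoingNtlm         = switch ($send) { 1 { 'Audit' } 2 { 'Deny' } default { 'Allow (not configured)' } }
        LmCompatibilityLevel = if ($null -eq $lmcl) { 'not set (OS default)' } else { $lmcl }
    }
}

# Event ID 8001 in the NTLM operational log is written for each outgoing NTLM
# authentication observed while the setting above is in Audit (1) mode.
# The message contains a "Target server:" line; this parses it (hypothetical
# helper, assumes English event text).
function Get-OutgoingNtlmTargets {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match 'Target server:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
    } |
    Group-Object |
    Select-Object @{ n = 'TargetServer'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending
}

Get-NtlmPosture
Get-OutgoingNtlmTargets
```

Kerberos requires a resolvable service principal, so a domain controller reached by IP address instead of its DNS name will show up here as an NTLM target; clear those before moving the policy to Deny.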
