This article discusses a common issue where users encounter 400 errors during authentication via Agentless Desktop Single Sign-On (ADSSO). The problem typically occurs when the user's Kerberos token exceeds the size Okta can process. To fix it, determine the size of the affected user's Kerberos token and reduce it to a size that Okta can handle.
- Agentless Desktop Single Sign-On (DSSO)
A Kerberos token may become oversized for various reasons, but group membership and SIDHistory are the most common causes. SIDHistory is relevant when a user object has been migrated from one domain to another: the SIDs carried over from the old domain are added to the token and can push it past Okta's limit of 16 KB.
This issue can be addressed by reducing the user's group membership count or by removing the SIDHistory from the user object in Active Directory. For comprehensive instructions, refer to the Okta documentation on configuring Agentless Desktop Single Sign-On.
Agentless DSSO will not function if a user's Kerberos token exceeds 16 KB. This corresponds roughly to membership in 600 security groups, though that is not a hard limit, and many factors contribute to the token size. A user who exceeds this limit and attempts the Agentless DSSO flow receives a 400 response and is redirected to the standard sign-in page. Moreover, raising MaxTokenSize in the Active Directory environment will not enable Okta to process a larger Kerberos token; only reducing the token itself resolves the issue.
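As an added example (not Okta's or Microsoft's code), the following PowerShell script estimates a user's Kerberos token size from their transitive group membership and SIDHistory using Microsoft's published estimation formula (1200 + 40d + 8s bytes), so an administrator can check whether an account is near the 16 KB Agentless DSSO limit before trimming group membership. It assumes the RSAT ActiveDirectory module is installed, read access to the domain, and that the `$SamAccountName` parameter names the affected account.

```powershell
# Estimate a user's Kerberos token size (Microsoft formula: 1200 + 40d + 8s), where
#   d = domain local groups + universal groups outside the account domain + SIDHistory entries
#   s = global groups + universal groups inside the account domain
# Added example, not Okta's code. Assumes the ActiveDirectory module (RSAT) is available.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [int]$OktaLimitBytes = 16384   # 16 KB Agentless DSSO limit stated above
)
Import-Module ActiveDirectory

# Accept either a SecurityIdentifier or the raw binary SID that AD may return.
function ConvertTo-Sid($value) {
    if ($value -is [System.Security.Principal.SecurityIdentifier]) { return $value }
    return New-Object System.Security.Principal.SecurityIdentifier($value, 0)
}

# tokenGroups is a constructed attribute listing every security group SID the user
# holds transitively (nested groups included), which is what ends up in the ticket.
$user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups, sidHistory, objectSid
$accountDomainSid = (ConvertTo-Sid $user.objectSid).AccountDomainSid.Value

$d = 0; $s = 0; $unresolved = @()
foreach ($raw in $user.tokenGroups) {
    $sid = ConvertTo-Sid $raw
    try {
        $group = Get-ADGroup -Identity $sid.Value
    } catch {
        # Groups from other domains or well-known SIDs may not resolve here;
        # count them as domain local (the worst case) and report them.
        $unresolved += $sid.Value; $d++; continue
    }
    $inAccountDomain = ($sid.AccountDomainSid -and $sid.AccountDomainSid.Value -eq $accountDomainSid)
    switch ($group.GroupScope) {
        'DomainLocal' { $d++ }
        'Global'      { $s++ }
        'Universal'   { if ($inAccountDomain) { $s++ } else { $d++ } }
    }
}
# Each SIDHistory entry is carried in the token like a domain local group.
$sidHistoryCount = @($user.sidHistory).Count
$d += $sidHistoryCount

$estimate = 1200 + (40 * $d) + (8 * $s)
[pscustomobject]@{
    User                   = $SamAccountName
    DomainLocalOrForeign   = $d
    GlobalOrLocalUniversal = $s
    SidHistoryEntries      = $sidHistoryCount
    EstimatedTokenBytes    = $estimate
    ExceedsOktaLimit       = ($estimate -gt $OktaLimitBytes)
    UnresolvedSids         = $unresolved
}
```

The figure is an estimate: accounts trusted for Kerberos delegation carry roughly twice this size, and the 600-group rule of thumb above is only a rough guide, so an account that reports a value near the limit still warrants trimming group membership or clearing SIDHistory.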
