<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Troubleshoot Okta Delegated Authentication Timeouts
Mar 25, 2026
Administration
Okta Classic Engine
Directories
Okta Identity Engine
All Engines
Overview

Delegated Authentication (DelAuth) allows Okta users with an Active Directory (AD) assignment to sign in to Okta using their AD credentials. The authentication attempt is delegated to the AD domain controllers via an Okta AD Agent, and Okta does not store the credentials.

 

Okta DelAuth timeouts typically occur when an AD agent server experiences resource exhaustion, network delays, or connectivity issues. Resolve these timeouts by verifying the Okta AD Agent service status and reviewing system and agent logs to identify the specific bottleneck. When an authentication takes longer than 4000 milliseconds to send a response, the Okta authentication fails, and the following timeout event appears in the System Log:

 

Delegated authentication request timed out. Ensure that the agent for your directory is connected to Okta

 

Use the following System Log search filter to determine the scope and frequency of the issue:

eventType eq "user.authentication.auth_via_AD_agent" and outcome.reason eq "Delegated authentication request timed out. Ensure that the agent for your directory is connected to Okta"


Applies To
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
  • Active Directory (AD)
  • Delegated Authentication (DelAuth)
  • Okta AD Agent
Cause

Several factors can delay the authentication response beyond the 4000-millisecond limit. Common causes include:

  • Resource exhaustion on the agent member server (for example, CPU or memory spikes).
  • Connectivity loss between the agent member server and the internet.
  • Network appliances or services are blocking the response from the agent to Okta.
  • High network latency or connection loss between the agent member server and the domain controller.
  • Delays caused by a User Profile refresh during Real Time Sync (RTS).
Solution

How are Delegated Authentication timeouts investigated and resolved?

 

Most Delegated Authentication timeouts are caused by environmental issues outside of Okta. Use the following methods to determine the root cause of a timeout.

Confirm the Okta AD Agent service is running

The Okta AD Agent must remain active to process requests. If the service stops during authentication, the attempt fails.

  1. Open the Windows Task Manager and navigate to Services.msc.
  2. Locate the Okta AD Agent service and verify that the status is Running.
  3. Alternatively, open the Okta AD Agent Manager located at C:\Program Files (x86)\Okta\Okta AD Agent\OktaAgentManager.exe to check the status.

 

Review the Okta System Logs

Analyze the System Log to determine if the issue impacts specific regions, servers, or users. Use the following search filter to isolate the events:

eventType eq "user.authentication.auth_via_AD_agent" and outcome.reason co "timed out"
 

 

Review Okta AD Agent Logs

The agent logs provide detailed execution times for each stage of the authentication. Access these logs at C:\Program Files (x86)\Okta\Okta AD Agent\logs.

Review the logs for high executionTime values. The following log snippet illustrates a transaction that exceeded the 4-second limit due to a 3.41-second domain controller response time combined with a 0.70-second packaging delay:

 

2026/01/24 15:33:48.131+00:00 Info -- <serverHostname>(<thread#>) -- Authenticating user <userPrincipalName>
[...]
2026/01/24 15:33:49.990+00:00 Info -- <serverHostname>(<thread#>) -- Processing REAL_TIME_SYNC action [...] finished, (executionTime=00:00:03.4102496)
[...]
2026/01/24 15:33:50.688+00:00 Info -- <serverHostname>(<thread#>) -- Data post finished, (executionTime=00:00:00.6970180)

 

Review Windows Event Logs

Windows Event Viewer may record service interruptions, connectivity problems, or hardware resource issues.

  1. Open Event Viewer and go to Windows Logs, and then select Application.
  2. Select Filter Current Log.
  3. Select the Event sources dropdown menu, and then choose Okta AD Agent.
    • NOTE: If the Okta AD Agent does not appear in this list, the server has not generated any logs.
  1. Select OK to apply the filter and view logs related to the Okta AD Agent.

 

The following event log example occurred when an agent server lacked sufficient memory to operate normally:

Application: OktaAgentService.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.OutOfMemoryException
at Okta.DirectoryServices.ActiveDirectoryAdapter.FindExceptionInChain[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.Exception)

    Recommended content

    Still looking for help?
    Loading
    Troubleshoot Okta Delegated Authentication Timeouts