<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Troubleshooting "Kerberos validation failed with result=GSS_ERROR" Error in Agentless DSSO
Sep 4, 2025
Okta Classic Engine
Okta Identity Engine
Directories
Overview
A service account is used to validate the Kerberos ticket when using Agentless DSSO. The error message below indicates an issue with the SPN service account's ability to validate itself against the Generic Security Service (GSS) API.

Kerberos validation failed with result=GSS_ERROR

 
Applies To
  • Agentless DSSO
  • GSS_Error
Cause
The issue concerns the SPN service account's ability to validate itself against the GSS API.​​​
Solution

To resolve the Kerberos validation failed with result=GSS_ERROR error, follow these steps:

  1. Ensure the host machine and Domain Controllers are set to the correct time. Clock Skew can cause the GSS_Error
  2. Ensure that a dedicated Active Directory service account is being used for the SPN and that all the requirements listed in Create a service account and configure a Service Principal Name have been followed.
  3. Verify that the service account is active and unlocked in Active Directory and that the password status is set to Never Expires.

service account settings

  1. Ensure that the casing of the service account (uppercase vs. lowercase) used in the SPN command matches what is listed in Active Directory.
  2. Ensure the service account's UPN prefix and sAMAccountName match in AD. 
    NOTE: Make sure that the UPN is used and not the User log on name (pre Windows 2000). This can still generate a GSS_Error. 
  3. Verify that AES Encryption is set on the account and the domain and that the box enforcing DES encryption is NOT checked.
  4. Try resetting the service account password. Be sure to reset the password in Okta under Delegated Authentication as well.
  5. Remove the existing SPN record.

    • To delete an existing SPN, run the following command:

      setspn -d HTTP/<myorg>.kerberos.<okta|oktapreview|okta-emea>.com <ServiceAccountName>.
      Replace <myorg> with the organization name and <okta|oktapreview|okta-emea> with the appropriate Okta URL for the instance. Replace <ServiceAccountName> with the name of the service account from which the SPN is to be deleted.

  6. Re-add the SPN.

    • To configure an SPN for the service account, run the following command: 
      setspn -S HTTP/<myorg>.kerberos.<okta|oktapreview|okta-emea>.com <ServiceAccountName>.
      Replace <myorg> with the organization name and <okta|oktapreview|okta-emea> with the appropriate Okta URL for the instance. Replace <ServiceAccountName> with the name of the created service account. Ensure the casing for the service account matches between AD and the SPN command.

  1. If the issue persists, recreate the SPN service account, reset the credentials in Okta, and set a new SPN record on the new account. Be sure to follow all recommendations listed in Create a Service Account and configure a Service Principal Name.

NOTE: Test after each step to see if the error is resolved.

 

If the issue persists after performing the above steps, it is environmental and must be investigated by the org's AD team.

Recommended content

Still looking for help?
Loading
Troubleshooting "Kerberos validation failed with result=GSS_ERROR" Error in Agentless DSSO