Unable to Authenticate Automatically with Agentless DSSO after Changing the Service Account Password
Okta Classic Engine
Directories
Okta Identity Engine
Overview

This article describes how to troubleshoot login issues with Agentless Desktop Single Sign-On (ADSSO) after a recent password reset for the Agentless DSSO Active Directory service account.

Applies To
  • Directories
  • Active Directory
  • Agentless Desktop Single Sign-On (ADSSO)
Cause

When the password of the Active Directory service account used for Agentless DSSO is changed, Kerberos tickets issued before the password change are no longer accepted for Okta Agentless DSSO authentications. The following error is logged in the System Log:

Agentless DSSO Auth
FAILURE: Kerberos ticket validation failed with result=GSS_ERROR.

NOTE: There are other causes for this error. If the above error is received and a password reset was not performed for the service account, please see: Troubleshooting "Kerberos validation failed with result=GSS_ERROR" Error in Agentless DSSO.

Solution

Since the Kerberos tickets issued before the service account's password reset are no longer valid for Agentless DSSO authentications, the only way to resolve the issue is for the users to receive a new Kerberos ticket. The simplest method to receive a new Kerberos ticket is for end users to restart their workstation or log out of Windows and log in again.

Alternatively, current Kerberos tickets can be purged from the machine by utilizing the command below in Command Prompt:

klist purge


After running the klist purge command, a new Kerberos ticket will be requested upon the next Agentless DSSO authentication attempt.
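
To confirm that a workstation is affected before purging, the cached ticket's start time can be compared with the time of the password reset. The PowerShell below is an added example, not Okta's own tooling: the function name Get-StaleServiceTicket, the SPN, the reset time and the sample klist output are all constructed placeholders, and it assumes English klist field labels.

```powershell
# Added example. Assumes English klist field labels ("Server:", "Start Time:").
function Get-StaleServiceTicket {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $KlistOutput, # lines printed by klist
        [Parameter(Mandatory)] [string]   $Spn,                # SPN of the ADSSO service account
        [Parameter(Mandatory)] [datetime] $PasswordChangedAt,  # local time of the reset
        [cultureinfo] $Culture = [cultureinfo]::CurrentCulture # date format klist printed in
    )
    $server = $null
    foreach ($line in $KlistOutput) {
        if ($line -match 'Server:\s*(\S+)\s*@') {
            $server = $Matches[1]   # remember which ticket the next date belongs to
        }
        elseif ($server -and $line -match 'Start Time:\s*(.+?)\s*\(local\)') {
            $start = [datetime]::Parse($Matches[1], $Culture)
            # Only a ticket for the service account's SPN issued before the reset is stale.
            if ($server -eq $Spn -and $start -lt $PasswordChangedAt) {
                [pscustomobject]@{ Server = $server; StartTime = $start }
            }
            $server = $null
        }
    }
}

# Constructed sample of klist output (not captured from a real host).
$sample = @'
#0>     Client: jdoe @ CORP.EXAMPLE.COM
        Server: krbtgt/CORP.EXAMPLE.COM @ CORP.EXAMPLE.COM
        Start Time: 3/15/2024 8:01:12 (local)

#1>     Client: jdoe @ CORP.EXAMPLE.COM
        Server: HTTP/adsso.placeholder.example @ CORP.EXAMPLE.COM
        Start Time: 3/15/2024 8:02:40 (local)
'@ -split "`r?`n"

$spn  = 'HTTP/adsso.placeholder.example'   # placeholder SPN
$when = [datetime]'2024-03-15T09:30:00'    # placeholder reset time
Get-StaleServiceTicket -KlistOutput $sample -Spn $spn -PasswordChangedAt $when -Culture 'en-US'

# On a workstation: purge only if a pre-reset service ticket is still cached.
# if (Get-StaleServiceTicket -KlistOutput (klist) -Spn $spn -PasswordChangedAt $when) { klist purge }
```

Replace the placeholder SPN and reset time with the values for the actual service account before running the commented line on a workstation.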
