Unable to Authenticate to Okta Due to Expired Active Directory Account
Overview

Users are unable to log in to Okta using Delegated Authentication with Active Directory (AD) because their AD account expiration date has passed. To resolve this issue, update the account expiration date in AD to a future date or set it to never expire. When this issue occurs, the following error appears in the System Log:

    Authenticate user with AD agent
    FAILURE: Authentication failed: account is expired

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Delegated Authentication
  • Active Directory (AD)
Cause

This error is a direct response from the Domain Controller and occurs when a user's Active Directory (AD) account expiration date has passed.

Solution

How is the expired account error resolved?

To resolve the authentication issue, navigate to the user account properties in Active Directory and update the account expiration date.

  1. Navigate to the user account in Active Directory.
  2. Select Properties for the account and click the Account tab.
  3. Update the Account expires date to a future date or change it to Never.
  4. Click OK to save the changes to allow the user to authenticate to Okta.


[Image: Active Directory User Properties - Account expires]
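The same check and fix scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the Okta article. It assumes the RSAT ActiveDirectory module is installed, the session has rights to modify the user, and that `jdoe` is a placeholder sAMAccountName; it also lists every already-expired user so the fix can be applied before more logins fail.

```powershell
# Added example (not from the Okta article). Assumes the RSAT
# ActiveDirectory module and rights to modify the target user.
Import-Module ActiveDirectory

function Get-AdExpirationStatus {
    param([Parameter(Mandatory)][string]$Identity)
    # AccountExpirationDate is $null when accountExpires is 0 or
    # 0x7FFFFFFFFFFFFFFF, both of which AD treats as "Never".
    $u = Get-ADUser -Identity $Identity -Properties AccountExpirationDate, LockedOut
    $expired = ($null -ne $u.AccountExpirationDate) -and ($u.AccountExpirationDate -le (Get-Date))
    [pscustomobject]@{
        SamAccountName        = $u.SamAccountName
        Enabled               = $u.Enabled
        LockedOut             = $u.LockedOut
        AccountExpirationDate = $u.AccountExpirationDate
        Expired               = $expired
    }
}

function Repair-AdExpiredAccount {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [datetime]$NewExpiration   # omit to set "Never"
    )
    $status = Get-AdExpirationStatus -Identity $Identity
    if (-not $status.Expired) {
        # Not expired: the login failure has another cause; leave the account alone
        Write-Warning "$Identity is not expired; check Enabled/LockedOut instead."
        return $status
    }
    if ($PSBoundParameters.ContainsKey('NewExpiration')) {
        Set-ADAccountExpiration -Identity $Identity -DateTime $NewExpiration
    } else {
        Clear-ADAccountExpiration -Identity $Identity
    }
    Get-AdExpirationStatus -Identity $Identity   # re-read to confirm the change
}

# Find every already-expired user before more Okta logins fail
Search-ADAccount -AccountExpired -UsersOnly |
    Select-Object SamAccountName, AccountExpirationDate

# 'jdoe' is a placeholder; extend by 90 days, or omit -NewExpiration for "Never"
Repair-AdExpiredAccount -Identity 'jdoe' -NewExpiration (Get-Date).AddDays(90)
```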
