Unable to Log Into Okta Using Temporary Active Directory Password
Overview

A user cannot log in to Okta using a temporary AD password when Delegated Authentication is enabled.

The following error appears on the login screen:

Unable to sign in

(Screenshot: Login - Unable to sign in)

Applies To
  • Directories
  • Active Directory (AD)
  • Delegated Authentication
  • Password Policy
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
Cause
  • The user's password is set to expire on the next login within Active Directory, and the Active Directory password policy rule in Okta does not allow users to change passwords.
  • The "User must change password at next logon" setting may also be set on the user's Active Directory account.
Solution

Please follow the video or the steps below:


The user needs the ability to change their password from the Okta Login page.

  1. Grant users the ability to change their AD password through Okta:
  • If using the Okta Classic Engine, in the Okta Admin Console, navigate to Security > Authentication.
  • If using OIE, select Security > Authenticators, then select Actions > Edit next to the Password authenticator.
  2. In the left panel, select Active Directory Policy.
  3. Scroll down to the Rules section and click the pencil icon next to the existing rule, or click Add Rule if only the default rule exists.
  • In Classic, under THEN User can, select change password, perform self-service password reset, and perform self-service account unlock.
  • In OIE, under THEN Users can perform self-service, select Password change (from account settings), Password reset, and Unlock account. Also ensure that a recovery method is selected.
  4. Ensure that the rule's status is Active.
  5. Verify that the Password Settings in the Active Directory Password Policy in Okta match the password policy in Active Directory.
  6. Ensure the Okta service account has permission to change passwords in Active Directory. If permission changes are made, restart the Okta AD Agent service afterward.
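To confirm that steps 1 through 4 took effect without clicking through the console, the rules of the AD password policy can be read back over the Okta Policy API and checked for any active rule that still denies password change, self-service reset or unlock. This is an added example, not Okta's own code or part of this article; the org URL, API token and the policy name "Active Directory Policy" (taken from step 2, but org-specific) are assumptions, and the sample rule data below is constructed.

```python
"""Audit the Okta AD password policy rules for the self-service settings
this article requires. Uses the public Okta Policy API endpoints
GET /api/v1/policies?type=PASSWORD and GET /api/v1/policies/{id}/rules."""
import json
import urllib.request

# Constructed sample of a rules response for an AD password policy whose
# only rule still denies everything (the state that produces the error).
SAMPLE_RULES = [
    {"id": "rule1", "name": "Default Rule", "status": "ACTIVE",
     "actions": {"passwordChange": {"access": "DENY"},
                 "selfServicePasswordReset": {"access": "DENY"},
                 "selfServiceUnlock": {"access": "DENY"}}},
]

# Rule actions that must be ALLOW for the temporary-password login to work.
REQUIRED = ("passwordChange", "selfServicePasswordReset", "selfServiceUnlock")


def audit_rules(rules):
    """Return a list of findings; an empty list means every ACTIVE rule
    allows password change, self-service reset and self-service unlock."""
    findings = []
    active = [r for r in rules if r.get("status") == "ACTIVE"]
    if not active:
        findings.append("no ACTIVE rule in the AD password policy")
    for rule in active:
        actions = rule.get("actions", {})
        for key in REQUIRED:
            if actions.get(key, {}).get("access") != "ALLOW":
                findings.append(f"rule {rule['name']!r}: {key} is not ALLOW")
    return findings


def fetch_ad_policy_rules(org_url, api_token, policy_name="Active Directory Policy"):
    """Fetch the rules of the password policy with the given name.
    org_url (e.g. https://example.okta.com) and api_token are placeholders
    supplied by the caller; policy_name is assumed to match the org's policy."""
    def get(path):
        req = urllib.request.Request(
            org_url + path,
            headers={"Authorization": f"SSWS {api_token}",
                     "Accept": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    for policy in get("/api/v1/policies?type=PASSWORD"):
        if policy.get("name") == policy_name:
            return get(f"/api/v1/policies/{policy['id']}/rules")
    raise LookupError(f"no password policy named {policy_name!r}")


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Run `audit_rules(fetch_ad_policy_rules(org_url, token))` against a live org; an empty result means the Okta side of the fix is in place, and step 5 and step 6 remain to be checked on the AD side.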