Unable to Log Into Okta Using Temporary Active Directory Password
Overview

Users fail to log in to Okta using a temporary Active Directory (AD) password when Delegated Authentication is enabled because the AD password policy rule in Okta restricts password changes. Grant users the ability to change the AD password through the Okta Admin Console to resolve this issue.

When attempting to log in, the following error appears on the login screen:

Unable to sign in

Screenshot: Login - Unable to sign in

Applies To
  • Directories
  • Active Directory (AD)
  • Delegated Authentication
  • Password Policy
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
Cause

The Active Directory password policy rule in Okta restricts users from changing passwords, and the user's password within Active Directory has expired or User must change password at next logon is set on the AD account.
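As an added example (not code from the Okta article), the following script classifies an AD account's password state from the raw LDAP attributes behind the two conditions named above, pwdLastSet and userAccountControl, together with the domain's maxPwdAge, so an administrator can list which users will hit the error before the Okta rule is corrected. All account values and the frozen clock are constructed sample data, and the function names are this example's own.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000                        # userAccountControl flag bit
NEVER_EXPIRES_MAX_PWD_AGE = (0, -0x8000000000000000)  # domain-level "no expiry"


def datetime_to_filetime(dt: datetime) -> int:
    """UTC datetime -> FILETIME (100 ns ticks since 1601-01-01), the pwdLastSet encoding."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME -> UTC datetime (sub-microsecond ticks are dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def password_state(pwd_last_set: int, user_account_control: int,
                   max_pwd_age: int, now: datetime) -> str:
    """Return 'must_change_at_next_logon', 'expired', 'never_expires' or 'valid'.

    maxPwdAge is the domain attribute: a NEGATIVE tick count (42 days is
    -36288000000000); 0 or INT64_MIN means passwords never expire.
    """
    if pwd_last_set == 0:
        # Ticking "User must change password at next logon" sets pwdLastSet to 0
        return "must_change_at_next_logon"
    if user_account_control & DONT_EXPIRE_PASSWORD or max_pwd_age in NEVER_EXPIRES_MAX_PWD_AGE:
        return "never_expires"
    expires_at = filetime_to_datetime(pwd_last_set) + timedelta(microseconds=(-max_pwd_age) // 10)
    return "expired" if now >= expires_at else "valid"


def users_blocked_at_okta_login(accounts: list, max_pwd_age: int, now: datetime) -> list:
    """sAMAccountNames whose AD state forces a password change; unless the Okta AD
    policy rule allows that change, Delegated Authentication ends in 'Unable to sign in'."""
    blocking = {"must_change_at_next_logon", "expired"}
    return [a["sAMAccountName"] for a in accounts
            if password_state(a["pwdLastSet"], a["userAccountControl"], max_pwd_age, now) in blocking]


# Constructed sample data: frozen clock, the default 42-day maxPwdAge, one account per state.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_PWD_AGE_42_DAYS = -(42 * 24 * 60 * 60 * 10_000_000)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10)), "userAccountControl": 0x200},
    {"sAMAccountName": "bob", "pwdLastSet": 0, "userAccountControl": 0x200},
    {"sAMAccountName": "carol", "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=60)), "userAccountControl": 0x200},
    {"sAMAccountName": "svc-okta", "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400)), "userAccountControl": 0x10200},
]

if __name__ == "__main__":
    print("blocked:", users_blocked_at_okta_login(SAMPLE_ACCOUNTS, MAX_PWD_AGE_42_DAYS, NOW))
```

Against a live domain the same attributes come from an LDAP query or Get-ADUser with -Properties pwdLastSet,userAccountControl; only the data source changes, not the classification.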

Solution

How is the login error resolved?

Grant users the ability to change the Active Directory password from the Okta login page by modifying the Active Directory Policy rules and verifying service account permissions.

  1. Grant users the ability to change the AD password through Okta:
    • If using the Okta Classic Engine, navigate to Security > Authentication in the Okta Admin Console.
      Screenshot: Okta Classic Authenticators Configuration
    • If using Okta Identity Engine (OIE), select Security > Authenticators, and then select Actions > Edit next to the Password authenticator.
      Screenshot: Okta Identity Engine (OIE) Authenticators Configuration
  2. Select Active Directory Policy in the left panel.
    Screenshot: Okta Active Directory password policy
  3. Scroll down to the Rules section, and click the pencil icon next to the existing rule, or click Add Rule if only the default rule exists.
    Screenshot: Add Okta password policy rule
    • In Okta Classic Engine, select change password, perform self-service password reset, and perform self-service account unlock for the THEN User can setting.
      Screenshot: Okta Classic password policy rule configuration
    • In OIE, select Password change (from account settings), Password reset, and Unlock account for the THEN Users can perform self-service setting. Ensure that the configuration includes a selected recovery method.
      Screenshot: Okta Identity Engine (OIE) password policy rule configuration
  4. Ensure that the rule's status is Active.
    Screenshot: Okta password policy rule status
  5. Verify that the Password Settings in the Active Directory Password Policy in Okta match the password policy in Active Directory.
    Screenshot: Okta Active Directory password policy settings
  6. Ensure the Okta service account has permission to change passwords in Active Directory. If permission changes are made, restart the Okta AD Agent service afterward.
