User Sync Jobs Do Not Create Users in Okta ASA Admin Console
Overview
Users synced by a user sync job do not appear in the Users Directory within the Okta Advanced Server Access (ASA) Admin Console. This is expected behavior: the user sync job in the Active Directory (AD) connection only pulls the users' Security Identifiers (SIDs) from AD so that they can be included in the virtual smart cards ASA mints; it does not create ASA user accounts. Users are provisioned in ASA from Okta via System for Cross-domain Identity Management (SCIM).
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Okta Advanced Server Access (ASA)
- Active Directory (AD) Joined
Cause
This is expected behavior. The user sync job within the AD connection only pulls user SIDs from AD so that they can be included in the virtual smart cards that are minted; it is not a provisioning mechanism.
Solution
Why do synced users fail to appear in the Okta Advanced Server Access directory?
Beginning in November 2023, all certificate-based authentication to domain-joined servers requires the user's SID to be mapped in the certificate; otherwise authentication is blocked. The user sync job exists to comply with this Microsoft requirement by including the user's SID (unique Security Identifier) in the virtual smart card certificate that ASA uses to authenticate to a Windows Server.
Users are provisioned in ASA from Okta via SCIM.
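As an added illustration (not Okta's or ASA's code), the following stdlib-only Python shows what "the SID is mapped in the certificate" means at the byte level, and how an administrator could verify that a minted certificate carries the expected SID. It assumes the DER layout Microsoft documents for the SID extension (OID 1.3.6.1.4.1.311.25.2): a SEQUENCE wrapping an OtherName whose type-id is 1.3.6.1.4.1.311.25.2.1 and whose value is an OCTET STRING holding the SID text. The SID values used are constructed sample data; the function names are this example's own.

```python
"""Build and parse the Microsoft SID certificate extension (OID 1.3.6.1.4.1.311.25.2).

Added example, not Okta/ASA code. Assumes Microsoft's documented layout:
  SEQUENCE { [0] { OID 1.3.6.1.4.1.311.25.2.1, [0] { OCTET STRING sid } } }
"""
import re
from typing import Optional

# DER content bytes of OID 1.3.6.1.4.1.311.25.2.1 (the OtherName type-id)
SID_OTHERNAME_OID = bytes.fromhex("2b06010401823719020101")
# Shape of a domain user/group SID; well-known SIDs such as S-1-5-18 are rejected on purpose
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def _der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """Wrap `value` in a DER tag/length/value triple."""
    return bytes([tag]) + _der_len(len(value)) + value


def build_sid_extension(sid: str) -> bytes:
    """Return the DER extension value carrying `sid` (used here to construct test data)."""
    inner = _tlv(0xA0, _tlv(0x04, sid.encode("ascii")))              # [0] { OCTET STRING }
    other_name = _tlv(0xA0, _tlv(0x06, SID_OTHERNAME_OID) + inner)   # [0] { OID, [0] {...} }
    return _tlv(0x30, other_name)                                     # SEQUENCE


def _read_tlv(data: bytes, pos: int):
    """Decode one DER TLV starting at `pos`; return (tag, value, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def extract_sid(ext_value: bytes) -> Optional[str]:
    """Return the SID string in the extension, or None if the layout or SID shape is wrong."""
    try:
        tag, seq, _ = _read_tlv(ext_value, 0)
        if tag != 0x30:
            return None
        tag, other_name, _ = _read_tlv(seq, 0)
        if tag != 0xA0:
            return None
        tag, oid, pos = _read_tlv(other_name, 0)
        if tag != 0x06 or oid != SID_OTHERNAME_OID:
            return None
        tag, ctx, _ = _read_tlv(other_name, pos)
        if tag != 0xA0:
            return None
        tag, sid_bytes, _ = _read_tlv(ctx, 0)
        if tag != 0x04:
            return None
        sid = sid_bytes.decode("ascii")
    except (IndexError, UnicodeDecodeError):
        return None
    return sid if DOMAIN_SID_RE.match(sid) else None


def sid_matches(ext_value: bytes, expected_sid: str) -> bool:
    """True only when the certificate extension carries exactly the SID synced from AD."""
    return extract_sid(ext_value) == expected_sid


if __name__ == "__main__":
    # Constructed sample SID, not a real account
    sample_sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"
    ext = build_sid_extension(sample_sid)
    print("extension DER:", ext.hex())
    print("parsed SID:   ", extract_sid(ext))
    print("matches AD:   ", sid_matches(ext, sample_sid))
```

In practice the extension bytes come from the minted virtual smart card certificate (the value of extension 1.3.6.1.4.1.311.25.2), and the expected SID is the one the sync job pulled from AD; a mismatch or a missing extension is exactly the condition under which the domain controller refuses the authentication.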
