Users are Unable to Authenticate to Okta via Agentless DSSO after Updating SPN Account
Okta Classic Engine
Directories
Okta Identity Engine
Overview

When a user on a domain-joined workstation browses to Okta, they are sent to the Okta login screen instead of being signed in silently. In the System Log, the following entry is observed:

  • Log Entry: Agentless DSSO redirection to the default login page.
  • Outcome: SUCCESS
  • Outcome > Reason: ADSSO on IDX: Authentication failed. Redirecting due to reason=AUTHENTICATION_FAILURE.

Note that the event's Outcome is SUCCESS: it records that the redirect to the login page succeeded, not that the user authenticated. The Kerberos authentication behind it failed, as the Reason field states. This is a common issue: users who attempt to authenticate to Okta via Agentless Desktop Single Sign On (ADSSO) are not automatically logged in and are instead redirected to the Okta login screen. It typically starts immediately after the Active Directory service account that carries the ADSSO Service Principal Name (SPN) is updated, most commonly when its password is reset. The Okta System Log will display the entry above for each affected sign-in attempt.

Applies To
  • Active Directory
  • Agentless Desktop Single Sign On (ADSSO)
  • Updates to the SPN account
Cause

This issue is caused by changes to the SPN service account in Active Directory or Okta. The service ticket a workstation presents to Okta for the ADSSO SPN is encrypted with a key derived from that service account's password. When the account is modified (most commonly a password reset, or the account being recreated and the SPN re-registered) and Okta is updated with the new password, the tickets that users obtained before the change are still sitting in their workstations' Kerberos caches, are encrypted with the old key, and can no longer be decrypted by Okta. Those users are rejected with AUTHENTICATION_FAILURE until they obtain a fresh ticket. Because Active Directory service tickets are valid for up to 10 hours by default, the failures can persist for the rest of the working day if nothing is done. Before refreshing tickets, confirm that the password stored for the ADSSO service account in Okta matches the one in Active Directory: if the two do not match, freshly issued tickets fail as well, and purging caches will not help.

The following query can be run in the System Log to determine whether this issue is present:

eventType eq "system.iwa_agentless.redirect" and outcome.reason eq "ADSSO on IDX: Authentication failed. Redirecting due to reason=AUTHENTICATION_FAILURE."

(Screenshot in the original article: the expanded event in the System Log.)

A sudden spike in results that begins at the time the SPN account was adjusted is a strong indicator of this issue. A low, steady background rate of these events is normal (for example, users on non-domain-joined machines or off the corporate network), so compare the count per hour before and after the change rather than looking at the total.
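The same query, run against the System Log API and bucketed per hour so a jump right after the SPN account change stands out. This is an added example, not part of the Okta article. It assumes $OrgUrl is your org's base URL and that the environment variable OKTA_API_TOKEN holds an SSWS API token with read access to the System Log; the filter string is the one shown above.

```powershell
# Added example (not from the Okta article): pull the ADSSO redirect events
# for the last N hours from the Okta System Log API and count them per hour,
# with the number of distinct users in each bucket for triage.
#
# Assumptions: $OrgUrl is your org's base URL and OKTA_API_TOKEN holds an
# SSWS API token with read access to the System Log.
param(
    [string]$OrgUrl = 'https://example.okta.com',
    [int]$HoursBack = 24
)

$token = $env:OKTA_API_TOKEN
if (-not $token) { throw 'Set OKTA_API_TOKEN before running.' }

# Exactly the filter from the article; outcome.reason must match verbatim.
$filter = 'eventType eq "system.iwa_agentless.redirect" and outcome.reason eq ' +
          '"ADSSO on IDX: Authentication failed. Redirecting due to reason=AUTHENTICATION_FAILURE."'

# Use both since and until so the query is bounded; an unbounded (polling)
# query always returns a next link and the loop below would never finish.
$now   = (Get-Date).ToUniversalTime()
$since = $now.AddHours(-$HoursBack).ToString('yyyy-MM-ddTHH:mm:ssZ')
$until = $now.ToString('yyyy-MM-ddTHH:mm:ssZ')

$uri = "$OrgUrl/api/v1/logs?limit=1000&since=$since&until=$until" +
       "&filter=$([uri]::EscapeDataString($filter))"
$headers = @{ Authorization = "SSWS $token"; Accept = 'application/json' }

$events = @()
while ($uri) {
    $resp = Invoke-WebRequest -Uri $uri -Headers $headers -UseBasicParsing
    $page = @($resp.Content | ConvertFrom-Json)
    if ($page.Count -eq 0) { break }
    $events += $page

    # Follow the Link header (rel="next") Okta uses for pagination.
    $next = @($resp.Headers['Link'] -split ',' | Where-Object { $_ -match 'rel="next"' })[0]
    $uri  = if ($next -and ($next -match '<([^>]+)>')) { $matches[1] } else { $null }
}

# Bucket per hour (UTC); the hour in which the count jumps should line up
# with the time the SPN service account was changed.
$events |
    Group-Object { ([datetime]$_.published).ToUniversalTime().ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name |
    ForEach-Object {
        [pscustomobject]@{
            HourUtc = $_.Name
            Events  = $_.Count
            Users   = @($_.Group | ForEach-Object { $_.actor.alternateId } | Sort-Object -Unique).Count
        }
    } | Format-Table -AutoSize
```

The per-hour user count is the useful column: a handful of events spread across many hours is background noise, while dozens of distinct users in the hour after the change is this issue.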

Solution

To resolve this issue, affected users need to obtain a new Kerberos ticket for the ADSSO SPN. This can be accomplished in several ways:

  • Log out and log back in to the workstation (this discards the logon session's ticket cache).
  • Restart the workstation.
  • Purge existing tickets and request a new one from the Domain Controller using the Command Prompt.

To purge the existing tickets and request a new one via the Command Prompt, follow these steps:

  1. Open a Command Prompt as the affected user. Do not run it as an administrator: with User Account Control, an elevated prompt runs in a separate logon session with its own Kerberos ticket cache, so klist purge there leaves the tickets the browser uses untouched. The first line of klist output (Current LogonId) shows which session you are in.
  2. Type klist purge and press Enter. A message will confirm the credentials cache has been successfully purged. This removes every cached ticket in the session, including the ticket-granting ticket; Windows obtains a new one automatically from the user's logon credentials the next time a ticket is needed.
  3. Request a new service ticket for the ADSSO SPN by typing klist get HTTP/<ADSSO hostname> and pressing Enter, or simply open the Okta sign-in page again, which makes the browser request the ticket on demand.
  4. Type klist and press Enter to confirm a ticket for the ADSSO SPN is now listed, with a Start Time after the SPN account change.

If MIT Kerberos for Windows (or a JDK) is installed, kinit can be used instead of step 3: type kinit username@REALM, press Enter, and enter the password when prompted.
    • Replace username with the user's actual username and REALM with the Kerberos realm (typically the domain name in all caps, for example, EXAMPLE.COM).
    • kinit is not a built-in Windows command; on a plain domain-joined workstation it is not available and not needed, because Windows renews the ticket-granting ticket on its own after the purge.
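The purge-and-refresh procedure above as a single PowerShell script, with the checks a help-desk engineer would want: it warns when run elevated (a different logon session, so the wrong cache), purges, requests a ticket for the ADSSO SPN, and then proves the new ticket is in the cache. This is an added example, not part of the Okta article. The SPN in $AdssoSpn is an assumption and must be replaced with the SPN registered for your Okta ADSSO service account.

```powershell
# Added example (not from the Okta article): refresh the Kerberos ticket an
# Okta Agentless DSSO browser session presents, then verify it.
# Run this in the affected user's own, non-elevated session.
#
# $AdssoSpn is an assumption: replace it with the SPN registered for your
# ADSSO service account (Okta documents the HTTP/<org>.kerberos.okta.com form).
param(
    [string]$AdssoSpn = 'HTTP/example.kerberos.okta.com'
)

$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($id)
if ($principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
    # With UAC the elevated token lives in its own logon session, which has
    # its own ticket cache; purging here does not touch the browser's tickets.
    Write-Warning 'Running elevated: this is a separate logon session. Re-run as the normal user.'
}

# Show which logon session (and therefore which cache) we are operating on.
klist 2>&1 | Select-String -Pattern '^Current LogonId' | ForEach-Object { $_.Line }

# 1. Drop every cached ticket in this session, including the TGT. Windows
#    re-acquires the TGT transparently from the user's logon credentials.
klist purge | Out-Null

# 2. Ask the KDC for a fresh service ticket for the ADSSO SPN.
#    'get' is a built-in verb of the Windows klist utility.
$get = klist get $AdssoSpn 2>&1
if ($LASTEXITCODE -ne 0 -or ($get -match 'failed')) {
    Write-Error "Could not obtain a ticket for ${AdssoSpn}:`n$($get -join "`n")"
    return
}

# 3. Confirm the cache holds a ticket for the SPN and show its key details.
#    klist prints one block per ticket, each starting with "#<n>>".
$cache  = (klist 2>&1 | Out-String)
$blocks = $cache -split '#\d+>'
$ticket = $blocks | Where-Object { $_ -match [regex]::Escape($AdssoSpn) } | Select-Object -First 1
if (-not $ticket) {
    Write-Error "No ticket for $AdssoSpn in the cache after klist get."
    return
}
($ticket -split "`r?`n") |
    Where-Object { $_ -match 'Server:|KerbTicket Encryption Type:|Start Time:|End Time:' } |
    ForEach-Object { $_.Trim() }

# 4. Optional check for the AD administrator (needs RSAT / setspn on the host):
#    the SPN must resolve to exactly one account. A duplicate registration
#    makes the KDC issue tickets encrypted with the wrong account's key.
# setspn -Q $AdssoSpn
```

A Start Time later than the moment the service account was changed, together with an encryption type the service account supports, is the evidence that the user now holds a ticket Okta can decrypt; if klist get succeeds but Okta still redirects to the login page, the password stored in Okta for the ADSSO account is the next thing to check.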