Users attempting to authenticate via Agentless Desktop Single Sign On (ADSSO) are redirected to the Okta login screen instead of automatically signing in. This occurs when changes to the Service Principal Name (SPN) service account invalidate existing Kerberos tickets. Resolve this issue by obtaining a new Kerberos ticket through a workstation restart, a sign-out and sign-in cycle, or a command prompt purge.
The System Log displays the following entry:
Log Entry: Agentless DSSO redirection to the default login page.
Outcome: SUCCESS
Outcome > Reason: ADSSO on IDX: Authentication failed. Redirecting due to reason=AUTHENTICATION_FAILURE.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Active Directory (AD)
- Agentless Desktop Single Sign On (ADSSO)
- Service Principal Name (SPN)
Changes to the SPN service account in Active Directory or Okta invalidate existing Kerberos tickets, causing authentication to fail. A sudden spike in redirection events in the System Log after an SPN account adjustment indicates this issue.
Run the following query in the System Log to confirm the presence of this issue:
eventType eq "system.iwa_agentless.redirect" and outcome.reason eq "ADSSO on IDX: Authentication failed. Redirecting due to reason=AUTHENTICATION_FAILURE."
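The spike check described above can be run over exported System Log events. This is an added example, not Okta's code: it counts matching redirect events in equal windows before and after a known SPN change time. The window, the threshold factor, the sample events and the use of client.ipAddress to list affected sources are assumptions.

```python
from datetime import datetime, timedelta, timezone

EVENT_TYPE = "system.iwa_agentless.redirect"
REASON = ("ADSSO on IDX: Authentication failed. "
          "Redirecting due to reason=AUTHENTICATION_FAILURE.")

def parse_ts(value):
    # System Log "published" values are ISO 8601 UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def redirect_spike(events, spn_change, window=timedelta(hours=4), factor=3.0):
    """Count matching redirects in equal windows before/after the SPN change.

    window and factor are illustrative thresholds, not Okta guidance.
    """
    before = after = 0
    sources = set()
    for ev in events:
        outcome = ev.get("outcome") or {}
        if ev.get("eventType") != EVENT_TYPE or outcome.get("reason") != REASON:
            continue
        ts = parse_ts(ev["published"])
        if spn_change - window <= ts < spn_change:
            before += 1
        elif spn_change <= ts < spn_change + window:
            after += 1
            # client.ipAddress is assumed to be populated on these events.
            ip = (ev.get("client") or {}).get("ipAddress")
            if ip:
                sources.add(ip)
    return {"before": before, "after": after,
            "spike": after >= factor * max(before, 1),
            "sources": sorted(sources)}

def _ev(ts, ip, event_type=EVENT_TYPE, reason=REASON):
    # Builds a constructed sample event with only the fields used above.
    return {"eventType": event_type, "published": ts,
            "outcome": {"result": "SUCCESS", "reason": reason},
            "client": {"ipAddress": ip}}

# Constructed sample data: SPN account changed at 12:00 UTC.
SPN_CHANGE = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    _ev("2024-05-01T10:30:00.000Z", "192.0.2.10"),
    _ev("2024-05-01T12:05:00.000Z", "192.0.2.10"),
    _ev("2024-05-01T12:10:00.000Z", "192.0.2.11"),
    _ev("2024-05-01T12:40:00.000Z", "192.0.2.12"),
    _ev("2024-05-01T13:15:00.000Z", "192.0.2.11"),
    _ev("2024-05-01T12:20:00.000Z", "192.0.2.13", event_type="user.session.start"),
    _ev("2024-05-01T12:25:00.000Z", "192.0.2.14", reason="other"),
]
```
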
How is the Agentless DSSO authentication failure resolved after the SPN account was updated?
To restore Agentless DSSO authentication, the user must obtain a new Kerberos ticket by refreshing the workstation session or by purging existing tickets via the Command Prompt.
- Sign out of and sign back in to the workstation.
- Restart the workstation.
- Purge existing tickets using the Command Prompt and reattempt Okta authentication.
How are Kerberos tickets purged using the Command Prompt?
Open the Command Prompt, execute the purge command, and reattempt Okta authentication to generate a new Kerberos token.
- Open Command Prompt.
- Enter klist purge, and then press Enter. A message confirms the successful purge of the credentials cache.
- Reattempt Okta authentication to generate a new Kerberos token for ADSSO using the updated SPN.
