Okta Delegated Authentication Fails with Error Code 1789
Overview
Okta Delegated Authentication fails with error code 1789 when the server hosting the Active Directory (AD) Agent loses the trust relationship with the primary domain. Rejoining the server hosting the AD Agent to the domain resolves the issue. Users experience authentication failures when attempting to sign in to Okta using Delegated Authentication. Okta generates the following error in the System Log:
Authenticate user with AD agent FAILURE: Login Failed
The System Log entry displays error code 1789, which indicates the following Microsoft error:
The trust relationship between this workstation and the primary domain failed.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Delegated Authentication
- Active Directory (AD)
- AD Agent
Cause
Error code 1789 originates directly from the Domain Controller and indicates that the trust relationship between the workstation (here, the AD Agent server) and the primary domain has failed. The AD Agent only relays this result: the Domain Controller rejects the agent server's computer account, so every delegated sign-in the agent forwards fails. This error most commonly occurs when the server hosting the Okta AD Agent has been removed from the domain. Review the Microsoft documentation on System Error Codes for more information.
Solution
How is the trust relationship error resolved?
Join the server hosting the AD Agent to the domain to restore the trust relationship and resolve the authentication failure.
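The following PowerShell script is an added example for the Cause and Solution sections above; it is not part of the Okta article or of the AD Agent itself. Run it in an elevated session on the server hosting the AD Agent. It decodes error 1789 with .NET, tests the server's secure channel to the domain, attempts an in-place repair of the computer account, and only falls back to the leave-and-rejoin procedure the article prescribes if the repair fails. The domain name `corp.example.com`, the service display-name pattern `Okta*`, and the joining credentials are assumptions you must replace.

```powershell
# Added example, not part of the Okta knowledge base article.
# Assumptions: $DomainName is your AD domain, $AgentServicePattern matches the
# Okta AD Agent service display name, and the supplied credential may reset or
# rejoin computer accounts in the domain.
$DomainName          = 'corp.example.com'   # assumption: replace with your domain
$AgentServicePattern = 'Okta*'              # assumption: agent service display name

function Get-AdAgentTrustStatus {
    # Decode the Win32 code the Okta System Log reports. .NET resolves 1789 to
    # the same Microsoft message quoted in the article, confirming the cause
    # is a broken trust relationship rather than a bad password or a locked account.
    $win32 = [System.ComponentModel.Win32Exception]::new(1789)

    # Test-ComputerSecureChannel returns $false when the computer account
    # password held by this server no longer matches the one on the DC.
    $channelOk = Test-ComputerSecureChannel -Verbose

    [PSCustomObject]@{
        ErrorCode       = 1789
        ErrorMessage    = $win32.Message
        SecureChannelOk = $channelOk
    }
}

function Restore-AdAgentTrust {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string]       $Domain
    )

    # Prefer an in-place repair: it resets the computer account password on the
    # DC and keeps the server's identity, group memberships and agent registration.
    if (Test-ComputerSecureChannel -Repair -Credential $Credential) {
        Write-Host 'Secure channel repaired in place.'
        return $true
    }

    # Fall back to the article's procedure: leave the domain, reboot, and rejoin.
    # Remove-Computer only takes effect after a restart, so the rejoin is a
    # second step to run after the reboot:
    #   Add-Computer -DomainName $Domain -Credential $Credential -Restart
    Write-Warning "Repair failed; unjoining $Domain and restarting. Rejoin with Add-Computer after reboot."
    Remove-Computer -UnjoinDomainCredential $Credential -WorkgroupName 'WORKGROUP' -Force -Restart
    return $false
}

# --- main ---
$status = Get-AdAgentTrustStatus
Write-Host "Error $($status.ErrorCode): $($status.ErrorMessage)"

if ($status.SecureChannelOk) {
    Write-Host "Secure channel to $DomainName is healthy; error 1789 is not the current cause."
    return
}

$cred = Get-Credential -Message 'Account allowed to reset or rejoin this computer account'
if (Restore-AdAgentTrust -Credential $cred -Domain $DomainName) {
    # Restart the AD Agent so it re-establishes its session over the repaired channel,
    # then verify the trust once more before re-testing a delegated sign-in in Okta.
    Get-Service -DisplayName $AgentServicePattern | Restart-Service -Verbose
    if (Test-ComputerSecureChannel) { Write-Host 'Trust restored; retry Delegated Authentication.' }
}
```

After either path completes, confirm that new Okta System Log entries for the AD Agent no longer report error 1789 before closing the incident; a healthy secure channel with a still-failing sign-in points to a different cause.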
