0D50Z00008C3jdKSAR | Okta Classic Engine | Administration | Answered | 2025-03-23T09:01:15.000Z | 2016-07-21T14:12:05.000Z | 2019-12-06T15:11:19.000Z
  • dalen.56802 (Customer)

    Thanks Jim. Does that include multiple forests? Is there a domain trust requirement? I.e., if the server running the agent is a domain member of domain A in forest A, can the agent support adding an untrusted domain or forest? Will the AD Agent Management Utility prompt for credentials for the untrusted domain/forest?
  • If your second domain is in an untrusted forest (essentially has no logical tie to your domain), you could put an AD agent on that domain and it would show as a second AD integration in your Okta tenant. Users of that domain would del auth to that domain.
  • GregH.00578 (Customer)

    Question further to James' response: We are doing exactly what you describe, a separate agent in an untrusted AD Forest, reporting back to our Okta tenant. During the installation, I need a couple of accounts: an account with Local Admin on the server the agent is being installed on (no problem, assume it is a Windows admin at our business partner) and an Okta Admin account. I ran through the installation scenario using a test domain and was required to use my own admin account when the agent made the initial connection out. Since I don't have any access to the partner domain, and the partner users don't exist in Okta yet, how do I meet the second requirement?

  • GregH.00578 (Customer)

    Also, how do I keep IWA running for my current users? I was testing this and the new agent caused IWA to go offline, so users weren't getting a true SSO experience.

  • 4qmvo (4qmvo)

    Hello, were you ever able to find a solution to this issue? Currently trying to do something similar and I believe the only options are DSSO by eliminating the IWA agent?

    Thanks

  • GregH.00578 (Customer)

    Brandon,

    Yeah, we didn't deploy the IWA agent in the second domain.

This question is closed.
AD Agent and multiple AD forests