Okta Classic Engine | Administration | Answered | 2024-04-30T09:18:25.000Z, 2015-11-04T20:08:33.000Z, 2016-08-23T18:49:09.000Z
Question with AD Agent and SPN for Kerberos

Hello,


I noticed in my event logs that the OktaService account is generating tons of failed logs in my DC/PDC. Looking through the AD Agent install documentation, I noticed there is no mention of setting an SPN for the OktaService account. All users are still able to log in and reset passwords, and I can import users, so the agent is functioning fine. However, I just have a myriad of failed 4769 event logs in my DC.


I confirmed that the AD Agent service is running in the services console as a domain account entered during the installation, which is a member of domain admin as instructed in the documentation. When a service is running that is not run by a local service or network service account, the account (domain account) must have a valid SPN to perform Kerberos tasks aka obtaining service tickets on behalf of users.


The implicit SPN HOST/AGENTSERVERNAME is taken by the computer object of the server already as default setup when adding a computer to the domain. I'm trying to find out if there is a separate explicit SPN that needs to be registered with the OktaService account, as I am seeing tons of failures for obtaining service tickets on behalf of the users. 


This would mean the authentication and all other actions performed by the OktaService account are always falling back to NTLM and not using Kerberos. If anyone has an answer to this question, please let me know!

Thank you,

Ricky
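Added example, not part of the original post or of Okta's AD Agent documentation: a defender-side check for the two things the question raises, whether any SPN is registered on the service account and which Kerberos failure codes the 4769 events actually carry. It assumes the RSAT ActiveDirectory module, read access to the DC's Security log, and placeholder names for the account and the domain controller.

```powershell
# Added example (not from the thread). Placeholders: replace with your own values.
$ServiceAccount   = 'OktaService'   # placeholder: the AD Agent service account
$DomainController = 'DC01'          # placeholder: DC whose Security log to query

# 1. Which SPNs, if any, are registered on the service account itself?
#    (HOST/<server> belongs to the computer object, not to this account.)
Import-Module ActiveDirectory
$acct = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName
if (-not $acct.servicePrincipalName) {
    Write-Host "No SPN registered on $ServiceAccount"
} else {
    $acct.servicePrincipalName | ForEach-Object { Write-Host "SPN: $_" }
}

# 2. Summarise failed 4769 (Kerberos service ticket request) events that name this
#    account, grouped by failure code and requested service name.
$failureCodes = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found)'
    '0x7'  = 'KDC_ERR_S_PRINCIPAL_UNKNOWN (requested SPN not found)'
    '0xe'  = 'KDC_ERR_ETYPE_NOTSUPP (encryption type not supported)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (account disabled, locked or expired)'
    '0x1f' = 'KRB_AP_ERR_BAD_INTEGRITY (decrypt/integrity check failed)'
    '0x20' = 'KRB_AP_ERR_TKT_EXPIRED'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew too great)'
}
$filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-1) }
$rows = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $d.TargetUserName      # requester, e.g. OktaService@DOMAIN
            Service = $d.ServiceName         # SPN that was asked for
            Status  = "$($d.Status)".ToLower()
            Client  = $d.IpAddress
        }
    } | Where-Object { $_.Status -ne '0x0' -and $_.User -like "$ServiceAccount*" }

# Count per (failure code, requested service) with a human-readable meaning.
$rows | Group-Object Status, Service | Sort-Object Count -Descending | ForEach-Object {
    $code    = ($_.Name -split ', ')[0]
    $meaning = if ($failureCodes[$code]) { $failureCodes[$code] } else { 'code not in table' }
    '{0,5} x {1} -> {2}' -f $_.Count, $_.Name, $meaning
}
```

A run dominated by 0x7 points at a missing SPN for the requested service name, while 0xe, 0x1f or 0x25 point at encryption-type, key or clock problems instead, so the code column tells you which fix to pursue.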


  • j5v7c (j5v7c)

    A support case has been filed with our technical support team.  We will share the solution here for the community when the solution is validated.


    Tom
  • ADA.43832 (Customer)

    Hi Tom,


    Thank you for the follow-up! I actually already had a case for this one and was working with Michael Rucker from level 3 who has been a great help. Case # is 117012.


    I actually had the chance to speak with Karl directly at Oktane15 regarding the issue. I created this community post for easier visibility and emailed him referencing this post. I'll wait for Karl to respond!


    Thank you!

    Ricky
  • th7vu (th7vu)

    Hello,


    What's the update on this? Is setting an explicit SPN on the OktaService account needed or not?


    Thanks,

    Jatin
This question is closed.