Okta Classic Engine · Administration · Answered · 2019-05-01 to 2019-05-03

ClayM.78722 (Customer) asked a question.

AD Agent - How do you change the authentication user?

I have AD Agent installed in a test environment on a Windows 2012 domain controller, with AD delegated authentication enabled. I noticed that none of my test users could authenticate after I removed super user rights for one of my users, and I see a 403 forbidden error in the AD agent Windows logs. When I granted the user super admin rights again, the agent reconnected and it was working again. So obviously the AD Agent is authenticating to the Okta cloud with this user. I remember that as a part of the AD agent installation, I had to log in with an Okta administrator. However, I cannot find where to change this in the AD Agent Mgmt utility on the Windows server or on the Directory Integrations Settings web page in the console.

 

Could someone point me to the documentation on how this works and how to change the user that authenticates the AD agent? I can't find this explained here https://help.okta.com/en/prod/Content/Topics/Directory/ad-agent-install.htm


  • VanH.30758 (Lytx, Inc.)

    Hi Clay,

     

    I believe you'll want to log into the server that you installed the AD Agent on, do a Windows Run command with WindowsKey+R. Type services.msc. When the window pops up, look for Okta AD Agent, right click Properties, go to the "Log On" tab.

     

    The interesting thing for us is the account we used for the AD Agent install (in the Logon tab) isn't a user inside Okta, or at least we don't import it in, so I'm not so sure there's a connection.

    Selected as Best
    • ClayM.78722 (Customer)

      Thanks for the reply Van, but the Windows service account entered into the AD Agent does not appear to be the same account for the server to cloud authentication. The username for the service account does not exist in Okta, and is different than the admin account on Okta that I demoted and subsequently broke the connector.
  • JatinB.72487 (Customer)

    I remember seeing a similar issue in the past, where we had to add "Authenticated Users" to the Users group on the machine where the AD agent was installed. And that did work. Not sure if you would like to try that.

     

    Regards,

    Jatin

  • t529b (t529b)

    The only time the actual credentials (username/password) were used was during the AD agent installation. When you entered those credentials, Okta used them to create an API token, and that's what the agent uses to make that persistent connection back to Okta. An API token inherits the role/rights of the account used to create it, so when you removed the super admin role from the Okta account, the API token also lost that role.

     

    If you wish to replace the account that the AD agent uses to connect to your Okta org, my recommendation would be to uninstall and reinstall the agent, specifying the new service account next time around. I did this a few years ago when I realized that, during our initial implementation, I had used my own super admin account during the agent install, and so the system logs show all this activity for my account for every import and authentication event, for all users. It's also important to use an account that is not tied to an actual user, because if that user leaves the organization and his/her account gets deleted, the associated API key will stop working, permanently.

    • ClayM.78722 (Customer)

      Thanks Mike, I think you hit the nail on the head and that was my original suspicion. I reviewed the installation documentation I cited and now I do see a section at the top “Accounts required for AD agent installation” that does recommend creating a separate cloud admin account, however I don’t remember seeing that a while back when I did the install. Hopefully others will find this thread now and it can help them out.
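The thread separates two different identities: the Windows account the service logs on as (Van's services.msc "Log On" tab) and the Okta API token minted from the admin who ran the installer (t529b's explanation, and the source of the 403). The following PowerShell is an added example for checking both on the agent host; it is not from the thread or from Okta, and it assumes the service name contains "Okta" and that the agent writes its log files to the default directory shown, so adjust both for your install.

```powershell
# Added example, not Okta's code: show the service logon account and recent 403 lines
# so that an operator can tell a Windows logon problem apart from a revoked Okta role.
function Get-OktaAdAgentStatus {
    param(
        # Assumed default log directory of the agent; verify on your own server
        [string]$LogDir = "${env:ProgramFiles(x86)}\Okta\Okta AD Agent\logs",
        [int]$Tail = 20
    )

    # Win32_Service.StartName is the account shown on the "Log On" tab in services.msc.
    # This is a Windows/AD identity and is unrelated to the Okta admin used at install time.
    $svc = Get-CimInstance -ClassName Win32_Service `
        -Filter "Name LIKE '%Okta%' OR DisplayName LIKE '%Okta%'" |
        Select-Object Name, DisplayName, State, StartMode, StartName

    # HTTP 403 in the agent logs points at the Okta side: the API token created during
    # installation inherits the role of the admin who created it, so demoting or deleting
    # that admin leaves the agent without rights, regardless of the Windows logon account.
    $forbidden = @()
    $logDirFound = Test-Path -LiteralPath $LogDir
    if ($logDirFound) {
        $forbidden = Get-ChildItem -LiteralPath $LogDir -Filter *.log -File |
            Select-String -Pattern '\b403\b' |
            Select-Object -Last $Tail |
            ForEach-Object { "$($_.Filename):$($_.LineNumber): $($_.Line.Trim())" }
    }

    [pscustomobject]@{
        Service           = $svc
        ServiceLogonUser  = (($svc | Select-Object -ExpandProperty StartName -Unique) -join ', ')
        LogDirectoryFound = $logDirFound
        Recent403Lines    = $forbidden
    }
}

Get-OktaAdAgentStatus | Format-List
```

If Recent403Lines is non-empty while the service is running under its normal account, the fix lies with the Okta admin account behind the install-time token (reinstall with a dedicated, non-personal admin account as t529b describes), not with the Windows service logon.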
This question is closed.