Okta Classic Engine · Administration · Answered · 2024-04-16 · 2020-01-08 · 2020-02-03

xaniq (xaniq) asked a question.

What happens if the Okta Agent server is down?

We recently began using Okta a couple of months ago. It is integrated with our AD. We're wondering what would happen if there was an outage and our on-premise Okta Agent server was down. Would all users who use applications that use Okta for authentication still be able to log into those applications? Would the Okta cloud still contain their AD passwords? I've tried looking for documentation about this but haven't found anything.


  • xaniq (xaniq)

    Here’s the full info:

    If you do not have a backup agent installed on your server and also have Delegated Authentication enabled, Okta will not store the password from Active Directory. This is intended to enhance security and accommodate customers who do not want the user's directory password to be stored outside of the firewall perimeter. However, if the administrator has elected to Sync Passwords to Applications, this is no longer relevant, as the Directory password will be stored as the Application password even if it's not being held as the 'Okta Password'.

    What Okta does, if you have Delegated Authentication on, is to store a SHA256 hash of the Username, Password, OktaGUID, which is used for the following 3 purposes:

    1. Confirming if the Password is the same at next login. This is how Okta knows whether we need to trigger a password sync, we hash the password and compare against the stored hash. If different, we sync.
    2. Mitigation of O365 Thick Client auth requests. Delegated Authentication of Office365 thick clients: Outlook, OneDrive, and other Office365 thick clients display a comparatively high number of reauthentication requests in a given time period. To enhance performance for Office365 customers, Okta will permit some of these authentication attempts to authenticate directly against the stored hash rather than delegating the request back to Active Directory.
    3. Backup authentication of all inbound requests if Active Directory becomes unavailable. This backup authentication will be valid for 5 days from the last successful delegated authentication performed by the user.
    The 3rd point is the one that applies to your question: from the description of the case, the user has 5 more days to authenticate, in order for you to get the AD agent working again.

    Keep in mind that the saved hash is NOT the AD password hash. It is a hash generated by Okta.

    What we would recommend is to have another AD agent installed on another server and configured as a backup because of this scenario that you presented. If you have a backup agent, once the primary goes down, the second one will take its place in order for everything to be functional for as long as you need to fix the first one.

    Ryan Flynn
    HIT Support Engineer
    Information Technology
    Brooks Rehabilitation
    P: (904) 345-7837
    F: (904) 345-7979
    helpdesk@brooksrehab.org


    CONFIDENTIALITY NOTICE: The information and all attachments contained in this electronic communication are privileged and confidential information and intended only for the use of the intended recipients. If the reader of this message is not an intended recipient you are hereby notified that any review, use, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately of the error by return email and please permanently remove any copies of this message from your system and do not retain any copies, whether in electronic or physical form or otherwise. Thank you.
    Selected as Best
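    The behaviour the answer describes (a SHA256 digest of username, password and OktaGUID stored after each successful delegated login, compared on the next login to decide whether a password sync is needed, and accepted as a fallback for 5 days when AD is unreachable) can be modelled in a few dozen lines. The following is an added example and is not Okta's code or anything from the original post: the field encoding fed into SHA-256, the FakeActiveDirectory stand-in for the agent, and every username, password and GUID are constructed assumptions.

```python
"""Constructed model of the delegated-authentication fallback described in the
answer above. Not Okta's code: it only reproduces the stated behaviour (store a
digest after a delegated login, sync on change, accept it for 5 days offline)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Tuple

FALLBACK_WINDOW = timedelta(days=5)  # "valid for 5 days from the last successful delegated authentication"


def credential_hash(username: str, password: str, okta_guid: str) -> str:
    """SHA-256 over the three fields named in the answer. The length-prefixed
    encoding is an assumption; the post does not say how the fields are joined."""
    h = hashlib.sha256()
    for part in (username, password, okta_guid):
        raw = part.encode("utf-8")
        h.update(len(raw).to_bytes(4, "big"))  # keeps "ab"+"c" distinct from "a"+"bc"
        h.update(raw)
    return h.hexdigest()


@dataclass
class CachedCredential:
    digest: str
    last_delegated_success: datetime


@dataclass
class DelegatedAuthenticator:
    # ad_authenticate(username, password) -> bool; raises ConnectionError when
    # no agent can reach Active Directory (the outage in the question).
    ad_authenticate: Callable[[str, str], bool]
    okta_guids: Dict[str, str]
    cache: Dict[str, CachedCredential] = field(default_factory=dict)
    sync_events: List[str] = field(default_factory=list)

    def authenticate(self, username: str, password: str, now: datetime) -> Tuple[bool, str]:
        guid = self.okta_guids.get(username)
        if guid is None:
            return False, "unknown_user"
        digest = credential_hash(username, password, guid)
        try:
            accepted = self.ad_authenticate(username, password)
        except ConnectionError:
            return self._fallback(username, digest, now)
        if not accepted:
            return False, "ad_rejected"
        cached = self.cache.get(username)
        # Purpose 1 in the answer: a different digest means the AD password changed
        # since the last login, so a sync to applications is triggered.
        if cached is None or not hmac.compare_digest(cached.digest, digest):
            self.sync_events.append(username)
        self.cache[username] = CachedCredential(digest, now)
        return True, "delegated"

    def _fallback(self, username: str, digest: str, now: datetime) -> Tuple[bool, str]:
        # Purpose 3 in the answer: AD unreachable, check the stored digest, but only
        # within 5 days of the last successful delegated login.
        cached = self.cache.get(username)
        if cached is None:
            return False, "ad_unavailable_no_cache"
        if now - cached.last_delegated_success > FALLBACK_WINDOW:
            return False, "ad_unavailable_cache_expired"
        if not hmac.compare_digest(cached.digest, digest):
            return False, "ad_unavailable_bad_password"
        return True, "fallback_hash"


class FakeActiveDirectory:
    """Constructed stand-in for the AD agent; online=False simulates the outage."""

    def __init__(self, users: Dict[str, str]) -> None:
        self.users = dict(users)
        self.online = True

    def authenticate(self, username: str, password: str) -> bool:
        if not self.online:
            raise ConnectionError("no Okta AD agent can reach the domain")
        return self.users.get(username) == password


def run_scenario() -> Dict[str, object]:
    """Walk through the outage from the question; all accounts and times are constructed."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    ad = FakeActiveDirectory({"alice": "Winter2024!", "bob": "Spring2024!"})
    okta = DelegatedAuthenticator(ad.authenticate, {"alice": "00uALICEguid", "bob": "00uBOBguid"})
    out: Dict[str, object] = {}
    out["first_login"] = okta.authenticate("alice", "Winter2024!", t0)
    ad.online = False                                   # the agent server goes down
    day4 = t0 + timedelta(days=4)
    out["day4_good"] = okta.authenticate("alice", "Winter2024!", day4)
    out["day4_bad_pw"] = okta.authenticate("alice", "wrong", day4)
    out["day4_never_seen"] = okta.authenticate("bob", "Spring2024!", day4)  # no digest yet
    out["day5_plus"] = okta.authenticate("alice", "Winter2024!", t0 + FALLBACK_WINDOW + timedelta(seconds=1))
    ad.online = True                                    # agent restored
    ad.users["alice"] = "Summer2024!"                   # password changed in AD meanwhile
    out["after_change"] = okta.authenticate("alice", "Summer2024!", t0 + timedelta(days=6))
    out["sync_events"] = list(okta.sync_events)
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:16} {result}")
```

    Running the module prints each step of the outage: the first login succeeds via AD and records a sync, logins on day 4 succeed from the stored digest while a wrong password and a never-seen user are refused, the attempt one second past the 5-day window is refused, and the login after the AD password change succeeds and records a second sync. The digest comparison uses `hmac.compare_digest` rather than `==` to avoid a timing side channel. One design note of my own, not from the post: an unsalted SHA-256 over username, password and GUID is cheap to brute-force if the stored digests ever leak, so a cache like this in a real product should use a salted, slow password hash; the example keeps plain SHA-256 only because that is what the answer describes.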
  • 40lpi (40lpi)

    Hi Ryan. When you say it's integrated with AD, is AD your source of truth, or are you using the Universal Directory with Okta?

    • xaniq (xaniq)

      AD is the source of truth, but I’ve read that Okta keeps a copy of application passwords for up to 5 days.

  • 40lpi (40lpi)

    That's good to know. I learned something today. Thanks for sharing.

  • 40lpi (40lpi)

    Very cool. Thanks for this. I'll have to log this one away. It's good information to know.

This question is closed.