Okta Classic Engine > Administration | Answered | 2022-09-20T21:41:22.000Z | 2020-07-02T15:11:08.000Z | 2020-07-07T01:37:10.000Z

NickT.68327 (Customer) asked a question.

Self Service Unlock - AD Side not unlocking

Do I need to delegate rights in AD for users to be able to unlock accounts in order for the Okta self service unlock to work? Currently, it goes through the motions: I enter username or email, select SMS, I get the message, enter the code, and it replies successful, but the AD account never actually unlocks.

Security > Authentication > Rules

We have a rule that allows all 3 forms of self service.

Security > Authentication > Unlock

We have unlock Okta and Active Directory.

  • User15851122134349081871 (North Central-Enterprise)

    The Okta service account in AD needs to have sufficient permissions (Domain Admin) for end users to be able to use self unlock.

  • NickT.68327 (Customer)

    This would be the service account the on-prem Okta client is running on, correct?

      • NickT.68327 (Customer)

        At first I just tried delegating unlock rights to the Okta svc account, which didn't work, and then I added the svc account to the Domain Admins group, and it's still not working. Everything else works: federation, password reset, all of that seems to work, but unlock just goes through the motions and never actually unlocks the account on the AD side.
      • User15851122134349081871 (North Central-Enterprise)

        And is the user's Okta account locked as well when they try to unlock, or just the AD account? Because I think the self-serve unlock via Okta only works if the Okta account is also locked.

      • NickT.68327 (Customer)

        This appears to have been the issue: the accounts I was testing were locked in AD but not in Okta. When I tried locking the account by passing several bad passwords to Okta, it locked in both places, and then the SMS unlock feature DID unlock the AD side.

        Now, I cannot figure out why the AD locks are not syncing up to Okta. I have locked an account on the AD side, and done an incremental and full import, but the Okta side still shows active.
      • User15851122134349081871 (North Central-Enterprise)

        A locked account in AD won't automatically propagate to be a locked account in Okta. This is one of the cases for why some people use delegated authentication: then if the AD account is locked out they won't be able to authenticate in Okta.

        Selected as Best
      • NickT.68327 (Customer)

        We have delegated provisioning enabled, and I just tested it working... would JIT help us any for this issue?

      • User15851122134349081871 (North Central-Enterprise)

        Don't think so. And I'm unsure what you mean by "delegated provisioning"; I was mentioning delegated authentication, where a user's authentication into Okta is delegated back to AD. In that way, a user would be unable to sign in to Okta, even if their account was unlocked there, if it's locked in AD, where the authentication is delegated to.

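Added diagnostic, not part of the thread or of Okta's own tooling: a PowerShell check that reads the AD-side lockout state of one user from every domain controller, so you can snapshot it before and after an Okta self-service unlock and see whether lockoutTime was really cleared (the PDC emulator row is the authoritative one). It assumes the ActiveDirectory RSAT module is installed and that the caller can read user objects; the user name 'jdoe' is a placeholder.

```powershell
# Added example: report a user's AD lockout state per domain controller.
# Assumes the ActiveDirectory RSAT module; 'jdoe' below is a placeholder.
Import-Module ActiveDirectory

function Get-AdLockoutState {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    # The PDC emulator is authoritative for lockoutTime and badPwdCount.
    $pdc = (Get-ADDomain).PDCEmulator
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    foreach ($dc in $dcs) {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc `
                -Properties LockedOut, lockoutTime, badPwdCount, badPasswordTime
        [pscustomobject]@{
            DomainController = $dc
            IsPdcEmulator    = ($dc -eq $pdc)
            LockedOut        = $u.LockedOut
            # lockoutTime is a FILETIME; 0 means the account is not locked.
            LockoutTime      = $(if ($u.lockoutTime -gt 0) { [DateTime]::FromFileTime($u.lockoutTime) })
            BadPwdCount      = $u.badPwdCount
            LastBadPassword  = $(if ($u.badPasswordTime -gt 0) { [DateTime]::FromFileTime($u.badPasswordTime) })
        }
    }
}

# Run once before and once after the self-service unlock and compare the rows.
Get-AdLockoutState -SamAccountName 'jdoe' | Format-Table -AutoSize
```

If the PDC emulator row still shows LockedOut = True after Okta reported success, the unlock never reached AD, which matches the symptom in the thread when only the AD account (and not the Okta account) was locked.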
This question is closed.