
영진채.15505 (Customer) asked a question.
I have established an AWS Managed AD - Workspace MFA - OKTA connection.
There are cases where authentication is successful and cases where it is not.
Case1. Auth Failed
1. Pushed aron account from AWS Managed AD to OKTA.
2. Merged with aron account in OKTA.
3. I included the account in the aws workspace app and tried logging in.
4. "Authentication Failed" message is displayed.
5. Checking the log on Radius Server EC2 shows the following.
"Authentication failed for user aron@xx.co.kr , reason --- Access denied. Invalid creds?"
Case2. Auth Success
1. Pushed aron account from AWS Managed AD to OKTA.
2. Create a new aron account on OKTA.
3. I included the account in the aws workspace app and tried logging in.
4. Logged in normally.
Why can't Case 1 log in?
Having multiple accounts is difficult.

Hi!! Thanks for your question.
First and foremost, are you set up for Delegated Authentication or Password Sync? Also, do you have an Okta AD Agent installed on a member server in your domain? I am assuming yes to the second question, but wanted to validate.
The examples you gave above are interesting. In both cases the users exist in this Managed Domain & Okta? Also, do you have multiple Active Directory domains integrated with Okta or just this one?
Final question, is including the account in the AWS Workspace App process taking place in an integrated application inside of Okta or on the AWS side?
Sorry for all the questions, but it would help to have a better understanding of your environment so that I can provide the best assistance possible. Thanks!
Hi! Thanks for your answer!!
1. Use Password Sync.
2. Okta AD Agent was installed on EC2 and we did two-way account forwarding to each other.
3. There is only one connection between my OKTA and AWS Managed AD.
4. Assigned user to workspace app in OKTA.
5. AD also assigned that account to the workspace.
This is a test I did today.
1. Transferred my aron account from OKTA to AD.
2. Confirmed that the aron account was delivered to AD.
3. When creating the AWS workspace, I selected the aron account as the user.
4. Added aron account to OKTA workspace App.
5. I entered id+pw+okta OTP in workspace application.
6. "Authentication Failed" message is displayed.
7. In OKTA workspace App log, "Authentication of user via Radius failure: Login failed." is output.
Thanks!
So this is an interesting one. Technically, according to this article, "Provisioning issues from Okta to AWS AD", Okta does not natively support AWS Managed AD or Simple AD setups.
That alone may cause an issue, but due to the fact you are utilizing Password Sync, we have a second issue. According to "Synchronize passwords from Active Directory to Okta", a core requirement of this is the following:
"The Okta AD Password Sync Agent is installed and configured on all domain controllers in each integrated domain in your forest." Because there is no custom managed DC (like an EC2 instance), where is the Password Sync Agent installed? The fact it is not on a DC is going to be an issue.
Next, it does appear that "Delegated Authentication is enabled. For more about Delegated Authentication, see Authentication". I would try to run this without the Password Sync Agent, as I am not sure how to get around that requirement. You could try running this without that agent and having delegated auth handle the password, but remember that the agent must be installed on a member server, must have the correct service account running, etc.
Given some of the requirements outlined above, it might be better to run your own DC from an EC2. More management required, but more customization available. Let me know your thoughts on this! Hope it helps!
Thanks,
Don