Okta Identity Engine / Directories · Answered · posted 2023-04-05, last activity 2023-05-15

JamesN.13590 (Bish's RV) asked a question.

Matching AD password requirements with Okta password requirements

For the Active Directory password policy in our organization, we use the default complexity requirements for Windows, most of which translates to Okta seamlessly. However, we do have one requirement in our AD that I'm not sure I can replicate in Okta. My understanding is that these requirements should match exactly. Our AD password policy requires characters from 3 of the 4 following categories:

1) Upper case letters

2) Lower case letters

3) Number 0-9.

4) Non-alpha chars.  (~!@*$%^&*_-+=`|(){}[]:;"'<>,.?/)

I do not see the option to require 3 of the 4 categories in Okta. You can require each of these, but not 3 of the 4 specifically.

Is there any way to enforce this in Okta or do we need to modify our AD policy to match the Okta policy?

Thanks,

James


  • DonF.81354 (Customer)

    Hi! Thanks for your question. Specifically, Okta does specify that these policies should not conflict and, if anything, the Okta policy should be stronger than the AD password policy. Based on that information, I believe you are fine here.

    AD requires 3 of the 4 to exist, whereas Okta can require that all 4 of 4 are contained within the password. This is not a conflict with the AD password policy, but rather a stronger take on it. Thus, users changing their passwords from Okta would have 4 of 4 (if required by policy).

    About Password Policies

    Hope this helps! Please let me know if you have any further questions or concerns.

    • JamesN.13590 (Bish's RV)

      Perhaps you can help with the issue I've been having. We have 2 new employees who were required to change their passwords on first login. The password change was successful on the AD but they are not able to authenticate via Okta. This is the error message:

      Authenticate user with AD agent
      failure: Authentication failed: bad username or password

      I am seeing this in the Okta logs but they are able to authenticate to AD resources. For one of the users, we asked them to reset their password again and it seemed to work. However, the 2nd one did not take. Any suggestions would be appreciated!

      Also, I see there is a password reset function in Okta. We are set up with Delegated Authentication. If we were to initiate the password reset from Okta, would that reset the AD password as well?

      Thanks,

      James

      • DonF.81354 (Customer)

        Sure! Quick question: are they resetting their passwords on Windows/AD or in Okta? This can make a difference depending on your setup. Seeing that you are using delegated authentication, resetting the password from Okta will work just fine and (in my opinion) is preferred.

        When using delegated authentication, the "Okta password" is really just the AD password, so they should always be the same. Meaning, when reset from the AD side, it should work fine in Okta, and vice versa. Okta is simply validating that the supplied password matches the one stored in AD. And are there any major differences in the password policies?

        Thanks!
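The following is an added example written for this page; it is not code from the thread or from Okta. It encodes the two rules being compared in the question and the first answer: the AD rule "characters from 3 of the 4 categories" and the Okta model, which has only a per-category minimum for each of the four categories (the field names `minLength`, `minLowerCase`, `minUpperCase`, `minNumber` and `minSymbol` are the ones Okta's password-policy API uses; the values below are constructed). The check a practitioner wants is `okta_policy_subsumes_ad`: an Okta policy is at least as strict as the AD rule exactly when its length floor is at least AD's and at least three of the four category minimums are 1 or more, because every password it accepts then already contains 3 of 4 categories. `ad_only_passwords` lists sample passwords AD would accept but the Okta policy would reject, which is relevant under delegated authentication because a password changed directly in AD is validated by AD alone. Assumptions, also marked in the code: "non-alpha" is taken as any ASCII punctuation character (a superset of the list in the question), the AD minimum length is taken as 7, and the additional Windows complexity provisions the question does not list (account-name and display-name substrings, the Unicode category) are not modelled.

```python
"""Added example (not from the thread): compare the AD "3 of 4 categories"
rule from the question with an Okta-style per-category minimum policy and
show which passwords one accepts and the other rejects."""
import string

# Assumption: "non-alpha" means any ASCII punctuation character, a superset
# of the list given in the question (which omits e.g. '#' and '\').
SYMBOLS = frozenset(string.punctuation)

# Assumption: Default Domain Policy minimum password length.
AD_MIN_LENGTH = 7

# Field names follow Okta's password-policy API
# (settings.password.complexity.*); the values are constructed for the example.
OKTA_ALL_FOUR = {"minLength": 8, "minLowerCase": 1, "minUpperCase": 1,
                 "minNumber": 1, "minSymbol": 1}
OKTA_DEFAULT_LIKE = {"minLength": 8, "minLowerCase": 1, "minUpperCase": 1,
                     "minNumber": 1, "minSymbol": 0}

OKTA_KEYS = {"upper": "minUpperCase", "lower": "minLowerCase",
             "digit": "minNumber", "symbol": "minSymbol"}


def category_counts(pw: str) -> dict:
    """Count characters per category; characters outside the four are ignored."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "symbol": 0}
    for c in pw:
        if c in string.ascii_uppercase:
            counts["upper"] += 1
        elif c in string.ascii_lowercase:
            counts["lower"] += 1
        elif c in string.digits:
            counts["digit"] += 1
        elif c in SYMBOLS:
            counts["symbol"] += 1
    return counts


def meets_ad_complexity(pw: str, min_len: int = AD_MIN_LENGTH) -> bool:
    """AD rule as stated in the question: characters from at least 3 of the
    4 categories, plus the domain's minimum length."""
    present = sum(1 for n in category_counts(pw).values() if n > 0)
    return len(pw) >= min_len and present >= 3


def meets_okta_complexity(pw: str, policy: dict) -> bool:
    """Okta rule: an independent minimum per category, no 'N of M' option."""
    if len(pw) < policy["minLength"]:
        return False
    counts = category_counts(pw)
    return all(counts[cat] >= policy[key] for cat, key in OKTA_KEYS.items())


def okta_policy_subsumes_ad(policy: dict, ad_min_len: int = AD_MIN_LENGTH) -> bool:
    """True when every password the Okta policy accepts also satisfies the AD
    rule: the Okta length floor is at least AD's, and at least three of the
    four categories are mandatory (minimum >= 1), so any Okta-valid password
    already contains 3 of 4 categories."""
    required = sum(1 for key in OKTA_KEYS.values() if policy[key] >= 1)
    return policy["minLength"] >= ad_min_len and required >= 3


def ad_only_passwords(samples, policy: dict, ad_min_len: int = AD_MIN_LENGTH) -> list:
    """Passwords AD accepts but the Okta policy would reject. Under delegated
    authentication these can still be set directly in AD and then used to
    sign in to Okta, since Okta only checks the password against AD."""
    return [pw for pw in samples
            if meets_ad_complexity(pw, ad_min_len)
            and not meets_okta_complexity(pw, policy)]


# Constructed sample passwords, one per interesting category mix.
SAMPLES = [
    "Abcdefg1",   # upper+lower+digit     : AD yes, 4-of-4 Okta no (no symbol)
    "ABCDEFG1!",  # upper+digit+symbol    : AD yes, any Okta policy with minLowerCase>=1 no
    "Abcdef$1",   # all four              : both yes
    "abcdefg1",   # lower+digit           : AD no (only 2 categories)
    "Ab1!",       # all four but too short: both no
]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw:12} AD={meets_ad_complexity(pw)!s:5} "
              f"Okta(4/4)={meets_okta_complexity(pw, OKTA_ALL_FOUR)}")
    print("4-of-4 policy subsumes AD rule:", okta_policy_subsumes_ad(OKTA_ALL_FOUR))
    print("default-like policy subsumes AD rule:", okta_policy_subsumes_ad(OKTA_DEFAULT_LIKE))
    print("AD-only under 4-of-4:", ad_only_passwords(SAMPLES, OKTA_ALL_FOUR))
```

Run as a script it prints the per-sample verdicts and the two subsumption results. Note that `OKTA_DEFAULT_LIKE` (upper, lower and digit mandatory, symbol optional) already subsumes the AD rule under these assumptions, so the "3 of 4" requirement does not need to be reproduced literally to avoid a conflict; the reverse direction does not hold, which is what `ad_only_passwords` makes visible.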
This question is closed.