Issues with Delegated Authentication test + Missing expiration notification options

Loading

Skip to Navigation Skip to Main Content

Search

Search

Select Language

0D54z0000A9jzlsCQAOkta Classic EngineAuthenticationAnswered2024-06-28T16:26:54.000Z2024-06-03T13:58:57.000Z2024-06-28T16:26:54.000Z

User16847674343835482124 (Customer) asked a question.

June 3, 2024 at 1:58 PM

Issues with Delegated Authentication test + Missing expiration notification options

Hello!

We have okta running up successfully with our AD, Delegated Auth, and JIT provisioning. When I do the test delegated authentication option, it fails every time. It's setup for the UPN in Okta, which is username@company.org in AD and in Okta, however the following options all result in failure:

username

domain\username

username@company.org

Having said that, the following does work, which isn't my UPN in Okta or in AD:

username@company.local

Any idea what's up with that? For what it's worth, our users can log in using username, domain\username, and username@company.org without issue. It appears to only be this test that requires the .local.

Loosely related: I appear to be missing the option to notify on password expiration. According to the KB here https://support.okta.com/help/s/article/Your-Password-is-expiring-soon-prompt-not-displaying-correctly?language=en_US I have everything configured correctly. The option for Prompt user x days before password expires is absent from policy options.

Authentication

Top Rated Answers

Mihai N. (Okta, Inc.)
2 years ago
After some digging, I found out that the " Enable password expiry warning for AD users " is dependent of Feature Flag which might not be enabled for your org.
I assumed it would be ON by default for any orgs that have AD integrations, but that might not be the case.
If you have a free trial org, that might be the reason for the lack of features.
If you have a paid account with us, you can check with your Okta Account Executive if the feature would be available applicable and the Support team can enable it for you.

As for the "Test Delegated Authentication" issue, you might be able to find the reason for the failure in the Okta AD agent logs. You can find them under C:\Program Files\Okta\Okta AD Agent\logs in a typical installation.
Please review the following article for details related to the Log: https://support.okta.com/help/s/article/How-to-Retrieve-Okta-Logs-for-Troubleshooting?language=en_US

Regards.
--
Join the Ask Me Anything online event on June 13, 2024 to discuss the new Govern Okta Admin Roles feature with our Experts
Expand Post
Selected as Best

All Answers

Mihai N. (Okta, Inc.)
2 years ago
Hi @User16847674343835482124 (Customer) , Thank you for reaching out to the Okta Community!

This is the expected behavior for the "Test Delegated Authentication" flow. That authentication is done against the domain so you would need to test with the exact value listed on the AD side for UPN (prefix + AD domain). https://help.okta.com/en-us/content/topics/security/security_authentication.htm

Login to Okta with AD users is "filtered" through the attribute mapping so, it would work with the expected username or just the prefix if not other users with the same prefix exist.
Something similar was discussed in an older post as well:
https://support.okta.com/help/s/question/0D54z00008jRecmCAC/adsso-test-delegated-authentication-button-fails-for-known-correct-creds?language=en_US

As for your second question - the UI for the "Prompt user X days before password expires" option is a bit different depending whether you are using Okta Classic or the Okta Identity Engine (OIE).
Okta Classic:
Okta Admin Dashboard → Security → Authentication → Password → Active Directory Policy → "Password age" Section.

Okta Identity Engine (OIE):
Okta Admin Dashboard → Security → Authenticators → Password → "Edit" from the Actions dropdown→ Active Directory Policy → "Password age" Section.

If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.

Hope my answer helps!

--
Join the Ask Me Anything online event on June 13, 2024 to discuss the new Govern Okta Admin Roles feature with our Experts
Expand Post
User16847674343835482124 (Customer)
Edited June 4, 2024 at 4:19 PM
Hi @Mihai N. (Okta, Inc.),

Thanks for the detailed response: I am actually using the AD UPN:

For the second item, we're using classic. I am looking at that location but I am not seeing anything about expiration reminders:
Expand Post
- Mihai N. (Okta, Inc.)
  2 years ago
  After some digging, I found out that the " Enable password expiry warning for AD users " is dependent of Feature Flag which might not be enabled for your org.
  I assumed it would be ON by default for any orgs that have AD integrations, but that might not be the case.
  If you have a free trial org, that might be the reason for the lack of features.
  If you have a paid account with us, you can check with your Okta Account Executive if the feature would be available applicable and the Support team can enable it for you.
  
  As for the "Test Delegated Authentication" issue, you might be able to find the reason for the failure in the Okta AD agent logs. You can find them under C:\Program Files\Okta\Okta AD Agent\logs in a typical installation.
  Please review the following article for details related to the Log: https://support.okta.com/help/s/article/How-to-Retrieve-Okta-Logs-for-Troubleshooting?language=en_US
  
  Regards.
  --
  Join the Ask Me Anything online event on June 13, 2024 to discuss the new Govern Okta Admin Roles feature with our Experts
  Expand Post
  Selected as Best

This question is closed.

Recommended content

No recommended content found...

Loading

Issues with Delegated Authentication test + Missing expiration notification options