<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
Okta Classic Engine

User17218062042626067917 (Customer) asked a question.

July 24, 2024 at 7:58 AM
Unable to install Okta AD Agent in Windows server 2022 standard

I tried installing the Okta AD Agent v3.18.0 but ran into the problems as seen in the picture below. I followed the documentation to the letter when setting up the server and the install would also complain about the OktaService account not being a member of Pre Windows 2000 Access group.

 

But the service account is added to the Access group and the domain admin group. I have even tried to install the agent by login to the server using the Okta service account. No luck. Add the AES-128 and AES-256 options for the account in AD user settings and still unable to install. Delegated control of the domain with the specific permissions and still not able to install the agent.

 

/help/servlet/rtaImage?refid=0EM4z000008eEnS

  • 7 answers
  • 2.31K views

  • Mihai Negoita - Okta (Okta, Inc.)

    Hi @User17218062042626067917 (Customer)​ , Thank you for reaching out to the Okta Community! 

     

    The new AD agent version 3.18.0 has a few changes, mainly what I think is causing your issue is the new OAuth 2.0 registration flow.

    You need to make sure to leverage a SuperAdmin account or an admin account that has the new role that manages Agents and Agent registration. 

    Please view the following articles for details: 

     

    AD Agent Changes Using OAuth 2.0

     

    Okta AD Agent Registration Using OAuth 2.0

     

    "Okta Agent Registration" Application is Assigned to Admins

     

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

     

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Expand Post
    Selected as Best

    • User17218062042626067917 (Customer)

      I was able to get the AD Directory Integration working by creating a custom admin role with the following permission and resource set:

      • Agent permissions (assigned everything)
      • Directories permissions (assigned the View directories permission)
      • Identity and access management permissions (assigned the View applications and their details permission from the Application permissions section)
      • The Application resource set

      I also did get this notification just like @DaveN.91871 (Stagecoach)​, "Resource set includes resources that are not affected by the permissions in the role." when creating the new admin. The Application resource set is needed if you want to see this below when adding a directory agent:image showing the Directory Integrations options

      Expand Post

  • DaveN.91871 (Stagecoach)

    I also have this exact issue. The account I am signing into Okta with to perform this registration is a Super Admin.

    I even tried creating a new Role with Agent registration, but when I came to assign it to the service account, it complained about not having a resource. I added a resource of 'All applications' (we do not have an application called "Okta agent registration"), and this time it said, "Resource set includes resources that are not affected by the permissions in the role."

     

    Still not allowing me to install the Okta AD Agent.

     

    Anything I can try?

    Expand Post

    • Mihai Negoita - Okta (Okta, Inc.)

      Hi @DaveN.91871 (Stagecoach)​ , I ran a couple of tests in my environment with this and I suspect there might be something wrong with this feature rollout, but before I go into details, I'd like to mention that the "Okta Agent Registration" app is not meant to be visible, it's supposed to be done automatically on the back-end as per this doc.

      That being said, I've been able to reproduce the issue you mentioned with the "Resource set includes resources that are not affected by the permissions in the role." - while the role can be created to have the "manage/view/register agents" permissions, there is not resource "type" available for that role configuration.

      Secondly, I checked via API if the "Okta Agent Registration" app is actually assigned to my admins and only the test admin set up with the new role (with wrong resource set apparently) has the app assigned. The SuperAdmins in my environment, don't show up in the list of users assigned to this app.

      I don't have the resources to investigate this further and the Okta Community Questions forum isn't really meant for in-depth troubleshooting. 

      I recommend you open a ticket to work with my colleagues from the Support team to clarify this matter. They'll be able to access additional tools and resources to help you get to the bottom of it.  

       

      Regards.

      --

      Help others in the community by liking or hitting Select as Best if this response helped you.

       

      Expand Post

  • DaveN.91871 (Stagecoach)

    Hi @Mihai Negoita - Okta (Okta, Inc.)​ . Thank you very much for your response. I shall open a case, as you suggest, and report back here when I get some answers. Thanks again

This question is closed.
Loading
Unable to install Okta AD Agent in Windows server 2022 standard