Troubleshoot password synchronization

Use the information provided here to help resolve password synchronization issues.

Here are some suggestions for resolving password synchronization issues:

  • Review the Okta System Log to determine if the password synchronization event resulted from an attempt to push the password to applications or to Active Directory (AD).
  • Sign in to the password synchronization target application manually to determine which password is working.
  • With Okta to AD synchronization issues, confirm that the Okta AD agent service account permissions are correct and there are no errors in the Agent.log file.
  • Review the Okta AD agent and Okta AD Password Sync Agent (PSA) logs for synchronizPation events.
  • Failed password synchronization events appear in the list on the Tasks page.

The PSA is installed on all domain controllers, the user's AD password has changed, but the user isn't able to sign in to apps using desktop SSO.

The problem may be that the Okta username format for your org isn't set to User Principal Name (UPN) or sAMAccountName. To check the Okta username format setting:

  1. In the Admin Console, go to DirectoryDirectory Integrations.
  2. Click Active Directory and then the Provisioning tab.
  3. In the Settings list, click To Okta.
  4. In the General area, make sure that User Principal Name (UPN) or sAMAccountName is selected for Okta username format.

The filter was loaded successfully, but isn't enabled.

If you launch the PSA and a message displays stating that the agent isn't enabled, the you must enter your Okta URL. For example: (Ensure that you use https.)

Then click Verify URL.

The PSA couldn't establish a trust relationship.

If you launch the PSA and see message indicating that the "underlying connection was closed," then you installed PSA version 1.3.0 or later and your environment doesn't support SSL certificate pinning for communication with the Okta server. This is most likely to occur in environments that rely on SSL proxies. To allow the installation to succeed in this case, Okta recommends that you bypass SSL proxy processing by adding the domain to an allowlist.

Alternatively, you can choose to disable SSL certificate pinning as described in the following steps, but be aware that doing so disables a security enhancement provided by the agent.

To disable support for SSL pinning, edit the Windows registry as follows:

  1. Click Search, enter regedit in the search box, and then click Enter.
  2. If the message Do you want to allow this app to make changes your device? appears, click Yes.
  3. In the Registry Editor, go toHKEY_LOCAL_MACHINESOFTWAREOktaAD Password Sync.
  4. Double-click the setting Enable certificate pinning and change the value to 0.
  5. Click OK to save your change.

For more information about SSL certificate pinning, see Open Web Application Security Project.