Use the information provided here to help resolve password synchronization issues.
Here are some suggestions for resolving password synchronization issues:
- Review the Okta System Log to determine whether the password change event actually triggered a password synchronization attempt to push the password to applications or to Active Directory (AD).
- Sign on to the password synchronization target application manually to determine which password (old or new) is currently accepted.
- For Okta to AD synchronization issues, confirm that the Okta AD agent service account has the correct permissions and that there are no errors in the Agent.log file.
- Review the Okta AD agent and Password Sync Agent (PSA) logs for synchronization events.
- Failed password synchronization events appear in the task list on the Tasks page.
The problem may be that the Okta username format for your org is not set to User Principal Name (UPN) or sAMAccountName. The AD Password Sync Agent only works when the Okta username format is one of these two values. To check the Okta username format setting:
- In the Okta Admin Console, click Directory > Directory Integrations.
- Click Active Directory and then the Provisioning tab.
- In the SETTINGS list, click To Okta.
- In the General area, make sure that User Principal Name (UPN) or sAMAccountName is selected for Okta username format.
If you launch the AD Password Sync agent and a message displays stating that the agent is not enabled, you must enter your Okta URL (for example, https://mycompany.okta.com) and click Verify URL.
Note: You must use the https:// prefix in your entry.
If you launch the AD Password Sync agent and the message displays The underlying connection was closed. Could not establish trust relationship for the SSL/TLS secure channel, then you installed AD Password Sync agent version 1.3.0 or later and the agent's SSL certificate pinning is preventing it from communicating with the Okta server. This is most likely in environments with an SSL (TLS-intercepting) proxy that re-signs the Okta server certificate with an enterprise CA, so the certificate the agent sees no longer matches the pinned one. To allow installation to complete in this case, Okta recommends that you bypass SSL proxy processing for the domain okta.com by adding it to the proxy's bypass list (whitelist).
Alternatively, you can choose to disable SSL certificate pinning as described below, but be aware that doing so disables a security enhancement provided by the agent.
To disable support for SSL pinning, edit the Windows registry as follows:
- Click Search, enter regedit in the search box, and press Enter.
- If a message displays Do you want to allow this app to make changes to your device?, click Yes.
- In the Registry Editor, navigate to HKEY_LOCAL_MACHINE > SOFTWARE > Okta > AD Password Sync.
- Double-click the setting Enable certificate pinning and change the value to 0.
- Click OK to save your change.
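The following PowerShell script is an added example, not code from Okta or from the agent. It does two things a practitioner would want before and after the registry edit above: it shows the certificate chain that this host actually receives for the Okta URL, so you can see whether a TLS-intercepting proxy is re-signing okta.com (the cause of the trust-relationship error), and it reads or sets the same registry value that the regedit steps change. Assumptions: the org URL host is mycompany.okta.com, and the registry value is a DWORD named exactly "Enable certificate pinning" under HKLM:\SOFTWARE\Okta\AD Password Sync; adjust both if your installation differs.

```powershell
# Added example (not Okta's code). Run in an elevated PowerShell session on the
# server that hosts the AD Password Sync agent.
param(
    [string]$OktaHost = 'mycompany.okta.com'   # assumed example org host; replace with yours
)

function Get-OktaServerCertificateChain {
    # Open a raw TLS connection and return the chain as presented to this host.
    # Validation is deliberately accepted so we can inspect an intercepted chain.
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($leaf)          # leaf first, root last
        $chain.ChainElements | ForEach-Object { $_.Certificate }
    } finally {
        $client.Close()
    }
}

$chainCerts = Get-OktaServerCertificateChain -HostName $OktaHost
$chainCerts | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize

# A TLS-intercepting proxy replaces the server certificate with one signed by the
# enterprise CA. If the root below is your own CA rather than a public one, the proxy
# is in the path and pinning will fail until okta.com is added to the proxy bypass list.
$root = $chainCerts[-1]
Write-Host "Chain root presented for $OktaHost : $($root.Subject)"

# Registry half: the same setting the regedit steps change.
$regPath   = 'HKLM:\SOFTWARE\Okta\AD Password Sync'
$valueName = 'Enable certificate pinning'   # assumed exact value name and DWORD type

function Get-PinningState {
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (agent default)' }
    if ($item.$valueName -eq 0) { 'disabled' } else { 'enabled' }
}

function Disable-CertificatePinning {
    # Equivalent to setting the value to 0 in regedit. This removes a security
    # control; prefer the proxy bypass and re-enable pinning once it is in place.
    Set-ItemProperty -Path $regPath -Name $valueName -Value 0 -Type DWord
}

function Enable-CertificatePinning {
    Set-ItemProperty -Path $regPath -Name $valueName -Value 1 -Type DWord
}

"Certificate pinning is currently: $(Get-PinningState)"
# Call Disable-CertificatePinning or Enable-CertificatePinning as needed, then restart
# the agent service so it rereads the value (assumed; the service name is not shown here).
```

Run the chain check first: if the root is a public CA, the proxy is not the cause and disabling pinning will not help. Treat Disable-CertificatePinning as a temporary measure and audit the value (Get-PinningState) after the proxy bypass is in place so pinning does not stay off by accident.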
For more information about SSL certificate pinning, see Open Web Application Security Project.