Installing the Okta AD Agent

Description of Issue

This article provides instructions on how to install the Okta AD Agent and set up user account creation within Okta.

Context
  • Okta

  • AD

  • Agent

  • TID-W

Cause

Informational

Resolution

Pre-installation steps

  1. Ensure an Okta tenant has been provisioned for your organization, e.g. https://tyler-<customeridentifier>.okta.com.

  2. Credentials for the Okta admin account will be provided securely to the administrator who will be installing the Agent.

  3. Create an Active Directory account called OktaService that has read access to the domain. Set its password never to expire.

    1. Optionally, the installer can create the account automatically if the account running the installer has the correct AD permissions.

  4. Choose a server on which to install the AD agent.

    1. On Prem: Installing on the Tyler Infrastructure Server is recommended, but it can be installed on any server within the domain.

    2. SaaS: Install on any server with access to AD that has as close to 100% uptime as possible.

  5. The following port requirements apply depending on where the Okta agent is installed:

    1. If installing on an internal server (recommended), port 443 must be open for two-way communication between the server the agent is installed on and *.okta.com.

    2. If installing in the DMZ, see https://help.okta.com/en/prod/Content/Topics/Directory/ad-agent-install-dmzports.htm

    3. For a full list of prerequisites, see https://help.okta.com/en/prod/Content/Topics/Directory/ad-agent-prerequisites.htm
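The service-account and port requirements above can be verified from the agent server before the installer is run. The following PowerShell is an added example, not part of the original article or of Okta's tooling; it assumes the ActiveDirectory RSAT module is installed, that it runs as a domain admin, and that $Tenant and $OuPath are placeholders you replace with your own values.

```powershell
# Added example (not from the Okta documentation or the original article):
# pre-installation checks for the Okta AD Agent service account and for
# outbound TCP 443 to the tenant. Assumptions: ActiveDirectory module present,
# run as a domain admin, $Tenant and $OuPath replaced with real values.

Import-Module ActiveDirectory

$Tenant  = 'tyler-<customeridentifier>.okta.com'    # placeholder from the article
$OuPath  = 'OU=Service Accounts,DC=example,DC=com'  # assumption: your service-account OU
$SamName = 'OktaService'
$Domain  = (Get-ADDomain).DNSRoot
$Upn     = "$SamName@$Domain"

# 1. Create the OktaService account if it does not already exist. It is a plain
#    domain user (the article requires only read access to the domain, so no
#    extra group membership is added). The password is set never to expire, as
#    the article specifies, and is entered interactively so it is not left in
#    the script or the shell history. The "Log on as a service" right is not
#    granted here; the installer handles that.
$Account = Get-ADUser -Filter "SamAccountName -eq '$SamName'" -Properties PasswordNeverExpires
if (-not $Account) {
    $Password = Read-Host -Prompt "Complex password for $SamName (store it securely)" -AsSecureString
    New-ADUser -Name $SamName -SamAccountName $SamName -UserPrincipalName $Upn `
        -Path $OuPath -AccountPassword $Password -Enabled $true `
        -PasswordNeverExpires $true -Description 'Okta AD Agent service account'
    $Account = Get-ADUser -Identity $SamName -Properties PasswordNeverExpires
}

# 2. Verify the settings the agent depends on. An expiring password means the
#    agent silently stops syncing when it expires.
if (-not $Account.Enabled) {
    Write-Warning "$SamName is disabled"
}
if (-not $Account.PasswordNeverExpires) {
    Write-Warning "$SamName password is set to expire; set it never to expire before installing"
}
"UPN to use in the installer if the email format is rejected: $($Account.UserPrincipalName)"

# 3. Confirm the agent server can reach the tenant on TCP 443 (the article's
#    requirement for an internal server). Test-NetConnection requires
#    Windows Server 2012 / Windows 8 or later.
$Probe = Test-NetConnection -ComputerName $Tenant -Port 443 -WarningAction SilentlyContinue
if ($Probe.TcpTestSucceeded) {
    "TCP 443 to $Tenant is open"
} else {
    Write-Warning "TCP 443 to $Tenant is blocked; fix firewall or proxy rules before running the installer"
}
```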

Installing the Okta AD Agent

  1. Log in as a domain admin to the server where the Okta AD Agent will be installed.

  2. Navigate to the Okta Admin page https://tyler-<customeridentifier>-admin.okta.com and log in as the Okta admin account (the credentials sent securely during the pre-installation steps).

  3. From the Okta Admin Console go to Settings>Downloads>AD Agents and choose Download Latest.

  4. Run the Okta AD Agent installer.

    1. Choose the installation folder on a non-OS drive.

    2. Enter the fully qualified domain name. This is typically pre-populated.

    3. Enter the credentials for the OktaService account.

      1. Choose Create or use the OktaService account (recommended) to have the installer create the OktaService account. This grants the OktaService account the Log on as a service right on the server. If this right is controlled via Group Policy, it may need to be granted explicitly.

        1. When using this option, the installer must be run as a domain admin.

        2. Create a complex password for this account and save it in a secure location. It will be needed again if the AD agent ever has to be re-installed.

      2. Choose Use an alternative account that I specify to enter the credentials for the OktaService account that was previously created. When selecting this option, specify the username in email-address format.

        1. If a message pops up that the credentials are not correct, try using the UPN instead.

    4. The next screen shows options to configure the Agent to use a proxy, which is uncommon. Check the box to use a proxy server (leave it unchecked to detect a proxy server automatically).

      1. Fill in the Address as host:port.

      2. Enter the username and password, if applicable.

    5. Next, register the Okta AD Agent under Production, e.g. tyler-<customeridentifier>.okta.com.

      1. If a message about pre-Windows 2008 appears, disregard it and continue.

    6. After the installer completes, a pop-up in a browser container will appear.

      1. If it does not, third-party cookies must be enabled and pop-ups allowed.

    7. Enter the Okta Admin credentials and click Sign In.

      1. Click Allow Access.

      2. Click Finish to complete the installation.

Configuring the Okta tenant

  1. Log in to the Okta admin tenant, e.g. https://tyler-<customeridentifier>-admin.okta.com, using the Okta Admin account.

  2. Within the Admin page browse to Directory>Directory Integrations. The AD Domain will be listed here as Not yet configured. Click Active Directory to begin configuration.

  3. Select the OUs to sync users and groups from. Do not click Next yet.

    1. If the Okta page returns Unable to Sign In while using JIT (Just-In-Time) provisioning, all OUs may need to be selected. Group Policies applied to the OUs or to the OktaService account can also cause login issues.

  4. At the bottom of the screen, choose Email address for the Okta username format to allow users to log in using their email address.

    1. Click Next>Next.

  5. On the Attributes selection screen, accept the defaults and click Next.

  6. Click Done.

  7. Within Directory Integrations>Provisioning, click To Okta>Edit.

  8. Check the boxes Create and update users on login and Don't send new user activation emails for this domain.

Testing

  1. Launch an incognito or private browser window and paste in the Okta tenant URL, e.g. https://tyler-<customeridentifier>-admin.okta.com.

  2. Log in with the full email address and password of an existing Active Directory user.

Additional Information