About Okta integration with Active Directory


After I used the Okta AD agent to import my test Active Directory user into the Okta directory, I can use AD credentials to log in. That's great!
But I have a question. Does Okta use a password hash to cache the AD password?
The reason I ask is that I shut down my AD server and Okta still allows me to log in with the AD credentials.
So I did the steps below to verify:
I changed the AD credential on the AD server while keeping the AD server running, and I could use the new password to log in. After logging in, I shut down the AD server, and Okta still let me log in. Then I started the AD server, changed the password and shut it down immediately; now Okta still let me log in with the old password. So my question is: in which format does Okta cache the password?

Thanks & Regards,

Hi @Lyle

Okta caches a hash of the AD password used to log in in order to provide a way for users to authenticate in case there is a downtime on the Active Directory side. This hash is automatically deleted after 5 days.

Thanks dragos. One more question about the automatic deletion: if the hash is deleted after 5 days and the AD server is down, will the user not be able to log in successfully?

Hi @Lyle

In this case, you will need to use an Okta-mastered account to successfully authenticate to Okta. Our recommendation is to have an Okta user with super administrator role as a back-up for use-cases such as this one.

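To make the behaviour described in the two answers above concrete, here is a small model of delegated authentication with a cached-credential fallback. It is an added example written for this thread, not Okta's code: the hash function (PBKDF2-SHA256 with a random salt), the injectable clock, the `ActiveDirectory`/`Broker` classes and the user names are all constructed for illustration; the only facts taken from the thread are that a hash of the password that last succeeded against AD is cached, that it is deleted after 5 days, and that an Okta-mastered account is the way in once the cache is gone. `replay_thread_scenario()` walks through exactly the steps Lyle tried, and shows why the old password kept working: the cache holds the last password that was verified against AD, not the current AD password, so a change made while nobody logs in never reaches the cache.

```python
"""Model of delegated authentication with a 5-day cached-hash fallback.

Constructed example; it is not Okta's implementation. Hash algorithm,
class names and user names are assumptions made for illustration.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

CACHE_TTL = timedelta(days=5)  # per the thread: cached hash is deleted after 5 days


class DirectoryDown(Exception):
    """Raised when the (simulated) AD server cannot be reached."""


class ActiveDirectory:
    """Stand-in for the AD server: a user table plus an up/down switch."""

    def __init__(self):
        self.passwords = {}  # username -> password (cleartext only in this toy model)
        self.up = True

    def set_password(self, user, password):
        self.passwords[user] = password

    def verify(self, user, password):
        if not self.up:
            raise DirectoryDown()
        return self.passwords.get(user) == password


class Clock:
    """Injectable clock so the example can advance time without sleeping."""

    def __init__(self, start):
        self.t = start

    def now(self):
        return self.t

    def advance(self, delta):
        self.t += delta


def _hash(password, salt):
    # Assumption: PBKDF2-SHA256; the thread does not say which hash Okta uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Broker:
    """Identity provider that delegates to AD and caches the last successful hash."""

    def __init__(self, directory, now):
        self.directory = directory
        self.now = now
        self.cache = {}        # user -> (salt, hash, cached_at)
        self.local_users = {}  # broker-mastered (break-glass) accounts: user -> (salt, hash)

    def add_local_user(self, user, password):
        salt = os.urandom(16)
        self.local_users[user] = (salt, _hash(password, salt))

    def login(self, user, password):
        """Return which path authenticated the user, or None if rejected."""
        if user in self.local_users:  # mastered locally: never depends on AD
            salt, digest = self.local_users[user]
            return "local" if hmac.compare_digest(_hash(password, salt), digest) else None
        try:
            ok = self.directory.verify(user, password)
        except DirectoryDown:
            return "cache" if self._check_cache(user, password) else None
        if ok:  # only a successful directory login refreshes the cache
            salt = os.urandom(16)
            self.cache[user] = (salt, _hash(password, salt), self.now())
            return "directory"
        return None

    def _check_cache(self, user, password):
        entry = self.cache.get(user)
        if entry is None:
            return False
        salt, digest, cached_at = entry
        if self.now() - cached_at > CACHE_TTL:
            del self.cache[user]  # expired: the fallback is gone
            return False
        return hmac.compare_digest(_hash(password, salt), digest)


def replay_thread_scenario():
    """Replay Lyle's verification steps and return which path each login took."""
    clock = Clock(datetime(2024, 1, 1))
    ad = ActiveDirectory()
    okta = Broker(ad, clock.now)
    r = {}
    ad.set_password("lyle", "old-pw")
    r["ad_up_old_pw"] = okta.login("lyle", "old-pw")                 # "directory"
    ad.up = False
    r["ad_down_old_pw"] = okta.login("lyle", "old-pw")               # "cache"
    ad.up = True
    ad.set_password("lyle", "new-pw")
    r["ad_up_new_pw"] = okta.login("lyle", "new-pw")                 # "directory", cache refreshed
    ad.up = False
    r["ad_down_new_pw"] = okta.login("lyle", "new-pw")               # "cache"
    r["ad_down_old_pw_after_change"] = okta.login("lyle", "old-pw")  # None
    ad.up = True
    ad.set_password("lyle", "newer-pw")  # changed, then AD shut down before any login
    ad.up = False
    r["stale_cache_accepts_last_used"] = okta.login("lyle", "new-pw")  # "cache"
    r["unused_new_pw_rejected"] = okta.login("lyle", "newer-pw")       # None
    clock.advance(timedelta(days=6))  # past the 5-day TTL
    r["expired_cache"] = okta.login("lyle", "new-pw")                # None
    r["cache_entry_present"] = "lyle" in okta.cache                  # False
    okta.add_local_user("breakglass-admin", "admin-pw")
    r["local_admin_ad_down"] = okta.login("breakglass-admin", "admin-pw")  # "local"
    return r


if __name__ == "__main__":
    for step, outcome in replay_thread_scenario().items():
        print(f"{step}: {outcome}")
```

The two things worth taking from the model: the cache is refreshed only by a login that succeeds against AD, so a password changed on AD while the directory is unreachable (or never used after the change) is not what the fallback checks; and once the TTL passes the entry is dropped, after which only an account mastered by the broker itself (the Okta super administrator dragos recommends keeping as a backup) can get in while AD is down.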

Got it. Thanks for your useful information, dragos.
