When attempting to install or upgrade the Okta Active Directory Agent on a server, the download completes and the activation appears successful, but the wizard does not proceed past the Agent Installed page to the Basic Settings page.
Okta logs show token_timestamp_invalid failures for the OIDC token request for the Active Directory Agent.
Cause
Starting with version 3.18.0, the Okta Active Directory Agent uses OAuth 2.0 authentication to verify its connection to the Okta org. While this is a more secure authentication method, it requires AD Agent member servers to be time-synced with a standard NTP (Network Time Protocol) server; even minor clock drift will result in failed connections. For more detail on this behavior, see AD Agent Connection Issues for Version 3.18.0 and Above.
Resolution
Synchronize the member server with a standard NTP server. For a full reference on Windows Time service commands, see Windows Time service tools and settings.
On the member server, open a command prompt and issue the command:
w32tm /resync
If the first command fails to sync with NTP time, run the following commands in sequence in a command prompt with Administrator privileges:
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"0.it.pool.ntp.org 1.it.pool.ntp.org 2.it.pool.ntp.org 3.it.pool.ntp.org"
net start w32time
w32tm /config /update
w32tm /resync /rediscover
If the steps above do not resolve the issue, contact ZeroTek Support at [email protected].
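To confirm that clock drift is the cause before changing the time configuration, and to verify the result after the resync, the server's offset against one of the NTP peers can be measured with w32tm /stripchart. The script below is an added example, not part of the original article or of Okta's tooling; the 1-second tolerance, the parameter names and the sample output are assumptions made for illustration.

```powershell
param(
    [string]$Peer = '0.it.pool.ntp.org',  # first peer in the manual peer list above
    [double]$MaxOffsetSeconds = 1.0,       # assumed tolerance; the article states no number
    [switch]$UseSample                     # parse the constructed sample, no network needed
)

function Get-OffsetSeconds {
    # Pull signed offsets (seconds) out of 'w32tm /stripchart /dataonly' lines such as
    # "12:00:02, +00.0123456s". Header and "error: 0x..." lines produce no output.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') {
            [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    }
}

# Constructed sample output (not captured from a real host): clock about 412 seconds
# off, with one timed-out probe in the middle.
$sample = @(
    'Tracking 0.it.pool.ntp.org [192.0.2.10:123].'
    'Collecting 3 samples.'
    '12:00:00, -412.0931184s'
    '12:00:02, error: 0x800705B4'
    '12:00:04, -412.0928801s'
)

$lines = if ($UseSample) { $sample } else {
    & w32tm /stripchart "/computer:$Peer" /samples:3 /dataonly
}

$offsets = @(Get-OffsetSeconds -Lines $lines)
if ($offsets.Count -eq 0) {
    # Every probe failed: the peer is unreachable, so drift cannot be judged either way.
    Write-Warning "No NTP samples from $Peer (UDP 123 blocked or name not resolving?)."
    exit 2
}

$worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
'{0}: worst offset {1:N3}s over {2} sample(s)' -f $Peer, $worst, $offsets.Count

if ($worst -gt $MaxOffsetSeconds) {
    Write-Warning 'Clock offset exceeds tolerance; resync before re-running the agent installer.'
    exit 1
}
```

Saved as a .ps1 file and run with -UseSample, it reports the constructed 412-second offset and exits with code 1; without the switch it queries the peer over UDP 123.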



