If a client device has been enrolled via fleet enrollment but has not yet been assigned an owner, the following error may occur when the user tries to access a server via the UI Connect button:
The link was opened for "<user>", but the CLI is signed in as "". Please switch accounts by logging out and enrolling again with a different user.
- Okta Privileged Access (OPA)
- Client Version v1.100.2 and Newer
- Fleet Enrollment
- Okta Classic Engine
- Okta Identity Engine (OIE)
This error happens because the client device does not have an owner associated with it.
- The end user can check this by running `sft list-teams` and verifying that the `USERNAME` column is blank, as below:

      % sft list-teams
      USERNAME   TEAM      URL                               ID                                    STATUS
                 opateam   https://opateam.pam.okta.com/v1   75f76xxx-dc82-4df1-97bd-ec2684bcxxx   (default) Never used

An OPA Administrator can also check that the Owner field is blank in the OPA Admin Console on the Directory > Clients page, and filter for Show Unbound Clients to show only the clients without an owner.
To resolve the issue, assign an OPA user to the client device with either of these methods:
- Method 1: The end user can run the `sft login` command and authenticate with the Okta user they want to own the client device. The `sft list-teams` output should now show the `USERNAME` column populated.
NOTE: For an RDP connection, this may not be required, and instead, they can try to connect again.
- Method 2: An OPA administrator can assign the user:
- In the OPA Admin Console, navigate to Directory > Clients.
- Click the three dots next to the client device.
- Click Assign User.
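
The `sft list-teams` check described above can be scripted, for example to confirm across fleet-enrolled devices that an owner was assigned. This is an added example, not Okta's own tooling: the `unowned_teams` function and the sample rows are constructed here, and it assumes that usernames and team names contain no spaces and that the URL column always starts with `http://` or `https://`.

```shell
#!/bin/sh
# Added example (not from the original article): report teams in
# `sft list-teams` output whose USERNAME column is blank, meaning the
# client device has no owner bound to it.
#
# Assumption: a row with an owner has two tokens before the URL
# (USERNAME, TEAM); a row without an owner has only one (TEAM).

unowned_teams() {
  # Reads `sft list-teams` output on stdin, prints one unowned team per line.
  awk '
    $1 == "USERNAME" { next }            # skip the header row
    NF == 0          { next }            # skip blank lines
    {
      url = 0
      for (i = 1; i <= NF; i++)
        if ($i ~ /^https?:\/\//) { url = i; break }
      if (url == 2) print $1             # only TEAM precedes the URL
    }
  '
}

# Constructed sample: the unbound row shown in the article.
SAMPLE_UNBOUND='USERNAME   TEAM      URL                               ID                                    STATUS
           opateam   https://opateam.pam.okta.com/v1   75f76xxx-dc82-4df1-97bd-ec2684bcxxx   (default) Never used'

# Constructed sample: the same row after an owner is assigned
# ("alice.example" is a made-up username).
SAMPLE_BOUND='USERNAME        TEAM      URL                               ID                                    STATUS
alice.example   opateam   https://opateam.pam.okta.com/v1   75f76xxx-dc82-4df1-97bd-ec2684bcxxx   (default) Never used'

# On a device with the client installed, check the live output.
if command -v sft >/dev/null 2>&1; then
  teams=$(sft list-teams | unowned_teams)
  if [ -n "$teams" ]; then
    echo "No owner assigned for team(s): $teams"
  fi
fi
```

An empty result means every listed team has a username bound to the client.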
