RDP via ASA AD-Joined Feature Failing with "No Valid User Access Methods for this Server"
Advanced Server Access
Okta Classic Engine
Okta Identity Engine
Overview

When attempting to connect to a server over Remote Desktop Protocol (RDP) via ASA's AD-joined feature, the RDP connection fails with the error:

No Valid User Access Methods for this Server.

Client log messages may show the following signature:
 

2023-09-13T13:57:42.389-0500    DEBUG    remote error returned    {"url": "https://app.scaleft.com/v1/teams/exampleteam/connection_info", "resp.RequestId": "1-65020626-610dfbe15ff56a804a3cfe08", "statusCode": 400, "err": "No valid user access methods for this server.", "err.Type": "invalid_request", "err.Code": 400, "err.Message": "No valid user access methods for this server."}
2023-09-13T13:57:42.389-0500    INFO    RecordSpan    {"t": "trace", "operation": "client.request", "start": "2023-09-13T13:57:42.132-0500", "duration": "256.7334ms", "traceID": 591782178028480058, "spanID": 4139909778910663224, "tags": {"http.method":"POST","http.request_id":"1-65020626-610dfbe15ff56a804a3cfe08","http.status_code":400,"http.url":"https://app.scaleft.com/v1/teams/exampleteam/connection_info","span.kind":"client"}}
2023-09-13T13:57:42.389-0500    ERROR    Failed to get RDPConnectionInfo from platform    {"error": "No valid user access methods for this server.", "targets": [{"id":"5410dc65-3ba1-494e-b4fa-44c72e78e4de"}]}
2023-09-13T13:57:42.389-0500    ERROR    Failed to resolve target    {"target": "5410dc65-3ba1-494e-b4fa-44c72e78e4de", "bastions": [], "error": "No valid user access methods for this server."}
2023-09-13T13:57:42.390-0500    ERROR    Failed to execute RDP from URL    {"error": "No valid user access methods for this server.", "target": "5410dc65-3ba1-494e-b4fa-44c72e78e4de", "bastions": [], "conf": {"RDP":{"Screensize":{},"Fullscreen":{},"Client":{}},"SSH":{"SavePrivatekeyPasswords":{},"PortForwardMethod":{},"InsecureForwardAgent":{},"AllowRsaSha1Keys":{}},"SSHAgent":{"Enable":{},"Keys":{}},"ServiceAuth":{"Enable":{}},"Beta":{"SSHBridgeV3":{},"DisconnectedMode":{},"UserAccessMethods":{},"PasswordLogins":{},"AccessRequests":{}},"Update":{"ReleaseChannel":{}},"Network":{"ForwardProxy":{},"TLSUseBundledCAs":{}},"ClientTrustForwarding":{"Enable":{}},"Client":{"TimeoutSeconds":{}}}}
2023-09-13T13:57:42.390-0500    ERROR    RDP URL Handler failed    {"error": "No valid user access methods for this server."}
2023-09-13T13:57:42.390-0500    DEBUG    Sending error to watcher    {"error": "Title:\"RDP URL error\"  Body:\"No valid user access methods for this server.\""} 
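
An added example (not Okta's code and not part of the original article): a Python triage script that scans client log lines in the format shown above for this error signature and collects the request IDs and target IDs to correlate across a larger log. The sample lines are constructed, shortened from the excerpt above, and the function names are hypothetical.

```python
import json
import re

SIGNATURE = "No valid user access methods for this server."
# Layout seen in the excerpt: timestamp, level, free-text message, JSON payload
LINE_RE = re.compile(r"^(\S+)\s+(DEBUG|INFO|WARN|ERROR)\s+(.*?)\s+(\{.*\})\s*$")

def parse_line(line):
    """Split one client log line into (timestamp, level, message, fields)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        fields = json.loads(m.group(4))
    except json.JSONDecodeError:
        return None  # truncated or non-JSON payload: skip rather than guess
    return m.group(1), m.group(2), m.group(3), fields

def triage(lines):
    """Collect request IDs and target IDs tied to the access-method error."""
    report = {"hits": 0, "request_ids": set(), "targets": set()}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        fields = parsed[3]
        err = str(fields.get("err") or fields.get("error") or "")
        if SIGNATURE not in err:
            continue
        report["hits"] += 1
        if "resp.RequestId" in fields:
            report["request_ids"].add(fields["resp.RequestId"])
        if isinstance(fields.get("target"), str):
            report["targets"].add(fields["target"])
        for t in fields.get("targets", []):
            if isinstance(t, dict) and "id" in t:
                report["targets"].add(t["id"])
    return report

# Constructed sample: shortened versions of the log lines in the excerpt above
SAMPLE = [
    '2023-09-13T13:57:42.389-0500    DEBUG    remote error returned    {"resp.RequestId": "1-65020626-610dfbe15ff56a804a3cfe08", "statusCode": 400, "err": "No valid user access methods for this server."}',
    '2023-09-13T13:57:42.389-0500    INFO    RecordSpan    {"t": "trace", "tags": {"http.status_code": 400}}',
    '2023-09-13T13:57:42.389-0500    ERROR    Failed to get RDPConnectionInfo from platform    {"error": "No valid user access methods for this server.", "targets": [{"id":"5410dc65-3ba1-494e-b4fa-44c72e78e4de"}]}',
    '2023-09-13T13:57:42.389-0500    ERROR    Failed to resolve target    {"target": "5410dc65-3ba1-494e-b4fa-44c72e78e4de", "bastions": [], "error": "No valid user access methods for this server."}',
    'Loading',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit paired with an HTTP 400 on the connection_info request and an empty bastions list matches the signature in this article and points at the account mapping rather than at network reachability.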


 

Applies To
  • Advanced Server Access (ASA)
    • Active Directory (AD)-joined
Cause

Attribute mapping on the Okta side needs to be set up in order to relay the user's Active Directory identity to ASA. If there is an issue with this configuration, ASA may not properly receive the AD identity and, therefore, may not use the correct AD username in the RDP connection.

Solution

Review the Active Directory account mapping per "Configure Active Directory account mapping".

In this example, the specific issue was that the "Active Directory Identity" and "Active Directory Passwordless Identity" attributes were configured as "Data type: string" instead of "Data type: string array". Switching this to "Data type: string array" resolved the issue.

NOTE: In newer ASA teams, these attributes may no longer need to be manually created on the Okta side. Therefore, if the issue persists, validate other aspects of the AD mapping configuration. For example, consider using ASA project-level attribute overrides if the AD accounts needed to log in to the ASA environment differ from the AD account naming scheme seen by the Okta tenant's directory integration.
