RDP via ASA AD-Joined Passwordless Fails with "Your credentials could not be verified"
Okta Classic Engine
Okta Identity Engine
Advanced Server Access
Overview

When trying to RDP to a Windows server via the ASA Active Directory (AD)-Joined Passwordless flow, the RDP fails with the following error:

Your credentials could not be verified

When inspecting the Kerberos communication between the target server and the authenticating DC, the following Kerberos error might be seen:

KDC_ERR_CERTIFICATE_MISMATCH

Applies To
  • Advanced Server Access (ASA)
  • Remote Desktop Protocol (RDP)
Cause

Windows is moving towards stronger enforcement of attributes used in certificate-based authentication per the following Microsoft KB:

When Domain Controllers (DCs) are set to this new "Full Enforcement Mode", they reject the ASA certificate during Kerberos authentication because, by default, ASA does not include any of the "strong" certificate mappings in the certificates it issues.

Solution
  1. On the ASA side, configure the Team Settings to include the user SID in the certificate. See Team Settings.
  2. Ensure user sync job(s) are running successfully and configured properly to match all ASA users. This is required for ASA to obtain and use the SID in the certificate.
  3. Ensure that the Active Directory passwordless identity attribute value for users is in the same UPN format as expected by AD (for example, <user> vs. <user>@<domain>, and case sensitivity).
    1. If the UPN does not match, the following error may occur:

userSID is required for creating x509 certificate with includeSID=Always

    2. If the domain needs to be added for all users, this can be done with an OEL expression in the attribute mapping from the AD connection to the Okta profile attribute that is mapped to the ASA passwordless identity attribute, followed by forcing a sync.
      • For example, the OEL expression from the setup doc, Arrays.add(Arrays.toCsvString({}),appuser.userName), can be modified to Arrays.add(Arrays.toCsvString({}),appuser.userName + "@domain.com")

If this is not viable or still does not resolve the issue, consider setting the enforcement back to Compatibility mode on the Windows side so that it will support the default ASA certificates. Consult with Microsoft for more details on how to set this mode on the Windows side.
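As an added illustration of step 3 (not Okta or ASA code), the following script compares the values ASA would present as the passwordless identity against the AD userPrincipalName values and reports the mismatches that lead to the "userSID is required" error: a missing domain suffix, a case difference, or no matching AD account. The sample users, the domain corp.example.com and the function names are constructed for this example; the domain-append rule mirrors the OEL change described above.

```python
"""Pre-sync check of ASA passwordless identity values against AD UPNs.

Constructed example, not part of the Okta article or ASA. All data below is
made up. It models step 3 of the solution: the identity value ASA presents
must match the AD UPN (domain suffix and case) or the SID cannot be resolved
and ASA cannot issue a certificate with includeSID=Always.
"""
from dataclasses import dataclass

# Constructed sample data: what AD holds vs. what the Okta->ASA mapping sends.
AD_UPNS = ["alice@corp.example.com", "Bob.Smith@corp.example.com",
           "carol@corp.example.com"]
ASA_VALUES = ["alice@corp.example.com", "bob.smith@corp.example.com",
              "carol", "dave@corp.example.com"]
DEFAULT_DOMAIN = "corp.example.com"  # assumed UPN suffix for this example


@dataclass
class UpnCheck:
    asa_value: str
    status: str     # "ok", "case-mismatch", "missing-domain", "not-found"
    suggested: str  # AD value that would match, or "" when none exists


def normalize_with_domain(value: str, default_domain: str) -> str:
    # Same effect as the OEL tweak (appuser.userName + "@domain.com"), but
    # only when the value carries no domain at all, so existing UPNs are kept.
    return value if "@" in value else f"{value}@{default_domain}"


def check_passwordless_identities(asa_values, ad_upns, default_domain):
    # Exact match is what we want; a case-insensitive index lets us explain
    # near misses (case or suffix) instead of just reporting "not found".
    by_lower = {u.lower(): u for u in ad_upns}
    results = []
    for value in asa_values:
        if value in ad_upns:
            results.append(UpnCheck(value, "ok", value))
            continue
        candidate = normalize_with_domain(value, default_domain)
        expected = by_lower.get(candidate.lower())
        if expected is None:
            results.append(UpnCheck(value, "not-found", ""))
        elif "@" not in value:
            results.append(UpnCheck(value, "missing-domain", expected))
        else:
            results.append(UpnCheck(value, "case-mismatch", expected))
    return results


if __name__ == "__main__":
    for r in check_passwordless_identities(ASA_VALUES, AD_UPNS, DEFAULT_DOMAIN):
        print(f"{r.asa_value:32} {r.status:15} {r.suggested}")
```

Run it against an export of the real mapping before forcing a sync; any row other than "ok" is a user whose certificate request would fail.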
