Using the "Authenticate with Username and Password" RDP is not working
Article ID: 395648

Updated On: 05-01-2025

Products

Symantec ZTNA

Issue/Introduction

The ZTNA admin set up an initial RDP app to access an internal Windows server.

Users log in to ZTNA via an Okta Identity Provider.

With the RDP policy enabling both short-term and long-term passwords, a user with permissions can authenticate to ZTNA and RDP into the back-end server successfully.

The ZTNA admin then applied a policy enabling short-term passwords only, for security.

When a user selects the RDP application from the ZTNA portal and tries to log in with the 'Authenticate with Username and Password' option shown below, the authentication never succeeds, even though the credentials are the ones copied from the portal (in this case the credential was the user's email address).

When users fail to authenticate, the following error message is shown within the RDP application.

Environment

ZTNA.

RDP Application.

Cause

With the username/password combination (not recommended as a best practice), we could not identify a unique user in the Identity Provider.

Resolution

As a best practice, use the short-term or long-term password option without selecting the username/password combination.

If the username/password combination is required and it fails with the user's email address, try the same password with the username instead (and vice versa).

Some changes on the ZTNA back end may be needed; raise a support ticket so that the ZTNA auth back end can be configured to search by different attributes.

Additional Information

When logging in via short-term RDP, we have no user information other than the username entered into the RDP client.

This means we have to find an exact match for that user's UPN in the Identity Provider the tenant has enabled.

Each Identity Provider has a different implementation, but with most of the integrations we have, we search by email or by username, not necessarily both. In this Okta case, we only allowed authentication by name, but the user was submitting the email address, so we changed the back end to allow both. The user could have logged in with their username instead of their email address to work around the issue.
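The lookup behaviour described above, as an added illustration (this is not Symantec ZTNA code and the `IdpUser` directory, attribute names and `resolve_user` helper are constructed for the example): the back end only has the string typed into the RDP client, so a username-only search fails when the user types their email address, and even a search over both attributes must reject a non-unique match.

```python
"""Model of how an auth back end resolves the RDP-client identifier
against an Identity Provider directory. Constructed example only."""
from dataclasses import dataclass
from typing import List, Optional, Sequence

@dataclass(frozen=True)
class IdpUser:
    username: str  # login name / UPN as held by the Identity Provider
    email: str

# Constructed sample directory; placeholder accounts, not real users.
# The two "svc-" entries deliberately share a mailbox so that an
# email search for it is ambiguous.
DIRECTORY: List[IdpUser] = [
    IdpUser("jdoe", "jdoe@example.com"),
    IdpUser("asmith", "asmith@example.com"),
    IdpUser("svc-backup", "ops@example.com"),
    IdpUser("svc-monitor", "ops@example.com"),
]

def find_matches(identifier: str,
                 attributes: Sequence[str] = ("username",),
                 directory: Sequence[IdpUser] = DIRECTORY) -> List[IdpUser]:
    """Return every directory entry whose selected attribute(s) equal the
    identifier. Comparison is case-insensitive after trimming whitespace;
    that normalisation is this example's assumption, not the product's."""
    ident = identifier.strip().lower()
    return [u for u in directory
            if any(getattr(u, attr).lower() == ident for attr in attributes)]

def resolve_user(identifier: str,
                 attributes: Sequence[str] = ("username",),
                 directory: Sequence[IdpUser] = DIRECTORY) -> Optional[IdpUser]:
    """Resolve the identifier to exactly one IdP user.
    Returns None when nothing matches (the page's symptom: email typed
    while only username is searched) or when the match is not unique
    (the "could not identify a unique user" cause)."""
    matches = find_matches(identifier, attributes, directory)
    return matches[0] if len(matches) == 1 else None

if __name__ == "__main__":
    # Username-only search, email typed: fails as in the article.
    print(resolve_user("jdoe@example.com"))
    # Search by both attributes: succeeds for the same input.
    print(resolve_user("jdoe@example.com", ("username", "email")))
    # Shared mailbox: two matches, so no unique user is returned.
    print(resolve_user("ops@example.com", ("username", "email")))
```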

There is a short-term plan to address this by reducing complexity here and allowing login by username and email for all Identity Providers by default.