Advanced Server Access release notes

End of sale announcement

Effective May 1, 2026, Okta will no longer sell or renew Advanced Server Access. Existing customers must migrate to Okta Privileged Access within one year of their next scheduled renewal date to maintain service.

Read the FAQ and learn more about Okta Privileged Access.

Device Tools

Platform

Device Tools

The binaries for device tools are compatible with both Okta Privileged Access and Advanced Server Access.

See the Okta Support website for the list of supported operating systems with End of Life (EOL) dates.

Current release

Version: 1.105.0

Deployment date: May 06, 2026

Release summary

Client

  • The Advanced Server Access server agent now uses precise process start times to track SFTP sessions on Linux. This enhancement prevents SFTP sessions from terminating prematurely and ensures more accurate session logging.

Previous releases

Version: 1.104.0

Deployment date: April 22, 2026

Release summary

Client

  • When you launch a native RDP session on a Windows machine, the RDP window now displays the server name instead of a unique ID. This ensures a consistent experience across both the web and command-line interfaces.

Client, Server Agent, Gateway

  • Advanced Server Access client, agent, and gateway now support RHEL 10 and Oracle Linux 10.

  • Windows 10 Enterprise is no longer supported.

Release: 1.103.2

Deployment date: April 09, 2026

Release summary

Client

  • RPM packages for Amazon Linux 2023 are now signed with SHA-256. This ensures that packages meet FIPS compliance requirements for admins using Amazon Linux 2023 and 2022 environments.

  • The Advanced Server Access client --version command incorrectly included a DEBUG- prefix in the version text.

Release: 1.102.0

Deployment date: March 30, 2026

Release summary

This release includes updates for Okta Privileged Access only.

Release: 1.101.2

Deployment date: March 25, 2026

Release summary

Client

  • The Advanced Server Access client now uses native Windows OpenSSH by default. This change ensures that Ctrl+C remains functional in the local terminal after an SSH session ends and prevents character drops during active sessions. Users can switch to the bundled MSYS2 SSH binary by using the sft config command.

Server agent

  • Windows user profiles created during Advanced Server Access sessions remained on the server after users signed out.

Gateway

  • Linux client tools, server tools, gateway, and RDP gateway are now packaged using native packaging tools for Debian and RPM-based systems.

Release: 1.100.2

Deployment date: February 25, 2026

Release summary

Client

  • Launching RDP sessions from the web now displays the server name in the MacFreeRDP window.

  • The sft client now sanitizes secret values before displaying them in the terminal to prevent command execution through malicious escape sequences. If you use terminal emulators like iTerm2, update your sft client to securely handle binary data and special characters.

  • Windows users sometimes received an error message after exiting an SSH session established through a gateway.

  • The sft client sometimes didn't clear session tokens after a user signed out. This could allow a subsequent user on the same machine to incorrectly reuse the previous session token for RDP connections.

  • The sft client for Windows sometimes used an insecure communication configuration that could allow arbitrary command execution during data deserialization.

Release: 1.99.7

Deployment date: January 21, 2026

Release summary

Client

  • When a user initiated a Remote Desktop Protocol (RDP) session from the web interface, the session sometimes failed to use the correct team context if the client was already authenticated to a different team.

  • RSA keys created for proxy commands now use a larger key size to improve security.

  • After upgrading the Advanced Server Access client to version 1.95.0 or higher on Windows, the scp command failed to work as expected.

Release: 1.99.5

Deployment date: December 16, 2025

Release summary

Client

  • Advanced Server Access now supports Linux systems with shared home directories. Admins can now configure the Advanced Server Access server agent to bypass provisioning the authorized principals file to a user's home directory, which eliminates log pollution issues on systems using Network File System (NFS).

Release: 1.99.3

Deployment date: December 03, 2025

Release summary

Client

  • When enrolling a Microsoft Windows 11 client, the enrollment approval page incorrectly displayed the operating system as Microsoft Windows 10.

  • Advanced Server Access client versions 1.93.0 and 1.94.0 failed to fall back to locally supported authentication methods when an admin attempted to connect to an unmanaged server using the --via flag.

  • You can now use the --account flag to connect to your server account for SSH or RDP access.

Release: 1.98.1

Deployment date: October 08, 2025

Release summary

This release has updates for only Okta Privileged Access access. See Okta Privileged Access release notes.

Release: 1.97.1

Deployment date: September 18, 2025

Release summary

Client

  • The sft list-accounts command, which was previously deprecated, has now been officially removed. Use the sft list-teams command instead.

  • The SFT client now adds the server name to the username when connecting through RDP using the Windows and FreeRDP clients.
Gateway

  • A bug in Windows 10 and Windows 11 was sending the wrong channel ID to Windows Server 2025. This prevented RDP through the gateway from working.

  • When you connect from a Windows 11 version 24H2 client to a Windows Server 2016, the connection may fail if a gateway is used. If a gateway isn't used, the RDP session may disconnect and reconnect several times before stabilizing.

Client

Server Agent

  • Digital signature verification has been added for all DLLs loaded from outside the trusted system paths.

Release: 1.95.0

Deployment date: August 27, 2025

Release summary

Client

  • When connecting from a Windows 11, version 24H2 to a Windows Server 2016, the RDP session may be immediately terminated or return an error. This is a known issue affecting RDP sessions.

  • Connection from a Windows 11, version 24H2 to a Windows Server 2025 server through Advanced Server Access gateway is terminated immediately after being established. This is a known issue affecting RDP sessions.
Gateway

  • Local account discovery, synchronization, and group membership management are now disabled for hosts that are Windows Domain Controllers.

Release: 1.94.1

Deployment date: August 21, 2025

Release summary

Client

Server agent

  • A backwards compatibility issue existed between the Advanced Server Access client and server agent with version 1.94.0, which exclusively impacted client trust forwarding.

Release: 1.94.0

Deployment date: August 13, 2025

Release summary

Client

  • The --account flag has been deprecated and is now replaced by the --team flag.

  • The Advanced Server Access client now supports RDP connections to Active Directory (AD) accounts on Windows AD servers managed by the Advanced Server Access server agent.

  • All versions of the Advanced Server Access client older than version 1.66.4 are no longer available for download.

  • The sft winscp command now supports selecting user access methods (UAMs) for Advanced Server Access servers. This command disconnects and automatically reconnects every 30 seconds.

Release: 1.93.0

Deployment date: August 07, 2025

Release summary

Client

  • macOS 15 is now supported in Advanced Server Access client and MacFreeRDP client.

  • Windows 10 (22H2) and Windows 11 (22H2, 23H2, and 24H2) are now supported in Advanced Server Access client.

  • The ssh config command didn't work correctly on Windows when paths contained spaces.

  • A vulnerability was resolved where it was possible for an external actor to inject false successful login events into the System Log without actually authenticating to a server.

  • The sft putty command now supports selecting user access methods (UAMs) for Advanced Server Access servers.

  • Enhanced security for transferring RDP credentials from the Advanced Server Access client to MacFreeRDP

  • The sft command no longer adds the server name to the username when connecting through RDP with Windows and FreeRDP clients.
Gateway

  • The SSH logs are now included in the Linux gateway server support bundle.

Release: 1.92.0

Deployment date: July 09, 2025

Release summary

Client

  • The ScaleFT CLI now only accepts HTTPS URLs.

Server Agent

  • The timeout setting for SSH connections has been updated to address stale logins.

Clients

Server Agent

  • Windows Server 2025 is now supported in Okta Privileged Access.
Okta Privileged Access

  • Okta Privileged Access package versions on dist.scaleft.com/repos are now sorted by name and file version, with directories grouped.

Release: 1.91.0

Deployment date: June 25, 2025

Release summary

Client

  • When enrolling a client, the hostnames in the URLs now match the hostnames in the enrollment request.

Gateway

Server Agent

  • The support command didn't capture the sshd_config.d and ssh_config.d file logs.

Release: 1.90.0

Deployment date: May 29, 2025

Release summary

Client

  • Support for using ssh.save_privatekey_passwords with the compat keyring on the Mac client is no longer supported.

  • Default keyring used to protect SFT state.json has been changed from compat to the system keyring.

Release: 1.89.1

Deployment date: April 23, 2025

Release summary

Client

  • Updated MacFreeRDP to upstream FreeRDP version 3.14.1.

  • When the command sft fleet enroll --token-file <tokenfile> was run multiple times on the same client for the same team, the first attempt succeeded, but subsequent attempts resulted in an error.

Release: 1.88.0

Deployment date: February 19, 2025

Release summary

Client

  • Users can now set a timeout for how long the system waits for confirmation of a failed connection before terminating the process. This timeout activates when an SSH connection is initiated.
Gateway

  • Removed the unsupported Advanced Server Access gateway for Windows OS.

Server agent

Gateway

  • The SFT support bundles now include /etc/sudoers and /etc/sudoers.d/* files.

Client

Server Agent

  • Wscapi.dll files now load from the system directory with a valid signature.

Platform

Previous releases

Release: 2024.02.0

Deployment date: February 07, 2024

Release summary

Platform

You can now enable IP-session binding for web and client sessions within a team. If an IP change is detected, the client or web session is revoked.

Release: 2023.06.2

Deployment date: June 28, 2023

Release summary

Enhancements

The following features are now in GA:

Release notes retention policy

Okta maintains release notes online for a period of 12 months following a release.

Contact Okta Support to request archived documentation for releases outside this window.