Create a server enrollment token
An enrollment token is a Base64-encoded object that includes metadata used to enroll the device into an Okta Privileged Access project.
- Open the Okta Privileged Access dashboard.
- Go to .
- Select a resource group and then select the project that you want to use.
- Select the Settings tab.
- In the Enrollment tokens section, click view. A list of available enrollment tokens appears.
- Click Create Enrollment Token.
- Enter a description for the token.
- Click Save to create the token.
- Copy the token to the enrollment token path on the server. You can either use your configuration management system (for example, Puppet, Chef, Ansible) or write it to a file.
  - On Linux, the enrollment token path is /var/lib/sftd/enrollment.token
  - On Windows, the enrollment token path is C:\windows\system32\config\systemprofile\AppData\Local\scaleft\enrollment.token
- Optional. Complete the following steps if you see an error when you sign in with a vaulted Linux account:
  - In the /etc/ssh/sshd_config file, ensure PasswordAuthentication is set to yes.
  - Run the sudo systemctl restart sshd command to restart the SSH server for the configuration to take effect.
  Check /etc/ssh/sshd_config.d/ for drop-in configuration files if changes to the main file don't work.
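The drop-in check from the optional step, as an added example that is not part of the original documentation: it lists every PasswordAuthentication directive in the main file and the drop-in directory with its file and line, so a conflicting value is easy to find. The function names are hypothetical. sshd uses the first value it obtains for a keyword, so a drop-in that is included ahead of the main file's setting takes precedence.

```shell
#!/bin/sh
# Added example: locate every PasswordAuthentication directive that sshd may read.
# Function names are hypothetical. Paths default to the ones named in the steps above;
# pass other paths to run it against copies.

find_password_auth() {
    fpa_main="${1:-/etc/ssh/sshd_config}"
    fpa_dir="${2:-/etc/ssh/sshd_config.d}"
    # Main file first, then drop-ins in lexical order (how a *.conf glob expands).
    for fpa_file in "$fpa_main" "$fpa_dir"/*.conf; do
        [ -f "$fpa_file" ] || continue
        if [ ! -r "$fpa_file" ]; then
            echo "cannot read $fpa_file (run as root)" >&2
            continue
        fi
        # Keywords are case-insensitive and may use "keyword value" or "keyword=value".
        # Commented-out lines are skipped. Match blocks are not interpreted.
        awk -v file="$fpa_file" '
            /^[ \t]*#/ { next }
            {
                line = $0
                sub(/^[ \t]+/, "", line)
                split(line, a, /[ \t=]+/)
                if (tolower(a[1]) == "passwordauthentication")
                    printf "%s:%d:%s\n", file, FNR, tolower(a[2])
            }' "$fpa_file"
    done
}

# Succeeds only when at least one directive exists and none of them is "no".
password_auth_consistent() {
    pac_hits="$(find_password_auth "$@")"
    [ -n "$pac_hits" ] || return 1
    ! printf '%s\n' "$pac_hits" | grep -q ':no$'
}
```

On a live server, sudo sshd -T prints the effective configuration, including the PasswordAuthentication value that sshd actually applies.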
You can check the enrollment by running the sft list-servers command on the client. This command outputs a list of all enrolled servers. If the server was successfully enrolled, it appears on the list. If you enroll the same server twice, the sft list-servers command displays two instances of that server with different UUIDs and IP addresses. Use sft rdp <id> with the ID of the instance that you want to connect to.
Next steps
Optional. Verify server enrollment
