Windows Internals

Before you begin

After you install the server agent and enroll the server, the server agent creates local server accounts for all Okta Privileged Access users that are part of the related project. On Windows, these accounts are disabled unless a connection is active.

On Windows, a related access broker process is responsible for proxying Remote Desktop Protocol (RDP) connections. Using port 4421, this process is required to allow successful RDP connections to the server. For more information, see Configure the Okta Privileged Access server agent.

Server Configuration

On Windows, the Okta Privileged Access server agent runs under the LocalSystem account. You can control the Okta Privileged Access server agent by manually creating a configuration file. On Windows, this file must be manually created at C:\Windows\System32\config\systemprofile\AppData\Local\scaleft\sftd.yaml. For details, see Configure the server agent.

Server Connections

You can open an RDP connection with the rdp command (sft rdp <server-name> ).

When you connect with the Windows RDP client, the title bar may display the loopback IP address (for example,


Information related to the Okta Privileged Access server agent installation is stored within the AppData\Local\ folder.

  • State directory: C:\Windows\System32\config\systemprofile\AppData\Local\scaleft
  • Configuration file: C:\Windows\System32\config\systemprofile\AppData\Local\scaleft\sftd.yaml
    Note: You must manually create the configuration file.
  • Log directory: C:\Windows\System32\config\systemprofile\AppData\Local\scaleft\Logs
    Note: Log files are rotated after 5MB and only the 10 most recent log files are kept.
  • Enrollment token: C:\Windows\System32\config\systemprofile\AppData\Local\scaleft\enrollment.token

Related topics

Server Enrollment

Configure the Okta Privileged Access server agent