Managing Ports for Password Operations
When you add Windows systems to the Privileged Access Service, the Add System wizard scans for available ports to determine the port to use for password-related operations. The management port is also used to change, update, or rotate the managed account password on the target system. Depending on the results of the scan, the protocol and port used to validate and manage password changes might be set to one of the following:
- Remote Procedure Call (RPC) protocol over TCP and port 135.
- Server Message Block (SMB) protocol and port 445.
- Windows Remote Management (WinRM) over HTTPS if port 5986 is open.
- Windows Remote Management (WinRM) over HTTP if port 5985 is open.
If a suitable protocol and port cannot be found or the user account to be used for password management and validation does not have the appropriate permissions, the management mode for the system is automatically set to Disabled/Not Detected. Depending on the protocol you want to use for password management and validation, you might need to unblock a port or set up a proxy user and password with administrative privileges to run PowerShell commands, then retry automatic detection.
You can use System Settings after adding a system to manually set a management protocol and port or to select Auto-Detect to try to detect an appropriate port again if the first attempt failed.
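The following PowerShell function is an added example, not part of the product documentation, that checks from the connecting host which of the four candidate ports listed above (135, 445, 5986, 5985) actually accept a TCP connection on a target. It is a quick way to tell whether a Disabled/Not Detected result is a port-blocking problem or a permissions problem with the account used for password management. The target name target.example.com and the timeout value are assumptions; an open port only shows reachability, it does not prove the account has the rights the service needs.

```powershell
# Added example (not from the product documentation): probe the candidate
# management ports the Add System wizard scans for, from the host that will
# reach the target system.
function Test-PasswordManagementPorts {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # assumption: target DNS name or IP
        [int] $TimeoutMs = 3000                          # assumption: per-port connect timeout
    )
    # Candidate protocols and ports as listed in the documentation above.
    $candidates = @(
        @{ Protocol = 'RPC over TCP';     Port = 135  },
        @{ Protocol = 'SMB';              Port = 445  },
        @{ Protocol = 'WinRM over HTTPS'; Port = 5986 },
        @{ Protocol = 'WinRM over HTTP';  Port = 5985 }
    )
    foreach ($c in $candidates) {
        # A raw TcpClient lets us apply a short timeout per port instead of
        # waiting for the operating system's default connect timeout.
        $open = $false
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($ComputerName, $c.Port, $null, $null)
            $open  = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        } catch {
            # Name resolution or socket errors count as "not open".
            $open = $false
        } finally {
            $client.Close()
        }
        [pscustomobject]@{
            ComputerName = $ComputerName
            Protocol     = $c.Protocol
            Port         = $c.Port
            Open         = $open
        }
    }
}

# Usage: list which candidate ports answer. If none does, expect the management
# mode to show Disabled/Not Detected until a port is unblocked or a protocol and
# port are set manually in System Settings.
$results = Test-PasswordManagementPorts -ComputerName 'target.example.com'
$results | Format-Table -AutoSize
if (-not ($results | Where-Object Open)) {
    Write-Warning 'No candidate management port is reachable; check firewall rules on the target or set the port manually in System Settings.'
}
```

Run this from the same network position as the component that performs the scan, since a firewall between that host and the target is what the scan sees. A reachable WinRM port still requires the WinRM listener to be configured for that transport, so a port that is open but unresponsive to the service is worth checking on the target itself.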
If managing passwords using Remote Procedure Call (RPC) protocol over TCP and port 135, you must enable the default Netlogon Service Authz (RPC) firewall rule on the Windows system or create a firewall rule that opens the port range 49152-65535 (TCP Dynamic) for inbound RPC endpoint connections.
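As an added example, not taken from the product documentation, the PowerShell below applies the RPC requirement above on the Windows target: it enables the built-in Netlogon Service Authz (RPC) rule when that rule exists, and otherwise creates an inbound rule for the 49152-65535 TCP dynamic range. The custom rule's display name, the Domain profile scope, and the connector address 10.0.0.10 used to restrict the rule's remote address are assumptions; restricting the remote address is a least-privilege choice so that the dynamic RPC range is not opened to every host on the network.

```powershell
# Added example (not from the product documentation): run on the Windows target
# in an elevated PowerShell session. The rule name and port range come from the
# documentation above; everything else is an assumption for illustration.
$NetlogonRule   = 'Netlogon Service Authz (RPC)'
$CustomRuleName = 'PAS RPC dynamic endpoints (TCP 49152-65535)'   # assumed name

function Enable-RpcPasswordManagementRules {
    param(
        # Assumption: address of the host that performs password operations.
        # Limiting the rule to it keeps the dynamic range closed to other hosts.
        [string] $ConnectorAddress = '10.0.0.10'
    )

    # Option 1: the default rule shipped with Windows, if present on this system.
    $rule = Get-NetFirewallRule -DisplayName $NetlogonRule -ErrorAction SilentlyContinue
    if ($rule) {
        if ($rule.Enabled -eq 'False') {
            Enable-NetFirewallRule -DisplayName $NetlogonRule
        }
        return Get-NetFirewallRule -DisplayName $NetlogonRule
    }

    # Option 2: an explicit inbound rule for the RPC dynamic endpoint range,
    # scoped to the Domain profile and to the connector's address only.
    $existing = Get-NetFirewallRule -DisplayName $CustomRuleName -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetFirewallRule -DisplayName $CustomRuleName `
            -Direction Inbound -Protocol TCP -LocalPort 49152-65535 `
            -RemoteAddress $ConnectorAddress -Profile Domain `
            -Action Allow | Out-Null
    }
    return Get-NetFirewallRule -DisplayName $CustomRuleName
}

# Usage: apply the rule, then show its state so the change can be verified
# before retrying Auto-Detect in System Settings.
Enable-RpcPasswordManagementRules -ConnectorAddress '10.0.0.10' |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
```

Port 135 itself (the RPC endpoint mapper) must also be reachable for this mode to work, so keep the port check from the connecting side alongside this rule change when troubleshooting a Disabled/Not Detected result.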
For more information about port assignments and flow for password operations, see "Communication for password-related activity."