Configure Active Directory integration

This topic describes how to configure Remote Access integration with your company's Active Directory.

Set Active Directory integration settings

In the Remote Access portal, click Settings > User management sources, and select Active Directory.

Set the following (each setting is listed with its description):
Active Directory integration

Whether or not to integrate Remote Access with your organization's Active Directory. Activate this option, then set the details described below.

Domain context (required)

The name of the domain, using the AD naming convention. For example, DC=example,DC=com.

Domain controllers (required)

A list of domain controllers, separated by commas.

  • Specify the FQDN or IP address. For example, <domain name>.example.com
  • Each entry must be resolvable by the Remote Access connector machine
  • Each entry must be listening for LDAP (or LDAPS, if enabled) connections on the defined port

Use LDAPS

Activate secure communication to your Active Directory.

  • Click Upload certificate and select the LDAPS certificate, which must be:
    • Base-64 encoded X.509 (.cer or .pem extension).
    • The signing certificate of the domain certificate authority (Root CA).

Active Directory port

The port used to connect to your organization's Active Directory.

  • Select Default to use the default port (389 for LDAP, 636 for LDAPS) or specify a custom port.

NetBIOS domain name

The default NetBIOS domain name. For example, if the user is "acme\admin", then "acme" is the NetBIOS name.
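The settings above impose several conditions that are easy to get wrong when typed into the portal: the domain context must use the DC= naming convention, every domain controller must be an FQDN or IP address that the connector machine can resolve and reach on the LDAP or LDAPS port, and the uploaded LDAPS certificate must be a Base-64 X.509 root CA that actually validates the domain controllers' certificates. The following script is an added example (not CyberArk's code) that an administrator could run on the connector machine before saving the settings; the sample values in the main block (example.com, dc01.example.com, 10.0.0.5, the placeholder PEM path) are constructed for illustration and are not taken from this page.

```python
"""Pre-flight checks for the Active Directory integration settings.

Added example, not CyberArk's code. Uses only the Python 3.8+ standard library.
Run it on the Remote Access connector machine, since that is the host that
must resolve and reach the domain controllers.
"""
import ipaddress
import re
import socket
import ssl
from typing import List, Optional

# Hostname label: 1-63 chars of letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def domain_to_context(dns_domain: str) -> str:
    """Convert a DNS domain such as 'example.com' to the AD naming convention 'DC=example,DC=com'."""
    labels = [lbl for lbl in dns_domain.strip().strip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty domain")
    return ",".join(f"DC={lbl}" for lbl in labels)


def is_fqdn_or_ip(entry: str) -> bool:
    """True if the entry is an IPv4/IPv6 address or a multi-label hostname (FQDN)."""
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        labels = entry.rstrip(".").split(".")
        return len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels)


def parse_domain_controllers(value: str) -> List[str]:
    """Split the comma-separated list; reject entries that are neither an FQDN nor an IP address."""
    hosts = [h.strip() for h in value.split(",") if h.strip()]
    bad = [h for h in hosts if not is_fqdn_or_ip(h)]
    if bad:
        raise ValueError(f"not an FQDN or IP address: {bad}")
    return hosts


def effective_port(use_ldaps: bool, custom_port: Optional[int] = None) -> int:
    """'Default' means 389 for LDAP and 636 for LDAPS; a custom port overrides both."""
    if custom_port is not None:
        if not 1 <= custom_port <= 65535:
            raise ValueError("port out of range")
        return custom_port
    return 636 if use_ldaps else 389


def netbios_from_logon(logon: str) -> str:
    """Extract the NetBIOS domain from a DOMAIN\\user logon name, e.g. 'acme\\admin' -> 'acme'."""
    if "\\" not in logon:
        raise ValueError("expected DOMAIN\\user")
    return logon.split("\\", 1)[0]


def load_root_ca(pem_text: str) -> ssl.SSLContext:
    """Build a TLS client context that trusts only the uploaded Base-64 X.509 root CA.

    PROTOCOL_TLS_CLIENT enables hostname checking and CERT_REQUIRED without
    loading the system trust store, so the check proves the uploaded CA alone
    is sufficient to validate the domain controllers' certificates.
    """
    if "-----BEGIN CERTIFICATE-----" not in pem_text:
        raise ValueError("certificate must be Base-64 encoded X.509 (.cer/.pem), not DER")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=pem_text)  # raises ssl.SSLError on malformed PEM
    return ctx


def check_controller(host: str, port: int, use_ldaps: bool,
                     ctx: Optional[ssl.SSLContext] = None, timeout: float = 5.0) -> str:
    """Resolve the host, open a TCP connection to the LDAP(S) port and, for LDAPS,
    complete a TLS handshake verified against the uploaded root CA."""
    try:
        addr = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)[0][4]
    except socket.gaierror as exc:
        return f"{host}: not resolvable from this machine ({exc})"
    try:
        with socket.create_connection(addr[:2], timeout=timeout) as sock:
            if not use_ldaps:
                return f"{host}:{port} TCP connect OK (LDAP)"
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return f"{host}:{port} TLS OK ({tls.version()}), chain verified against uploaded root CA"
    except ssl.SSLCertVerificationError as exc:
        return f"{host}:{port} certificate chain rejected: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        return f"{host}:{port} unreachable or TLS handshake failed ({exc})"


if __name__ == "__main__":
    # Constructed sample settings; replace with the values you intend to enter in the portal.
    use_ldaps = True
    port = effective_port(use_ldaps)                       # 636
    print("Domain context:", domain_to_context("example.com"))
    print("NetBIOS name:  ", netbios_from_logon("acme\\admin"))
    ctx = None
    if use_ldaps:
        with open("root-ca.pem", encoding="ascii") as f:   # placeholder path to the uploaded Root CA
            ctx = load_root_ca(f.read())
    for dc in parse_domain_controllers("dc01.example.com, 10.0.0.5"):
        print(check_controller(dc, port, use_ldaps, ctx))
```

A controller that reports "certificate chain rejected" is reachable but is presenting a certificate that the uploaded Root CA does not sign; in that case the wrong CA file was selected, or the domain controller's LDAPS certificate was issued by an intermediate CA whose chain is not being served. A "not resolvable" result means the connector machine's DNS, not the portal setting, needs attention.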

Set user validation settings

Set the following (each setting is listed with its description):
AD credentials validation interval

How frequently users' AD credentials and user status are validated.

Options:

  • Never
  • After 12/24/48/72 hours
  • Every logon

Default value: 24 hours


If you select 'Every logon', users may experience a delay each time they open the CyberArk Mobile app as their AD credentials are validated before they are allowed to proceed.

Remote Access is designed around secure biometric authentication, as opposed to password-based authentication. Remote Access validates AD users to confirm company membership during on-boarding, and the AD credentials don't need to be validated each time the user logs on.

Companies may want to use this setting for testing purposes, but it is not necessary for ongoing implementations.

Automatically remove user with invalid AD credentials

The number of days after a failed AD credential validation before the user is removed from the tenant.

Options:

  • Never
  • After 30 days
  • After 60 days
  • After 90 days

Default value: Never