Configure browsers for silent authentication
Silent authentication applies to Integrated Windows Authentication (IWA) and certain RADIUS authentication methods.
Silent authentication works without further configuration on Windows computers if the connector hostname is available in your DNS.
Google Chrome on macOS requires you to add an authentication server to an allowlist to successfully authenticate your users.
- Log in to your Mac device as an Active Directory user.
- Quit any instances of Chrome, then open the Terminal.
- Run the following command in a Terminal session, where <connector hostname> is the hostname set in Settings > Network > CyberArk Identity Connectors.
  defaults write com.google.Chrome AuthServerWhitelist <connector hostname>
  If you have more than one connector configured, use a comma to separate the hostnames.
If the changes in the previous procedure do not take effect immediately, quit Google Chrome, then use the Activity Monitor to force any remaining Google Chrome related process to quit.
To configure Edge for IWA, add your fully qualified tenant URL to the local intranet security zone.
- Open the Windows Settings and search for Internet Options.
- Click Local intranet > Sites.
- Click Advanced.
- Enter the tenant-specific URL into the Websites text box.
- Click Close.
To enable silent authentication for users logging in to CyberArk Identity user portal or the Identity Administration portal, you must import the tenant root CA to the browser and do one of the following in the users’ browser:
- If you did not change the connector host name to a fully qualified domain name (by default it is not), set the network.negotiate-auth.allow-non-fqdn Preference Name to true. By default, the host name used by CyberArk Identity uses the format of http://hostname, where hostname is the host name of the connector.
- If you did change the connector host name to a fully qualified domain name, you need to add the fully qualified domain names for the connector host computers to the network.negotiate-auth.trusted-uris Preference Name. Remember to add the fully qualified domain name every time you add a new connector host.
network.negotiate-auth.allow-non-fqdn:
- Open Firefox.
- Type about:config as the target URL.
- Type neg in the Filter field.
- Select network.negotiate-auth.allow-non-fqdn. If it is set to false, right-click and select Toggle. If it is already set to true, do not change it.
- Close the about:config tab and close Firefox.
network.negotiate-auth.trusted-uris:
- Open Firefox.
- Type about:config as the target URL.
- Type neg in the Filter field.
- Select and right-click network.negotiate-auth.trusted-uris and select Modify. Enter a comma-separated list of the fully qualified domain name for each connector as string values, then click OK.
  For example, if you have two connectors, hosta.mycompany.com and hostb.mycompany.com, you click Modify, enter the following and click OK.
  hosta.mycompany.com,hostb.mycompany.com
  The less-secure alternative would be to enter just the domain name, which makes every host in that domain trusted for Negotiate authentication rather than only the connectors. For example, you would click Modify, enter the following and click OK.
  mycompany.com
- Restart Firefox.
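The following is an added example, not part of the CyberArk documentation: a shell function that compares the value configured in network.negotiate-auth.trusted-uris (or Chrome's AuthServerWhitelist) with the connector FQDNs you expect, flagging domain-only entries such as mycompany.com and connectors that were never added. The function name and the finding labels are assumptions made for illustration; the hostnames are the sample names used above.

```shell
#!/bin/sh
# Added example (not CyberArk code). Audits a browser Negotiate allowlist value.
# audit_allowlist CONFIGURED EXPECTED
#   CONFIGURED  comma-separated value currently set in the browser
#   EXPECTED    comma-separated FQDNs of the connectors you actually run
# Findings, one per line:
#   BROAD       entry is a parent domain (or *.domain) of a connector
#   UNEXPECTED  entry matches no expected connector at all
#   MISSING     expected connector is not listed
#   OK          both lists match exactly
audit_allowlist() (
    set -f   # no filename expansion on entries such as *.mycompany.com
    normalize() {
        printf '%s' "$1" | tr -d ' ' | tr '[:upper:]' '[:lower:]' | tr ',' '\n'
    }
    configured=$(normalize "$1")
    expected=$(normalize "$2")
    clean=yes
    for entry in $configured; do
        base=${entry#\*.}          # treat *.domain like the bare domain
        status=UNEXPECTED
        for host in $expected; do
            case "$host" in
                "$entry")  status=EXACT; break ;;
                *".$base") status=BROAD ;;
            esac
        done
        if [ "$status" != EXACT ]; then echo "$status $entry"; clean=no; fi
    done
    for host in $expected; do
        found=no
        for entry in $configured; do
            if [ "$entry" = "$host" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then echo "MISSING $host"; clean=no; fi
    done
    if [ "$clean" = yes ]; then echo OK; fi
)

# Constructed sample: the domain-only entry audited against two connectors.
audit_allowlist "mycompany.com" "hosta.mycompany.com,hostb.mycompany.com"
```

On macOS the configured Chrome value can be read with `defaults read com.google.Chrome AuthServerWhitelist`; for Firefox, copy the value shown in about:config.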
Silent authentication works without further configuration.