Configure browsers for silent authentication

Silent authentication applies to Integrated Windows Authentication (IWA) and certain RADIUS authentication methods.

Silent authentication works without further configuration on Windows computers if the connector hostname is available in your DNS.

Google Chrome on macOS requires you to add an authentication server to an allowlist to successfully authenticate your users.

To configure Chrome on a Mac for silent authentication and single sign-on:
  1. Log in to your Mac device as an Active Directory user.

  2. Quit any instances of Chrome, then open the Terminal.

  3. Run the following command in a Terminal session, where <connector hostname> is the hostname set in Settings > Network > CyberArk Identity Connectors.

    defaults write com.google.Chrome AuthServerWhitelist <connector hostname> 
    If you have more than one connector configured, use a comma to separate the hostnames.

    If the changes in the previous procedure do not take effect immediately, quit Google Chrome, then use the Activity Monitor to force any remaining Google Chrome related process to quit.

To configure Edge for IWA, add your fully qualified tenant URL to the local intranet security zone.

  1. Open the Windows Settings and search Internet Options.

    The following window opens.

  2. Click Local intranet > Sites.
  3. Click Advanced.

  4. Enter the tenant specific URL into the Websites text box.

  5. Click Close.

To enable silent authentication for users logging in to CyberArk Identity user portal or the Identity Administration portal, you must import the tenant root CA to the browser and do one of the following in the users’ browser:

  • If you did not change the connector host name to a fully qualified domain name (by default it is not), set the network.negotiate-auth.allow-non-fqdn Preference Name to true.

    By default, the host name used by CyberArk Identity uses the format of
    http://hostname, where hostname is the host name of the connector.
  • If you did change the connector host name to a fully qualified domain name, you need to add the fully qualified domain names for the connector host computers to the network.negotiate-auth.trusted-uris Preference Name.

    Remember to add the fully qualified domain name every time you add a new connector host.
To configure silent authentication in Firefox using network.negotiate-auth.allows-non-fqdn:
  1. Open Firefox.
  2. Type about:config as the target URL.
  3. Type neg in the Filter field.
  4. Select network.negotiate-auth.allow-non-fqdn. If it is set to false, right-click and select Toggle. If it is already set to true, do not change it.
  5. Close the about:config tab and close Firefox.
To configure silent authentication in Firefox using network.negotiate-auth.trusted-uris:
  1. Open Firefox.
  2. Type about:config as the target URL.
  3. Type neg in the Filter field.
  4. Select and right click network.negotiate-auth.trusted-uris and select Modify. Enter a comma-separated list of the fully qualified domain name for each connector as string values, then click OK.

    For example, if you have two connectors—hosta.mycompany.com and hostb.mycompany.com—you click Modify, enter the following and click OK.

    hosta.mycompany.com,hostb.mycompany.com

    The less-secure alternative would be to enter just the domain name. For example, you would click Modify, enter the following and click OK.

    mycompany.com
  5. Restart Firefox.

Silent authentication works without further configuration.

Silent authentication works as installed with Windows Firewall. If you are using a different firewall system, be sure to allow traffic on the port specified in CyberArk Identity Connectors in Settings in the Identity Administration portal. By default, this port is 80.