Authenticate users in multiple domains

You install the connector on a Windows server that is joined to an Active Directory domain; the connector then authenticates CyberArk Identity users who have an account in that domain. If you want CyberArk Identity to authenticate users in other domains as well, there are two connector installation models. Which one you use depends on whether those domains trust each other (domains in one forest, or forests joined by a two-way forest trust) or are independent domain trees or forests with no such trust between them.

If all of your CyberArk Identity users have their accounts in a single domain, you can skip this topic.

Configure authentication for trusted domains

You use this model when the users' Active Directory accounts are in domains that have a two-way, transitive trust relationship with the domain to which the connector host is joined.

In this model, you have a single connector for the entire domain tree or forest. CyberArk Identity sends all authentication requests through this connector. When the user account is in another domain, the authentication request is handled according to the tree-root, parent-child, forest, and shortcut trust relationships between that domain and the connector host's domain.

If you are using Active Directory for device and policy management, all object management communications are done through the same connector as well.

By default, two-way transitive trusts are created automatically when a new domain is added to a domain tree or to a forest root domain with the Active Directory Installation Wizard. These two default trust types are parent-child trusts and tree-root trusts. When you create a trust to another forest yourself, be sure to select Forest trust rather than External trust: a forest trust is transitive between the two forest root domains, whereas an external trust is non-transitive and the connector will not see the other forest through it. See How Domain and Forest Trusts Work in Microsoft TechNet for more about trust relationships.

Important: For tenants created after the CyberArk Identity 17.1 release, the connector by default does not perform cross-forest user lookup from the local forest. To enable this functionality, contact CyberArk Support.

After you install the first connector, install one or more additional connectors on separate host computers. Each host computer must be joined to the same Active Directory domain as the first connector's host. See Install the CyberArk Identity Connector for the details.

CyberArk Identity automatically creates a login suffix for the domain to which the host computer is joined plus all of the domains that the connector can see. Which domains can be seen depends upon two criteria:

  • The trust relationship between the domains. Only domains joined to the connector host's domain by a two-way, transitive trust meet this criterion.

  • The connector's user account permissions. By default the connector runs as the Local System account on the Windows host (see Permissions required for alternate accounts and organizational units for more information). The permissions granted to this account determine which domains it can read.

When the Identity Administration portal searches Active Directory for users and groups (for example, when you are adding a user or group to a role), it only searches the Active Directory Users container in the domains that the connector can see.
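The two visibility criteria above can be checked from the connector host before you rely on them. The following script is an added example, not CyberArk's own code: it lists every domain the host can reach through a two-way transitive trust (its own forest, plus forest trusts whose direction is two-way) and flags external trusts, which are never transitive, as not visible. It uses only the .NET System.DirectoryServices.ActiveDirectory classes, so it needs no RSAT. The function name is this example's own. To reproduce the connector's default Local System context, run it as SYSTEM, for instance with Sysinternals PsExec and its -s switch.

```powershell
# Added example, not CyberArk code: list the domains a connector host can see
# through two-way transitive trusts and flag the trusts that do not qualify.
# Uses only .NET System.DirectoryServices.ActiveDirectory, so it runs on any
# domain-joined Windows host without RSAT. Run it on the connector host, and,
# to match the connector's default Local System context, run it as SYSTEM
# (for example via Sysinternals PsExec with -s).
Add-Type -AssemblyName System.DirectoryServices

function Get-ConnectorVisibleDomains {
    $forest     = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $hostDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    $rows       = New-Object 'System.Collections.Generic.List[object]'

    # Every domain in the host's own forest is reachable: parent-child and
    # tree-root trusts are created two-way and transitive by default.
    foreach ($d in $forest.Domains) {
        $reason = 'same forest (parent-child / tree-root trust)'
        if ($d.Name -eq $hostDomain.Name) { $reason = 'connector host domain' }
        $rows.Add([pscustomobject]@{ Domain = $d.Name; Visible = $true; Reason = $reason })
    }

    # Forest trusts are transitive between the two forest roots, but only a
    # two-way (Bidirectional) one lets the connector see the other forest.
    foreach ($t in $forest.GetAllTrustRelationships()) {
        $rows.Add([pscustomobject]@{
            Domain  = $t.TargetName
            Visible = ($t.TrustDirection -eq 'Bidirectional')
            Reason  = "forest trust, direction $($t.TrustDirection)"
        })
    }

    # External trusts between individual domains are never transitive, so the
    # connector will not see those domains regardless of direction.
    foreach ($d in $forest.Domains) {
        try {
            foreach ($t in $d.GetAllTrustRelationships()) {
                if ($t.TrustType -eq 'External') {
                    $rows.Add([pscustomobject]@{
                        Domain  = $t.TargetName
                        Visible = $false
                        Reason  = "external trust from $($t.SourceName), non-transitive ($($t.TrustDirection))"
                    })
                }
            }
        } catch {
            Write-Warning "Could not read trusts of $($d.Name): $($_.Exception.Message)"
        }
    }
    return $rows
}

Get-ConnectorVisibleDomains | Sort-Object Visible -Descending | Format-Table -AutoSize
```

Reading each domain's trust list requires an LDAP connection to a domain controller of that domain, which is also what the connector needs; a warning from the script for a domain is therefore itself a sign that the connector running on this host will not see it. If the connector runs under an alternate account rather than Local System, run the script as that account instead, since the second criterion (the account's permissions) is what is being tested.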

Configure authentication for independent domains in multiple forests

You use this model when the users' Active Directory accounts are in independent domain trees or forests; that is, the domains do not have a two-way, transitive trust relationship with each other.

In this model, you have a separate connector for each independent domain tree or forest. CyberArk Identity picks which connector to use for an authentication request based on the login-suffix-to-domain mapping it creates and maintains. When the user account is in a domain other than the connector host's domain but within the same forest or domain tree, the authentication request is handled according to the tree-root, parent-child, forest, and shortcut trust relationships within that forest or domain tree.

After you install the first connector for each independent domain tree or forest, install one or more additional connectors on separate host computers for each one. Each host computer must be joined to the same Active Directory domain as the initial connector's host for that tree or forest. See Install the CyberArk Identity Connector for the details.

CyberArk Identity automatically creates a login suffix for the domain to which each host computer is joined plus all of the domains that the connectors of that independent tree or forest can see.
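Because the login suffix is what selects the connector in this model, the suffixes contributed by the independent forests must not overlap; a suffix that two forests both expose leaves the mapping ambiguous. The script below is an added example, not CyberArk's own code, for checking this before the second forest's connector is installed. Get-ForestLoginSuffixes is run on a connector host in each forest and collects the forest's domain DNS names; it also collects the forest's alternate UPN suffixes, which goes beyond what this page states (the page says login suffixes are created from domain names), on the assumption that users may sign in with them. Find-SuffixCollisions then compares the per-forest results. The function names and the sample data at the end are constructed for this example.

```powershell
# Added example, not CyberArk code: gather the suffixes each independent
# forest would contribute and report any suffix claimed by more than one
# forest, since the login suffix is the key that routes a request to a connector.
function Get-ForestLoginSuffixes {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    # Domain DNS names: this is what the page says login suffixes are built from.
    $suffixes = @($forest.Domains | ForEach-Object { $_.Name })
    # Alternate UPN suffixes (assumption: users may sign in with these too).
    # They live on the Partitions container of the Configuration naming context.
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $partitions = [ADSI]"LDAP://CN=Partitions,$($rootDse.configurationNamingContext)"
    $suffixes  += @($partitions.uPNSuffixes | Where-Object { $_ })
    [pscustomobject]@{
        Forest   = $forest.Name
        Suffixes = @($suffixes | Sort-Object -Unique)
    }
}

function Find-SuffixCollisions {
    param([Parameter(Mandatory)] [object[]] $Forests)
    # Map each suffix (case-insensitively) to the forests that expose it.
    $owners = @{}
    foreach ($f in $Forests) {
        foreach ($s in $f.Suffixes) {
            $key = $s.ToLowerInvariant()
            if (-not $owners.ContainsKey($key)) {
                $owners[$key] = New-Object 'System.Collections.Generic.List[string]'
            }
            $owners[$key].Add($f.Forest)
        }
    }
    foreach ($k in $owners.Keys) {
        if ($owners[$k].Count -gt 1) {
            [pscustomobject]@{ Suffix = $k; Forests = ($owners[$k] -join ', ') }
        }
    }
}

# Constructed sample: the kind of objects Get-ForestLoginSuffixes returns when
# run once in each of two independent forests (names are invented).
$sample = @(
    [pscustomobject]@{ Forest = 'corp.example';  Suffixes = 'corp.example', 'emea.corp.example', 'example.com' },
    [pscustomobject]@{ Forest = 'acquired.test'; Suffixes = 'acquired.test', 'example.com' }
)
Find-SuffixCollisions -Forests $sample | Format-Table -AutoSize
```

In practice you run Get-ForestLoginSuffixes on one connector host per forest, export each result (for example with Export-Clixml), and pass the imported objects to Find-SuffixCollisions in place of the constructed sample. Any suffix the check reports has to be resolved in Active Directory before both connectors are registered, because the page gives no way to tell CyberArk Identity which forest a shared suffix belongs to.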

When the Identity Administration portal searches Active Directory for users and groups (for example, when you are adding a user or group to a role), it only searches the Active Directory Users container in the domains that the connectors can see. Which domains can be seen depends upon two criteria:

  • The trust relationship between the domains. Only domains joined to a connector host's domain by a two-way, transitive trust meet this criterion. When you create a trust to another forest, select Forest trust; this establishes a transitive trust between one forest root domain and another forest root domain. See How Domain and Forest Trusts Work in Microsoft TechNet for more about trust relationships.

  • The connector's user account permissions. By default the connector runs as the Local System account on the Windows host. The permissions granted to this account determine which domains it can read. See Permissions required for alternate accounts and organizational units for more information.

If you are using this model, use the CyberArk Cloud Directory policy service to set mobile device policies (see Select the policy service for device management) and CyberArk Identity roles to enable users to enroll devices.