Add Active Directory as a directory service

This topic describes how to add Active Directory as a directory service in CyberArk Identity by installing the CyberArk Identity Connector.

AD users do not display on the Users page of the Identity Administration portal until the users sign in.

This topic describes how to install the CyberArk Identity Connector to integrate your Active Directory/LDAP service with CyberArk Identity. The CyberArk Identity Connector adds AD as a directory service by enabling secure communication between CyberArk Identity and your AD domain.

The CyberArk Identity Connector is installed on your network inside the firewall, runs on domain-joined Windows server, and monitors AD for changes to users and groups. AD changes are synced to CyberArk Identity every 10 minutes by default.

You can install additional connectors for load balancing and failover. You might also want to install more than one connector if you use multiple CyberArk Identity tenants. In most cases, you should install two connectors in a production environment. CyberArk Identity determines which connector to use by monitoring connector health and making a random selection with a bias toward healthy connectors.

CyberArk Identity Connector load balancing guidelines

To ensure the CyberArk Identity Connector is installed properly, you must adhere to the following guidelines.

This section describes connector installation guidelines by use case.

Guidelines for all use cases

Guidelines for all use cases

Consider

Guidelines

Host machine

  • Install this connector on a connector host machine that is either domain-joined, or able to resolve FQDNs in the network.

  • Industry best practice recommends that you do not install the connector on the same server as the domain controller. Domain controllers are single-purpose systems.

Load balancing and failover

We recommend installing at least two connectors to ensure high availability. The CyberArk Identity tenant detects if a connector becomes unavailable and automatically switches to an available connector. There is no need to build a server cluster architecture. The CyberArk Identity tenant automatically chooses the connector that has the lowest latency.

Each connector that you install is listed in the Identity Administration portal in Settings > Network > CyberArk Identity Connector.

Automatic updates

CyberArk recommends enable automatic updates to keep up-to-date with the current version of the connector; however, we understand that in some environments it might not be possible to update software that has gone into production environments. Therefore, connector installations are supported up to the last two previous versions.

Guidelines for Active Directory (AD) integration

Consider the following guidelines if you are installing the connector to integrate with an AD environment.

  • Install the connector on at least two domain-joined servers.

  • If you have multiple domain controller (DC) locations, then install at least two connectors per physical location.

Guidelines for RADIUS authentication

For increased capacity and high availability, a load balancer can be deployed in front of multiple RADIUS-enabled connectors.

Guidelines for LDAP integration

Install at least two connectors on the same subnet as the LDAP server.

Before you begin

You must meet the following hardware, software, and networking requirements to install the CyberArk Identity Connector. We recommend installing the connector on at least two servers for redundancy.

Server requirements

The following table describes requirements for connector installation. These requirements are applicable for all use cases. See Additional server requirements for Active Directory integration if you plan to integrate with Active Directory.

Minimum server requirements
Requirement Description

OS and system requirements

This computer must be in your internal network and meet or exceed the following requirements:

  • Windows Server 2012 or later

  • 8 GB of memory, of which 4 GB should be available for connector cache functions

  • 2 core CPU

  • Has Internet access so that it can access the CyberArk cloud services.

  • Has a GlobalSign Root CA - R3 certificate installed in the Local Machine Trusted Certificate root authorities store.

    Refer to https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates for more certificate detail.

  • Microsoft .NET version 4.5 or later; if it isn’t already installed, the installer installs it for you.

  • Be a server that is always running and accessible.

Industry best practice recommends that you do not install the connector on the same server as the domain controller. Domain controllers are single-purpose systems.

Permissions on the connector machine

To install the CyberArk Identity Connector, you need local administrator rights to install software on the CyberArk Identity Connector system.

Additional server requirements for Active Directory integration

The following table describes additional server requirements if you are using the connector to integrate with an AD environment. These requirements are in addition to Server requirements.

The CyberArk Identity Connector runs under the context of the AD computer object. To authenticate AD users, this is sufficient; however, additional AD permissions are required for other CyberArk features.

Additional requirements for AD integration

Requirement

Description

System requirements

  • Server must be AD joined

  • If you are referencing accounts in tree or forest, the server can be joined to any domain in the tree (it does not need to be the root).

  • The domain that the server is joined to must have two-way, transitive trust relationships with the other domains. For details, see Authenticate users in multiple domains.

Windows permissions for running the connector installer and connector configuration wizard

You must install the connector as a domain user with at least read permissions to the AD environment.

(Optional) To grant read access to the Deleted Objects container, you must install the connector as a domain user that can grant Read permissions to the computer object that the connector is installed on. If you are not logged in as a domain administrator, you can enter the credentials of a domain administrator to grant permission. Alternately, you can have a domain administrator grant the permission outside of the wizard by delegating permission to the connector computer object through the DSACLS command. See https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/non-administrators-view-deleted-object-container for more information.

Windows permissions required for the Self-service password reset and account unlock features

To allow Active Directory users to change their passwords through CyberArk Identity, you need to delegate appropriate permissions. Refer to Delegate permissions to reset passwords and unlock accounts.

Users can then update their AD password and attributes through the User Portal if they have Active Directory SELF permissions.

CyberArk Cloud Directory user and administrative rights requirements

The following table describes the minimum CyberArk Identity administrative rights required to register the CyberArk Identity Connector with your tenant.

Minimum requirements to register the connector
User

Administrative rights

 Reason

Installeruser user name and password

Install system connectors and components

To install the CyberArk Identity Security Platform Shared Services connectors. For security reasons, the installeruser password expires after 24 hours.

Network and firewall requirements

All connections to the internet made by CyberArk Identity (including the CyberArk Identity Connector and mobile management) are outbound in nature. No internet facing ingress ports are required. All outbound connections are made via TCP to either port 80 or 443 and should not have any restrictions.

To provide the redundancy and availability of an always available cloud service, the destination resource, IP address, and host for outbound connections varies. Additionally, the range of which also changes as new resources are provisioned or removed.

Use of deep packet inspection filtering of HTTPS or SSL traffic by web proxies or security software may cause connectivity issues with CyberArk Identity. In all cases, the ports and addresses discussed below should be excluded from packet inspection to allow for normal service operation.

You have the following options for allowing outbound traffic required for the CyberArk Identity Connector.

Option Description

Add the traffic source to an allow list

Given the variability of connection targets, the simplest allow list configuration is typically one where filters are based on the traffic source. Specifically, it relates to configurations where you allow all outbound traffic from the host machine and account running the CyberArk Identity Connector and for outbound requests made by iOS, Android, and Mac clients. This allow list may be scoped at the machine, or machine + account, or machine + account + process level depending on the feature set of the security appliance or process in place.

Add source ports to an allow list

You can also use an allow list configuration where all outbound traffic on ports 80 and 443 is allowed from the host machine and account running the CyberArk Identity Connector, as well as outbound requests made by iOS, Android, and Mac clients. This allow list may be scoped at the machine, or machine + account, or machine + account + process level depending on the feature set of the security appliance or process in place.

Add destinations to an allow list

If destination approval is required, you can add outbound ports or elastic IP addresses to an allow list.

Do not delete any CyberArk-related IP and Hostnames until you have successfully deployed the connector.
Port numbers Resource

443

*.idaptive.app is always required

*.id.cyberark.cloud is also required if your tenant was deployed after July 2022

80

privacy-policy.truste.com

80

ocsp.verisign.com

80

ocsp.globalsign.com

80

crl.globalsign.com

80

secure.globalsign.com

If adding an entire domain to an allow list is not acceptable per your organization's security policy, then you need to add the TCPRelay IPs allocated to your pod to an allow list. Contact CyberArk support for the IP addresses.

If your domain controller is on a private WAN, allow communication on the following ports (inbound to the domain controller) to facilitate communication between the domain controller and the connector host.

Port Protocol Purpose

389

TCP/UDP

LDAP

636

TCP

LDAP SSL

3268

TCP

LDAP GC

3269

TCP

LDAP GC SSL

88

TCP/UDP

Kerberos

The following diagram illustrates the default ports used by the CyberArk Identity Connector.

Install the CyberArk Identity Connector

Industry best practice recommends that you do not install the connector on the same server as the domain controller. Domain controllers are single-purpose systems.

You should configure one or more connectors to provide continuous up time for CyberArk Identity services. Each connector you add is listed in the Identity Administration portal in Settings > Network > CyberArk Identity Connector.

CyberArk Identity provides load balancing among all connectors with the same services installed. For example, when a request comes in, CyberArk Identity routes the request among the available connectors. If one connector becomes unavailable, the request is routed among the other available connectors providing automatic failover.

View the following video to learn how to install the CyberArk Identity Connector and then perform the steps described in the following procedure.

To install a connector on a host computer

  1. Log in to the host computer with an account that has sufficient permissions to install and run the connector.

  2. Sign in to the Identity Administration portal, then go to Settings > Network > CyberArk Identity Connectors > Add CyberArk Identity Connector and click 64-bit in the Download pane.

    The download begins.

  3. Extract the files, then double-click the installation program: CyberArk Installer.

    In the file name, rr.r indicates the release version and aa indicates the processor architecture (64-bit).

    Click Yes to continue if the User Account Control warning displays.

  4. Click through the installation wizard to install the CyberArk Identity Connector, then click Finish to launch the CyberArk Connector Configuration wizard.

  5. Type the installeruser user name and password for your CyberArk Identity account, then click Next.

  6. (Optional) If you are using a web proxy service, select the associated check box and specify the IP address, port, user name, and password to use.

    The web proxy server must support HTTP1.1 chunked encoding.

  7. (Optional) Assign connector permissions for user delete activities, then click Next.

    To synchronize deleted objects in AD with CyberArk Identity, you must select an account that has permission to grant the connector computer with Read permission to the Deleted Objects container. You can use an account that is a member of the Domain Admins group, or you can delegate read permissions to the connector computer for the deleted objects container, outside of the wizard through the DSACLS command.

    If you are deleting users in multiple domains, make sure that you are the domain administrator for all those domains.

    To specify an account with grant permission to the Deleted Objects container, you have the following options:

    Option Description

    Use current user credential

    Use the credentials for the account you are currently logged into to install the connector.

    Specify alternate user credential

    Use credentials for a different account. Consider this option if the account you are currently using does not have grant permission to the Deleted Objects container.

    If you do not grant the connector computer with read permission to the Deleted Objects container, then users deleted in Active Directory will remain on the Users page in the Identity Administration portal until you manually delete them. However, these deleted users will not have access to any CyberArk Identity functionality.

    After you click Next, the configuration wizard performs several tests to ensure connectivity.

  8. Click Next after the tests complete to register the connector with your tenant.

  9. Click Finish to complete the configuration. The connector configuration panel displays, showing the status of the connection and your customer ID.

    If you have pending Windows updates that require a restart, a prompt displays asking if you want to restart now or manually restart later. You can choose to restart later without any impact to connector functionality.

    After you have installed and configured at least one connector, the following changes appear in your tenant.

    • You can add AD objects to roles.

      AD users and groups are not visible in Core Services > Users until they sign in; however, you can still search for them to add them to roles.

    • You can review connector details in the Identity Administration portal at Settings > Network > CyberArk Identity Connectors.

      Refer to the following table for a description of the column headings associated with each connector:

      Column header Indicates

      CyberArk Identity Connector

      The name of the computer.

      Forest

      The domain name for the domain controller to which the connector is joined.

      Version

      The version of the connector software.

      You can configure the connector to update automatically—see Update the Identity Connector.

      Last ping

      The last time CyberArk Identity successfully pinged the connector.

      Hostname

      The DNS short name. You can also enter a fully qualified domain name to the IE local intranet zone.

      See Manage Integrated Windows Authentication (IWA) to change this name.

      Enabled Services

      Service

      Description

      AD Proxy

      Displays if the Active Directory proxy service is enabled on the connector. If enabled, it means you use the Active Directory proxy service to authenticate CyberArk Identity users who have Active Directory accounts.

      LDAP Proxy

      Displays if the LDAP proxy service is enabled on the connector. If enabled, it means you use the LDAP proxy service to authenticate CyberArk Identity users who have LDAP accounts.

      App Gateway

      Displays if App Gateway service is enabled on the connector. The App Gateway service provides remote access and single sign on to web applications provided by internal web servers.

      RADIUS Client

      Displays if the connector is enabled for use as a RADIUS client.

      RADIUS Server

      Displays if the connector is enabled for use as a RADIUS server for customers who support RADIUS authentication.

      Web Server (IWA) -- Displays if the connector is configured to accept an Integrated Windows authentication (IWA) connection as sufficient authentication for users with Active Directory accounts. IWA is not available to CyberArk Identity account users.

      Status

      Active indicates that CyberArk Identity can communicate with the connector.

      Inactive indicates that CyberArk Identity cannot communicate with the connector.

Install additional connectors

You use the same procedure to download the installation wizard to the host computer and then run the wizard to install and register additional connectors. After you install and register the connector, it is added to the CyberArk Identity Connector page.

For Active Directory integrations, the host computer must be joined to the same Active Directory domain controller as the first connector in the same trust domain or forest.