Deploy the CyberArk Identity Connector to add Active Directory users
This topic describes how to install the CyberArk Identity Connector to integrate your Active Directory/LDAP service with Identity Administration. The CyberArk Identity Connector adds AD as a directory service by enabling secure communication between Identity Administration and your AD domain.
The CyberArk Identity Connector is installed on your network inside the firewall, runs on a domain-joined Windows server, and monitors AD for changes to users and groups. AD changes are synced to Identity Administration every 10 minutes by default.
CyberArk Identity Connector load balancing guidelines
To ensure the CyberArk Identity Connector is installed properly, you must adhere to the following guidelines.
This section describes connector installation guidelines by use case.
Guidelines for all use cases
For CyberArk Identity Security Platform Shared Services with Privilege Cloud
We recommend installing the CyberArk Identity Connector on the same machine as the Privilege Cloud Connector.
Load balancing and failover
We recommend installing at least two connectors to ensure high availability. The Identity Administration tenant detects if a connector becomes unavailable and automatically switches to an available connector. There is no need to build a server cluster architecture. The Identity Administration tenant automatically chooses the connector that has the lowest latency.
Each connector that you install is listed in the Identity Administration Portal in Settings > Network > CyberArk Identity Connector.
CyberArk recommends enabling automatic updates so that you stay current with the latest version of the connector; however, we understand that in some environments it might not be possible to update software that has gone into production. Therefore, connector installations are supported up to the last two previous versions.
Guidelines for Active Directory (AD) integration
Consider the following guidelines if you are installing the connector to integrate with an AD environment.
Install the connector on at least two domain-joined servers.
If you have multiple domain controller (DC) locations, then install at least two connectors per physical location.
Guidelines for RADIUS authentication
For increased capacity and high availability, a load balancer can be deployed in front of multiple RADIUS-enabled connectors.
Guidelines for LDAP integration
Install at least two connectors on the same subnet as the LDAP server.
Before you begin
Ensure you have set up and verified the CyberArk Identity Connector hardware, software, and networking requirements and that you have the necessary user and administrative rights. See CyberArk Identity Connector requirements.
You should configure one or more connectors to provide continuous uptime for Identity Administration services. Each connector you add is listed in the Identity Administration Portal in Settings > Network > CyberArk Identity Connector.
Identity Administration provides load balancing among all connectors that have the same services installed. For example, when a request comes in, Identity Administration routes it to one of the available connectors. If one connector becomes unavailable, requests are routed among the other available connectors, providing automatic failover.
View the following video to learn how to install the CyberArk Identity Connector and then perform the steps described in the following procedure.
To install a connector on a host computer
Log in to the host computer with an account that has sufficient permissions to install and run the connector.
Sign in to the Identity Administration Portal, then go to Settings > Network > CyberArk Identity Connectors > Add CyberArk Identity Connector and click 64-bit in the Download pane.
The download begins.
Extract the files, then double-click the installation program: CyberArk Installer.
In the file name, rr.r indicates the release version and aa indicates the processor architecture (64-bit).
Click Yes to continue if the User Account Control warning displays.
Click through the installation wizard to install the CyberArk Identity Connector, then click Finish to launch the CyberArk Connector Configuration wizard.
Enter the user name and password for your Identity Administration account, then click Next.
(Optional) If you are using a web proxy service, select the associated check box and specify the IP address, port, user name, and password to use.
The web proxy server must support HTTP/1.1 chunked encoding.
(Optional) Assign connector permissions for user delete activities, then click Next.
To synchronize deleted objects in AD with Identity Administration, you must select an account that has permission to grant the connector computer Read permission on the Deleted Objects container. You can use an account that is a member of the Domain Admins group, or you can delegate Read permission on the Deleted Objects container to the connector computer outside of the wizard, using the DSACLS command. If you are deleting users in multiple domains, make sure that you are a domain administrator for all of those domains.
To specify an account that can grant permission on the Deleted Objects container, choose one of the following options:
Use current user credential
Use the credentials of the account you are currently logged in with to install the connector.
Specify alternate user credential
Use the credentials of a different account. Consider this option if the account you are currently using does not have permission to grant access to the Deleted Objects container.
If you do not grant the connector computer Read permission on the Deleted Objects container, users deleted in Active Directory remain on the Users page in the Identity Administration Portal until you delete them manually. However, these deleted users will not have access to any Identity Administration functionality.
After you click Next, the configuration wizard performs several tests to ensure connectivity.
Click Next after the tests complete to register the connector with your tenant.
Click Finish to complete the configuration. The connector configuration panel displays, showing the status of the connection and your customer ID. If you have pending Windows updates that require a restart, a prompt asks whether you want to restart now or manually restart later. You can choose to restart later without any impact on connector functionality.
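The Deleted Objects step above mentions delegating Read permission to the connector computer outside the wizard with DSACLS, which avoids running the wizard with a Domain Admins account. The following PowerShell script is an added example and not CyberArk's own code; it assumes a connector host named CONN01 (placeholder), the current domain, and a machine with RSAT (dsacls.exe and the ActiveDirectory module) where you have rights to take ownership of the container.

```powershell
# Added example (not CyberArk's code): delegate Read on the Deleted Objects
# container to the connector computer account (least privilege), then verify.
# Assumptions: connector host CONN01 (placeholder), current domain, RSAT present.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$deletedDN = "CN=Deleted Objects,$($domain.DistinguishedName)"
# Computer accounts end with a trailing "$"; single quotes keep it literal.
$connector = $domain.NetBIOSName + '\CONN01$'

# 1. By default only SYSTEM can modify this container's ACL, so take ownership first.
dsacls $deletedDN /takeownership | Out-Null

# 2. Grant List Contents (LC) and Read Property (RP): the "Read" the connector needs.
dsacls $deletedDN /G "${connector}:LCRP" | Out-Null

# 3. Verify the ACE was written by reading the ACL back.
$aclText = dsacls $deletedDN
if (-not ($aclText | Select-String -SimpleMatch $connector)) {
    throw "ACE for $connector not found on $deletedDN"
}

# 4. Sanity check that tombstoned objects are queryable (runs under your own
#    credentials, so it confirms the container itself, not the computer's access).
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties lastKnownParent |
    Select-Object Name, lastKnownParent | Format-Table -AutoSize
```

Repeat the script in every domain whose deleted users the connector should sync, since the Deleted Objects container and its ACL are per domain.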
After you have installed and configured at least one connector, the following changes appear in your tenant.
You can add AD objects to roles.
AD users and groups are not visible in Core Services > Users until they sign in; however, you can still search for them to add them to roles.
You can review connector details in the Identity Administration Portal at Settings > Network > CyberArk Identity Connectors.
Refer to the following table for a description of the details of each connector:
Connector details: each row describes what the corresponding column indicates.
The computer name of the server where the connector is installed.
The domain name for the domain controller to which the connector is joined.
The version of the connector software.
You can configure the connector to update automatically; see Update the Identity Connector.
The last time Identity Administration successfully pinged the connector.
The DNS short name. You can also add a fully qualified domain name to the IE local intranet zone.
See Manage Integrated Windows Authentication (IWA) to change this name.
Displays if the Active Directory proxy service is enabled on the connector. If enabled, it means you use the Active Directory proxy service to authenticate Identity Administration users who have Active Directory accounts.
Displays if the LDAP proxy service is enabled on the connector. If enabled, it means you use the LDAP proxy service to authenticate Identity Administration users who have LDAP accounts.
Displays if the App Gateway service is enabled on the connector. The App Gateway service provides remote access and single sign-on to web applications hosted on internal web servers.
Displays if the connector is enabled for use as a RADIUS client.
Displays if the connector is enabled for use as a RADIUS server for customers who support RADIUS authentication.
Web Server (IWA) -- Displays if the connector is configured to accept an Integrated Windows Authentication (IWA) connection as sufficient authentication for users with Active Directory accounts. IWA is not available to Identity Administration account users.
Active indicates that Identity Administration can communicate with the connector.
Inactive indicates that Identity Administration cannot communicate with the connector.
Install additional connectors
Use the same procedure to download the installation wizard to each additional host computer and then run the wizard to install and register the connector. After you install and register a connector, it is added to the CyberArk Identity Connector page.