Internet Explorer security zones
- Internet Explorer must have integrated Windows authentication enabled. For details, see Enable Integrated Windows Authentication.
- If you are using a fully qualified domain name (FQDN) URL, the connector must be in the local intranet Internet Explorer security zone or explicitly configured as part of the local intranet security zone.
For Internet Explorer, a server is recognized as part of the local intranet security zone in one of two ways:
When the user specifies a URL that is not a fully qualified DNS domain name. For example, if you access an application with a URL such as
http://acme/index.html, Internet Explorer interprets this as a site in the local intranet security zone.By default, the connector host name is not a fully qualified DNS domain name. CyberArk Identity uses the format of
hostnameis the host name of the connector.
- When the user specifies a URL with fully qualified name that has been explicitly configured as a local intranet site in Internet Explorer (see instructions below). For example, if you access an application with a URL such as
http://acme.mycompany.com/index.html, Internet Explorer interprets this as a site that is not part of the local intranet unless the site has been manually added to the local intranet security zone.
Depending on whether users log on to Web applications using a local intranet URL or a fully-qualified path in the URL, silent authentication may require modifying the local intranet security zone in Internet Explorer.
Use the following procedure to enable silent authentication on each computer.
- Open Internet Explorer and select Tools > Internet Options.
- Click the Advanced tab.
- Scroll down to the Security settings.
- Check the Enable Integrated Windows Authentication box.
- Restart Internet Explorer.
Add a web site to the local intranet security zone
By default, the CyberArk Identity Connector host name is not a fully qualified domain name. When this is the case, you do not need to add the URL—
https://hostname—to the local intranet, and users get silent authentication when they log in to the CyberArk Identity user portal or the Admin Portal.
However, if you change the connector host name to a fully qualified domain name, you need to add the connector host FQDN URL (
https://hostname.domain.com) in each user’s Internet Explorer Local Intranet before they can get silent authentication.
- Open Internet Explorer and select Tools > Internet Options
- Click the Security tab.
- Click the Local intranet icon.
- Click Sites.
- Click Advanced.
Type in the URL
https://hostname.domain.comin the text box and click Add. Then click Close.If there is a URL in the text box already, either delete it or click Add to save it.
- Click OK to accept the local intranet configuration settings, then click OK to close the Internet Options dialog box.