CyberArk Identity Connector requirements

Before you begin

You must meet the following hardware, software, and networking requirements to install the CyberArk Identity Connector. We recommend installing the connector on at least two servers for redundancy.

Server requirements

The following table describes requirements for connector installation. These requirements are applicable for all use cases. See Additional server requirements for Active Directory integration if you plan to integrate with Active Directory.

Minimum server requirements
Requirement Description

OS and system requirements

This computer must be in your internal network and meet or exceed the following requirements:

  • Windows Server 2016 or later

  • 8 GB of memory, of which 4 GB should be available for connector cache functions

  • 2 core CPU

  • Has Internet access so that it can access the CyberArk cloud services.

  • Has a GlobalSign Root CA - R3 certificate installed in the Local Machine Trusted Certificate root authorities store.

    Refer to for more certificate detail.

  • Microsoft .NET version 4.5 or later; if it isn’t already installed, the installer installs it for you.

  • Be a server that is always running and accessible.

Industry best practice recommends that you do not install the connector on the same server as the domain controller. Domain controllers are single-purpose systems.

Permissions on the connector machine

To install the CyberArk Identity Connector, you need local administrator rights to install software on the CyberArk Identity Connector system.

Additional server requirements for Active Directory integration

The following table describes additional server requirements if you are using the connector to integrate with an AD environment. These requirements are in addition to Server requirements.

The CyberArk Identity Connector runs under the context of the AD computer object. To authenticate AD users, this is sufficient; however, additional AD permissions are required for other CyberArk features.

Additional requirements for AD integration



System requirements

  • Server must be AD joined

  • If you are referencing accounts in tree or forest, the server can be joined to any domain in the tree (it does not need to be the root).

  • The domain that the server is joined to must have two-way, transitive trust relationships with the other domains. For details, see Authenticate users in multiple domains.

Windows permissions for running the connector installer and connector configuration wizard

You must install the connector as a domain user with at least read permissions to the AD environment.

(Optional) To grant read access to the Deleted Objects container, you must install the connector as a domain user that can grant Read permissions to the computer object that the connector is installed on. If you are not logged in as a domain administrator, you can enter the credentials of a domain administrator to grant permission. Alternately, you can have a domain administrator grant the permission outside of the wizard by delegating permission to the connector computer object through the DSACLS command. See for more information.

Windows permissions required for the Self-service password reset and account unlock features

To allow Active Directory users to change their passwords through Identity Administration, you need to delegate appropriate permissions. Refer to Delegate permissions to reset passwords and unlock accounts.

Users can then update their AD password and attributes through the User Portal if they have Active Directory SELF permissions.

CyberArk Cloud Directory user and administrative rights requirements

The following table describes the minimum Identity Administration administrative rights required to register the CyberArk Identity Connector with your tenant.

Minimum requirements to register the connector

Administrative rights


Installeruser user name and password

Install system connectors and components

To install ISPSS connectors. For security reasons, the installeruser password expires after 24 hours.