Creating an Active Directory connection
You can use CyberArk Configuration Console to create and view Active Directory connections. Trust Protection Foundation can connect to Active Directory via an IPv4 or IPv6 connection. You can create multiple Active Directory connections as necessary.
The Active Directory Connection integrates Trust Protection Foundation with an Active Directory tree. The connection allows Trust Protection Foundation to read User and Group data directly from Active Directory. So, you can log in as an external user, view external users and groups in the Identity tree, select external users or groups as object Contacts, and assign object permissions to external users and groups.
To create an Active Directory connection
- Remote into the Trust Protection Foundation server as a master administrator.
- From the Windows Start menu, click CyberArk Configuration Console.
- In the left pane of CyberArk Configuration Console, click Connectors.
- In the right Actions pane, click Active Directory Connector.
- If prompted, log in with your Trust Protection Foundation local, master administrator credentials.
- On the Welcome page, click Next and then log in with your credentials.
- On the Before You Begin page, read the requirements. Be sure you know the AD root you want for the Root Selection step. Click Next.
- On the Authentication Credentials page, type the credentials for the Active Directory service account, and then click Next. The username must be in User Principal Name (UPN) format.
- On the Connection page, enter the following information, and then click Next.
- On the Domain Selection page, select the domains or forests to include, and then click Next.
- On the Controller Selection page, review the discovered domain controllers, verify that the correct controllers are selected for this network segment, and then click Next.
- (Optional) On the Global Catalog page, review the discovered global catalogs, and then click Next.
- On the Search Roots Selection page, select the containers, and then click Next. If an error occurs, try the Common Name (CN) that appears in the error message as the container name. Select the nodes or containers where the users who connect to Trust Protection Foundation are located. Users in a node that is not selected cannot authenticate with Trust Protection Foundation.
- On the Finalization page, specify the following parameters, and then click Finish:
  - Object Name: The object name that appears in the Trust Protection Foundation Identity tree.
  - Friendly Name: A friendly name for the AD connection. It forms part of the prefix for the identity connector; the complete prefix is AD+FriendlyName. Choose a name that is easy to use and remember. A prefixed name, for example AD+FriendlyName, is one of the allowed login formats.
  - Resolve Nested Groups (Optional): The provider expands nested groups while processing notifications.
  - Rank (Optional): The order in which the identity connectors are searched when looking for users.
For example, assume the username is Bob. If a user called Bob exists both in the local identity system and in the AD connector, the rank determines which identity connector is tried first. Most likely that should be the AD connector, so the AD connector needs the lower rank (the highest priority): set the rank for the AD connector to 0 and the rank for the Local identity connector to 1.
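The following Python model, added here as an illustration and not part of the product or this documentation, shows how rank, the prefixed login format and the selected search roots interact when a login is resolved. The connector prefixes, the `Prefix\username` separator, the sample DNs and the user entries are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Connector:
    """One identity connector as configured on the Finalization page (model only)."""
    prefix: str                     # "local", or AD+FriendlyName for an AD connector
    rank: int                       # lower rank = searched first when no prefix is given
    search_roots: tuple = ()        # DN suffixes chosen on the Search Roots page; () = no filter
    users: dict = field(default_factory=dict)   # username -> DN (constructed sample directory)

    def find(self, username):
        """Return the user's DN, or None if absent or outside the selected search roots."""
        dn = self.users.get(username.lower())
        if dn is None:
            return None
        if self.search_roots and not any(dn.lower().endswith(r.lower()) for r in self.search_roots):
            return None   # present in AD, but not under a selected container: cannot authenticate
        return dn

def resolve_identity(login, connectors):
    """Return (prefix, DN) of the connector that answers for `login`, or None."""
    if "\\" in login:   # prefixed format, assumed here as Prefix\username, targets one connector
        prefix, username = login.split("\\", 1)
        for c in connectors:
            if c.prefix.lower() == prefix.lower():
                dn = c.find(username)
                return (c.prefix, dn) if dn else None
        return None
    for c in sorted(connectors, key=lambda c: c.rank):   # rank 0 is tried before rank 1
        dn = c.find(login)
        if dn:
            return (c.prefix, dn)
    return None

# Constructed sample data: "Bob" exists in both stores, "Carol" sits outside the chosen roots.
AD_CORP = Connector("AD+Corp", rank=0, search_roots=("OU=Staff,DC=example,DC=com",),
                    users={"bob": "CN=Bob,OU=Staff,DC=example,DC=com",
                           "carol": "CN=Carol,OU=Contractors,DC=example,DC=com"})
LOCAL = Connector("local", rank=1, users={"bob": "cn=bob,o=local"})
CONNECTORS = [LOCAL, AD_CORP]

if __name__ == "__main__":
    for login in ("bob", "local\\bob", "carol"):
        print(login, "->", resolve_identity(login, CONNECTORS))
```

With the ranks swapped (local 0, AD 1) the unprefixed login "bob" resolves to the local account instead, which is the situation the rank setting is meant to avoid.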
What's next
- Restart the Trust Protection Foundation and CyberArk Log server.
- Restart server services on all Trust Protection Foundation servers.
- Restart the IIS web server on all applicable Trust Protection Foundation servers.
- To review or update basic settings from CyberArk Configuration Console, click Properties.