Configuring an Active Directory connection
An Active Directory (AD) connection integrates Trust Protection Foundation with your Microsoft Active Directory forest or domain. This allows the system to read user and group data directly from Active Directory in real time.
Because Active Directory connections are read-only, you manage all your external users and groups within Active Directory, but you assign their permissions internally within the Trust Protection Foundation consoles.
Prerequisites
To establish the connection, you need the following:
- The Fully Qualified Domain Name (FQDN) of your Active Directory host.
- An Active Directory service account that has permission to read the domains and search roots you want to include. You must provide this account in User Principal Name (UPN) format (for example, administrator@example.com).
- Cloud Active Directory support: You can connect to cloud-hosted directories. Both Azure Active Directory Domain Services and AWS Managed Microsoft AD are fully compatible with Trust Protection Foundation and follow the same configuration steps as on-premises environments.
IMPORTANT Do not create overlapping connections. If your AD connections overlap, the system may fail to resolve user permission assignments correctly. For example, if Connection 1 includes Domain A (which has a trust relationship with Domain B) and you create a separate Connection 2 that includes Domain C (which also has a trust relationship with Domain B), the identity provider will not be able to route permissions accurately.
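A pre-flight check for the overlap rule above, written as an added example (not part of the page or the product): each connection's reach is its selected domains plus every domain reachable through trusts, and two connections overlap when those reaches intersect. The connection names, domains and trusts are constructed sample data, and trusts are treated as bidirectional, which is an assumption (real trusts can be one-way).

```python
from collections import deque

# Constructed sample configuration (not from the page): each connection lists the
# domains selected on its Domain Selection page; TRUSTS lists (domain, trusted_domain)
# pairs and is treated as bidirectional here (assumption; real trusts can be one-way).
CONNECTIONS = {
    "Connection 1": {"a.example.com"},
    "Connection 2": {"c.example.com"},
    "Connection 3": {"d.example.net"},
}
TRUSTS = [
    ("a.example.com", "b.example.com"),
    ("c.example.com", "b.example.com"),
]

def build_trust_graph(trusts):
    """Adjacency map over domains; each trust is traversed in both directions."""
    graph = {}
    for left, right in trusts:
        graph.setdefault(left, set()).add(right)
        graph.setdefault(right, set()).add(left)
    return graph

def reachable_domains(start_domains, graph):
    """Domains a connection can resolve: its own plus everything reachable via trusts."""
    seen = set(start_domains)
    queue = deque(start_domains)
    while queue:
        domain = queue.popleft()
        for neighbour in graph.get(domain, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen

def find_overlaps(connections, trusts):
    """Return [(conn_x, conn_y, shared_domains)] for every pair whose reach intersects."""
    graph = build_trust_graph(trusts)
    scopes = {name: reachable_domains(doms, graph) for name, doms in connections.items()}
    names = sorted(scopes)
    overlaps = []
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            shared = scopes[x] & scopes[y]
            if shared:
                overlaps.append((x, y, sorted(shared)))
    return overlaps
```

With the sample data, Connection 1 and Connection 2 are reported as overlapping through b.example.com (and, transitively, each other's domain), while Connection 3 stands alone.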
To create an Active Directory connector
- On the CyberArk server, open the CyberArk Configuration Console and navigate to the Connectors node.
- In the Actions panel, under Create Identity Connectors, click Active Directory Connector.
- On the Welcome page, log in with your master administrator credentials if prompted, and then click Next.
- On the Before You Begin page, read the requirements and click Next.
- On the Authentication Credentials page, enter the Username (in UPN format) and Password for your Active Directory service account, and click Next.
- On the Connection page, enter the following information, and then click Next:

| Parameter name | Description |
| --- | --- |
| Name | The Fully Qualified Domain Name (FQDN) of the host where Trust Protection Foundation will connect and access Active Directory user domains (for example, host.example.com). |
| Connection | The managed directory connection type. Select Simple for an unencrypted connection, or Secure for an encrypted connection. With Simple, the service account credentials and directory queries cross the network in the clear. |
| Concurrency | The number of processing threads to use for searching for users in the identity provider. |
| Choose Domains and Controllers Specific to this Platform | When selected, the settings you apply on the following screens apply to this server only. This allows you to have AD connectors in different security zones or segments of your network. When checked, the "Disable Rediscovery for This Platform" option is automatically checked (it is required). |
| Disable Rediscovery for This Platform | If you are not choosing domains and controllers specific to a platform, leave this option unselected (which leaves rediscovery enabled) unless CyberArk Customer Support tells you to disable it. |

- On the Domain Selection page, select the domains or forests to include, and then click Next.
- On the Controller Selection page, review the discovered domain controllers, verify the correct controllers are selected for this network segment, and then click Next.
- (Optional) On the Global Catalog page, review the discovered global catalogs, and then click Next.
- On the Search Roots Selection page, select the specific containers to use as search roots, and then click Next.
  Select the nodes or containers where users connecting to Trust Protection Foundation are found. If users are in a node that is not selected, they will not be able to authenticate with Trust Protection Foundation.
- On the Finalization page, complete the following fields:

| Parameter name | Description |
| --- | --- |
| Object Name | A name for your new Active Directory provider object that appears in the administration consoles. |
| Friendly Name | A friendly name for the connection. This name acts as a prefix if end users need to explicitly route their login to this directory (for example, AD+FriendlyName\username). |
| Resolve Nested Groups | (Optional) Forces Trust Protection Foundation to expand nested groups while processing notifications, approval requests, and reports. |
| Rank | (Optional) The order in which the identity connectors are searched when looking for users. Trust Protection Foundation searches for users starting with the lowest rank number first. |

- Click Finish.
- Restart the Trust Protection Foundation service, the Log service, and IIS on all Trust Protection Foundation servers.
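The Friendly Name prefix and Rank fields from the Finalization page decide which connector handles a login. The following added example (not the product's code) simulates that routing rule: a login written as AD+FriendlyName\username goes only to the named connector, and a bare username is searched across connectors in ascending rank order. The connector records and their "users" sets are constructed stand-ins for what each connector's search roots would return; case-insensitive matching of the friendly name, and unranked connectors being searched last, are assumptions.

```python
import re

# Constructed sample connectors (not from the page). "users" stands in for the accounts
# a connector's search roots return; the page documents only the prefix syntax and the
# rank order, so the lookup itself is a stand-in.
CONNECTORS = [
    {"object_name": "AD-Corp", "friendly_name": "corp", "rank": 2, "users": {"alice", "bob"}},
    {"object_name": "AD-Lab", "friendly_name": "lab", "rank": 1, "users": {"bob", "carol"}},
    {"object_name": "AD-Legacy", "friendly_name": "legacy", "rank": None, "users": {"dave"}},
]

# Explicit routing form from the Finalization table: AD+FriendlyName\username
EXPLICIT_ROUTE = re.compile(r"^AD\+(?P<friendly>[^\\]+)\\(?P<user>.+)$", re.IGNORECASE)

def search_order(connectors):
    """Lowest rank number first; unranked connectors (assumption) go last, in config order."""
    return sorted(connectors, key=lambda c: (c["rank"] is None, c["rank"] or 0))

def resolve_login(login, connectors):
    """Return the object_name of the connector that resolves the login, or None."""
    match = EXPLICIT_ROUTE.match(login)
    if match:
        friendly, user = match.group("friendly").lower(), match.group("user")
        for c in connectors:
            if c["friendly_name"].lower() == friendly:
                return c["object_name"] if user in c["users"] else None
        return None  # unknown friendly name (assumption): the login is not retried elsewhere
    for c in search_order(connectors):  # no prefix: walk connectors by rank
        if login in c["users"]:
            return c["object_name"]
    return None
```

Note that "bob" exists in both AD-Corp and AD-Lab; without a prefix the rank-1 connector wins, which is why Rank matters when the same account name appears in more than one directory.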
Automatic discovery of domain controllers and global catalogs
Trust Protection Foundation actively monitors your Active Directory connection and automatically discovers changes to domain controllers and global catalogs. This ensures your connection remains current as your directory infrastructure evolves, without requiring manual configuration updates.
Trust Protection Foundation checks for changes in your directory environment twice daily at noon and midnight (server time). When changes are detected, the system automatically adds or removes the affected domain controllers and global catalogs. No further configuration is required.
If you view or edit the connector in CyberArk Configuration Console, you will notice that the domain controller and global catalog screens are displayed but are read-only. This is because the system manages these settings automatically.
TIP If you make infrastructure changes and want to force Trust Protection Foundation to check for updates immediately (rather than waiting for the next scheduled check), restart the CyberArk Platform service.
What's next?
Your Active Directory users can now log in to the system. By default, Trust Protection Foundation verifies their credentials by securely passing the password the user enters on the login screen directly to Active Directory.
If you want to bypass local password entry and instead delegate credential verification for these users to an external identity provider, proceed to Configuring single sign-on for an identity connector to map this directory to an OpenID Connect (OIDC) or SAML profile.