Configuring Internet Explorer security zones

For users to be authenticated silently when they use Internet Explorer to open the Privileged Access Service Admin Portal, two conditions must be met:

  • Internet Explorer must have integrated Windows authentication enabled. For details, see Enabling Integrated Windows Authentication.
  • If you are using a fully qualified domain name (FQDN) URL, the connector must be in the local intranet Internet Explorer security zone or explicitly configured as part of the local intranet security zone.

For Internet Explorer, a server is recognized as part of the local intranet security zone in one of two ways:

  • When the user specifies a URL that is not a fully qualified DNS domain name. For example, if you access an application with a URL such as http://acme/index.html, Internet Explorer interprets this as a site in the local intranet security zone.

    Note: By default, the connector host name is not a fully qualified DNS domain name. Privileged Access Service uses the format of https://hostname, where hostname is the host name of the connector.

  • When the user specifies a URL with a fully qualified name that has been explicitly configured as a local intranet site in Internet Explorer (see instructions below). For example, if you access an application with a URL such as http://acme.mycompany.com/index.html, Internet Explorer interprets this as a site that is not part of the local intranet unless the site has been manually added to the local intranet security zone.

Depending on whether users log on to Web applications using a local intranet URL or a fully-qualified path in the URL, silent authentication may require modifying the local intranet security zone in Internet Explorer.

Enabling Integrated Windows Authentication

Use the following procedure to enable silent authentication on each computer.

Adding a web site to the local intranet security zone

By default, the Centrify Connector host name is not a fully qualified domain name. When this is the case, you do not need to add the URL (https://hostname) to the local intranet, and users get silent authentication when they log in to the Privileged Access Service Admin Portal.

However, if you change the connector host name to a fully qualified domain name, you must add the connector host FQDN URL (https://hostname.domain.com) to the Local Intranet zone in each user’s Internet Explorer before they can get silent authentication.
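
The following PowerShell is an added example, not part of the original documentation. It shows one way to make the per-user Local Intranet entry described above by writing the Internet Explorer ZoneMap registry key. It maps only the exact connector host over HTTPS, because Internet Explorer by default logs on automatically with Windows credentials to sites in this zone. The host name is the placeholder used on this page, and the two-label domain split is an assumption.

```powershell
# Added example: map the connector FQDN to the Local Intranet zone for the
# current user. Replace the placeholder with your connector's FQDN.
$ConnectorFqdn = 'hostname.domain.com'   # placeholder from this page
$Scheme        = 'https'                 # map HTTPS only, not every protocol
$IntranetZone  = 1                       # 1 = Local intranet, 2 = Trusted sites, 3 = Internet

$labels = $ConnectorFqdn.Split('.')
if ($labels.Count -lt 3) {
    throw "Expected a host FQDN such as hostname.domain.com, got '$ConnectorFqdn'."
}

# Assumption: the domain is the last two labels (domain.com). Adjust the split
# for suffixes such as co.uk. Everything before the domain is the host part.
$domain   = $labels[-2..-1] -join '.'
$hostPart = $labels[0..($labels.Count - 3)] -join '.'

# If the "Site to Zone Assignment List" Group Policy is in use, zone mappings
# are managed there and a per-user entry may not take effect.
$policyKeys = @(
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)
foreach ($key in $policyKeys) {
    if (Test-Path $key) {
        Write-Warning "Zone assignments are managed by policy at $key; add the site there instead."
    }
}

# Per-user layout: ...\ZoneMap\Domains\<domain>\<host>, with a DWORD named
# after the scheme whose data is the zone number.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$siteKey = Join-Path $zoneMap "$domain\$hostPart"

# Create the key only if it is missing so existing scheme values are kept.
if (-not (Test-Path $siteKey)) {
    New-Item -Path $siteKey -Force | Out-Null
}
New-ItemProperty -Path $siteKey -Name $Scheme -Value $IntranetZone `
    -PropertyType DWord -Force | Out-Null

# Read the mapping back and fail loudly if it did not stick.
$actual = (Get-ItemProperty -Path $siteKey -Name $Scheme).$Scheme
if ($actual -ne $IntranetZone) {
    throw "Zone mapping for $ConnectorFqdn is $actual, expected $IntranetZone."
}
'{0}://{1} is mapped to zone {2} for the current user.' -f $Scheme, $ConnectorFqdn, $actual
```

Avoid mapping a whole domain with a wildcard here: every host it covers would become eligible for automatic logon with the user's Windows credentials.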