Installing and Configuring a Connector
The connector is a multipurpose service that enables secure communication between your internal network and Privileged Access Service. Multi-factor authentication requires at least one connector to be installed on your network inside of the firewall. The connector provides the link between your internal Active Directory forest and the Privileged Access Service platform.
You can install more than one connector for your organization to support fail-over and load balancing. You might also want to install more than one connector if you are using multiple instances of Privileged Access Service or have access to more than one customer-specific Identity platform instance URL. In most cases, you should install at least two connectors in a production environment.
Make sure that the account you're logged into on the computer has the appropriate permissions to install the Cloud Connector.
For details about installing and configuring the connector, please see the Privileged Access Service help:
Establishing a Connector Identity for Multi-Factor Authentication
In order to enable multi-factor authentication for Delinea-managed UNIX and Linux machines, the connector must validate the machine credentials using the Integrated Windows Authentication (IWA) service. To use the IWA service, your connectors must be configured to use an HTTPS-enabled port.
To configure connectors to use an HTTPS-enabled port, you must either download a host certificate issued by Delinea, or upload a host certificate issued by a Certificate Authority (CA) already trusted by your environment.
To configure Windows computers for multi-factor authentication, you must establish an initial trust relationship between the Windows machine and the Cloud Connector. Since the connector accesses the IWA service through a secure HTTPS channel, you must validate the correct certificate during installation when enabling multi-factor authentication for login.
If you are operating in an evaluation environment, and cannot easily set up the required certificate trust relationship, you have the option to skip this step during installation and trust your own connector without enrolling in the IWA service. In this case, the computer is connected directly to the Delinea Platform, and multi-factor authentication can be enabled. Note, however, that this should only be done in an evaluation environment, as it has serious security implications in a live production environment.
If you have chosen not to establish the trust relationship, but wish to do so in the future, you can either leave and then rejoin a zone if you are joined to one, or you can disable and then re-enable multi-factor authentication for login to launch the configuration wizard.
To configure a connector to use a Delinea-issued root certificate
- In the Admin Portal, click Settings > Network.
- Select the connector you want to configure, and choose Modify from the Actions menu.
- In IWA Service, click Download your IWA root CA Certificate to retrieve the public certificate for the tenant-specific CA certificate issued by Delinea.
- Click Download to download the host certificate issued by Delinea for your connector.
You can export the trusted root CA certificate issued by Delinea, tenantname-root.cer, and manually install it on a local computer, or use group policy to distribute the certificate file as a trusted root certificate to multiple computers.
To Import the Certificate Manually to a Local Windows Computer
- Right-click the certificate you downloaded in To configure a connector to use a Delinea-issued root certificate.
- Select Install Certificate to start the Certificate Import Wizard.
- Select Local Machine and click Next.
- Select Place all certificates in the following store and click Browse.
- Select Trusted Root Certification Authorities and click OK.
- Click Next and then Finish to complete the wizard.
A Windows Security Warning may be displayed. Click Yes to finish installing the certificate.
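The same import, scripted, as an added example that is not part of Delinea's documentation or product: it loads the downloaded tenantname-root.cer, refuses to place anything in the Trusted Root store that is not a self-signed CA certificate with the thumbprint you recorded when downloading it, then imports and confirms it. The file path and the expected thumbprint are assumptions you replace with your own values.

```powershell
# Added example (not Delinea's code): import the downloaded root CA certificate
# into the Local Machine Trusted Root store, with the checks a practitioner
# should run before trusting a new root. Path and thumbprint are assumptions.
param(
    [string]$CertPath = 'C:\Temp\tenantname-root.cer',      # file downloaded from the Admin Portal
    [string]$ExpectedThumbprint = 'PLACEHOLDER_THUMBPRINT'   # record this when you download the file
)

# Load the certificate without touching any store yet.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# Only a self-signed CA certificate belongs in Trusted Root; anything else
# placed there widens trust in ways you did not intend.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Refusing to install: '$($cert.Subject)' is not self-signed (issuer: $($cert.Issuer))."
}
$basic = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $basic -or -not $basic.CertificateAuthority) {
    throw "Refusing to install: certificate does not carry CA basic constraints."
}
# Compare against the thumbprint recorded at download time, so a swapped
# file cannot silently become a trusted root on this machine.
if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
    throw "Thumbprint mismatch: got $($cert.Thumbprint), expected $ExpectedThumbprint."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Refusing to install: certificate expired on $($cert.NotAfter)."
}

# Same store the Certificate Import Wizard steps above use; requires elevation.
Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Confirm the root is now present in the machine store.
$installed = Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($installed) {
    Write-Host "Installed root CA: $($installed.Subject) [$($installed.Thumbprint)], valid until $($installed.NotAfter)"
} else {
    throw "Import reported success but the certificate is not in Cert:\LocalMachine\Root."
}
```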
To Export the Certificate for Bulk Group Policy Distribution
- Select the trusted root certificate you downloaded, right-click, then click Open.
- Click the Details tab and click Copy to file to start the Certificate Export Wizard, then click Next.
- Select DER encoded binary X.509 (.CER) as the file format, then click Next.
- Click Browse to select a location on the local server, type a file name and click Save, then click Next.
- Click Finish.
To Distribute the Certificate using Group Policy
- Open Group Policy Management to select the group policy object that defines the IP Security policies, then click Edit.
- Click Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
- Select Trusted Root Certification Authorities, right-click, and select Import to open the Certificate Import Wizard.
- Click Next on the Welcome screen.
- Browse to find the root certificate you downloaded, then click to accept the default values on each screen.
- Click Finish to complete the wizard.
The root certificate is now in the Active Directory Trusted Root Certification Authorities container. Group policy publishes all certificates in this container to computers joined to the domain. You can also run the gpupdate command from a command prompt to push the certificates to the computers in the domain.
Using a certificate not issued by Delinea with the Cloud Connector
If you want to use a certificate issued by a CA that is trusted by your organization, you must upload the certificate from the Cloud Connector Configuration program. Doing this ensures that the computer credentials can be validated for secure communication between the connector and the authentication server. The issuer of the certificate must also be trusted by resources running agents.
To use an externally issued certificate for a Cloud Connector
- In the Admin Portal, click Settings > Network > Delinea Connectors.
- Select the connector you want to configure, and choose Modify from the Actions menu.
- Click IWA Service.
- Click Upload and navigate to the location of the certificate trusted by your organization.
You may get the following error while enrolling a Windows agent/machine into the cloud-based CIS with debugging enabled:
An error occurred while sending the request. ---> System.Net.WebException:
The underlying connection was closed: Could not establish trust relationship for
the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException:
The remote certificate is invalid according to the validation procedure.
If so, check the trusted root CA store on the local machine. The server may not have the corresponding DigiCert Global Root CA installed. If it does not, export the certificate from the local machine and then import it on the server. After that, you should be able to enroll the server.
Verify Open Ports
Multi-factor authentication requires the following ports to be open for inbound communication and domain traffic:
- Port 8080 for HTTP API proxy
- Port 8443 for secure HTTP (HTTPS) connections
Installing the connector automatically sets Windows firewall rules to open these ports. However, if you are using a third-party firewall instead of the default Windows firewall, you should manually modify the port rules to allow the Server Suite Agent for Windows to communicate with the Cloud Connector. Both ports are required because integrated Windows authentication over HTTPS uses port 8443 to enable the connector to receive inbound connections from the agents.
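A diagnostic for the two points above (the "Could not establish trust relationship" enrollment error and the port requirements), added here as an example that is not part of Delinea's documentation or product: it checks that ports 8080 and 8443 on the connector answer, then performs a TLS handshake on 8443 and reports whether the connector's certificate chains to a root trusted by this machine and which root that is. The connector host name is an assumption; replace it with your connector's FQDN.

```powershell
# Added example (not Delinea's code): verify connector port reachability and
# whether the 8443 certificate chains to a root this machine trusts.
param([string]$Connector = 'connector01.example.local')   # assumption: your connector FQDN

# 1. Reachability of both ports the agent needs (8080 HTTP proxy, 8443 HTTPS/IWA).
foreach ($port in 8080, 8443) {
    $ok = (Test-NetConnection -ComputerName $Connector -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("Port {0}: {1}" -f $port, $(if ($ok) { 'open' } else { 'BLOCKED - check firewall rules' }))
}

# 2. TLS handshake on 8443. The callback records the chain result instead of
#    throwing, so the output explains a trust failure rather than hiding it.
$diag = @{ Errors = $null; Root = $null }
$validator = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $diag.Errors = $errors
    if ($chain.ChainElements.Count -gt 0) {
        $diag.Root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
    return $true   # report only; this diagnostic sends no credentials over the channel
}

$ssl = $null
$tcp = New-Object System.Net.Sockets.TcpClient($Connector, 8443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validator)
    $ssl.AuthenticateAsClient($Connector)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "Leaf : $($leaf.Subject) (expires $($leaf.NotAfter))"
    Write-Host "Root : $($diag.Root)"
    if ($diag.Errors -eq [System.Net.Security.SslPolicyErrors]::None) {
        Write-Host "Chain: trusted by this machine"
    } else {
        # RemoteCertificateChainErrors: the issuing root is missing from
        # Cert:\LocalMachine\Root on this machine (the enrollment error above).
        # RemoteCertificateNameMismatch: the name you connected with is not in the certificate.
        Write-Warning "Chain: NOT trusted ($($diag.Errors)). Install the issuing root CA on this machine."
    }
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

Run it from the machine you are trying to enroll, since the result depends on that machine's own trusted root store.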