CPC D&a - Part A - Identity

The document provides a comprehensive guide for deploying and administering the CyberArk Privilege Cloud, focusing on identity management within a virtual lab environment. It includes instructions for connecting to servers, setting up user accounts, and configuring the CyberArk Identity Connector. Additionally, it addresses considerations for international users and outlines the roles of various virtual machines in the training setup.


CyberArk Privilege Cloud

Deployment & Administration

Part A:
Identity Management
CPC D&A – Part A: Identity Management

Table of Contents

Introduction to the Skytap Lab (p. 4)
    Using Skytap (p. 4)
    International Users (p. 6)
Getting to Know the Environment (p. 10)
CyberArk Identity (p. 12)
    Connect to the Connector1 server (p. 12)
        Copy the tenant information to the Skytap virtual machine (p. 14)
    Set the password for CyberArk Cloud Tenant Admin (p. 15)
        Setting the IP allowlist (p. 20)
        Adding the Tenant Administrator's phone number (p. 21)
        Creating a Support account for CyberArk Trainers (p. 25)
        Set the password for the Identity installer user (p. 27)
    Deploying the Identity Connector (p. 29)
        Download and Extraction (p. 30)
        Installation (p. 31)
        Configuration (p. 34)
    Checking the Identity Connector service (p. 40)
    Identity Administration (p. 42)
        Role Mappings (p. 42)
        Authentication Profiles (p. 44)
        Policy Set creation (p. 47)
        Forwarding Mails through the Identity Connector (p. 50)
    Testing MFA (p. 53)
    Disabling MFA and Email Forwarding (p. 55)
    Know the Players (p. 57)

CyberArk University Exercise Guide page A - 2

12/26/2024
© Cyber-Ark® Software Ltd - No part of this material may be disclosed to any person or firm or reproduced by any means, electronic
and mechanical, without the express prior written permission of Cyber-Ark® Software Ltd.

Introduction to the Skytap Lab

Using Skytap

Before beginning the exercises, here are a few tips to help you navigate the labs more
effectively. Refer to the International Users section below for instructions on changing
the keyboard layout.

The virtual machines need to be running for you to be able to do the exercises.
You can start all the virtual machines with one click by pressing the start button
(highlighted in red in the image below).

Note: The number and names of virtual machines vary by course. The image
above is given as an example and might not match exactly what you
see.

Occasionally, for reasons outside our control, one or more machines may fail to start up
when requested. If you notice that a particular machine is not responding to a ping or if
you cannot log in using Active Directory, you should check your virtual machines to
make sure they are all running properly.

Click on the large monitor icon to connect to a virtual machine with the HTML5
client.

Use the Ctrl-Alt-Del button on the toolbar to send a Ctrl-Alt-Del to the machine.

The clipboard icon will allow you to copy and paste text between your computer
and your lab machine. Do NOT copy and paste from this PDF into the Privilege
Cloud tool. It will not work.

The full-screen icon will resize your virtual screen to adapt to your computer’s
screen settings to avoid scrolling.

You may need to adjust your bandwidth setting for slower connections.

International Users

By default, the lab machines are configured to use a US-English keyboard layout. If you
use a keyboard from a country other than the US, you may experience odd behavior from
your lab machines. The solution is to install the layout matching your keyboard on the
lab machines. Follow the process below to find and configure the correct keyboard
layout for your keyboard.

From the Start Menu launch “Add a language.”

Click “Add a language.”

Select your language. Click Open.

Select your specific locality or dialect. Click Add.

With the option English (United States) selected, click the Move Down button.
This will make your language the default. Don’t remove US English altogether as
your instructor may need it if he/she connects to your machine.

Note: If you use an alternate keyboard layout (e.g., AZERTY, Dvorak), you
can click options next to your language to install it.
Otherwise, close the Language window.

In the system tray, click ENG, then choose your keyboard layout. You may switch
back and forth between keyboard layouts, and your instructor may need to switch
back to ENG to help you with exercises.

Getting to Know the Environment


Welcome to the CyberArk Privilege Cloud Deployment and Administration training. The
purpose of this training is to enable you to securely deploy and administer the CyberArk
Privilege Cloud solution.

Our environment includes five virtual servers. Some host CyberArk components,
others serve as IT infrastructure such as the Domain Controller, and the rest, which we
often refer to as target servers, host applications and services for departments such as
human resources or finance.

The aim is to give trainees an environment that closely mimics a real production setup.
Therefore, it includes an Active Directory domain, a certification authority, and other
elements. Our objective is to integrate CyberArk Privilege Cloud into this corporate
environment and bring the privileged accounts under CyberArk’s control.

The table below lists the various servers, their roles, and configuration. The servers
hosting CyberArk services (shaded in blue in the original table) are connector1 and
unix-connector.

Host name        IP Address   Operating system       Role
dc01             10.0.0.1     Windows 2019 Server    Domain controller, Active Directory
connector1       10.0.20.1    Windows 2019 Server    CyberArk Connector server hosting:
                                                     CPM, PSM, DPA* (Windows),
                                                     Identity Connector
unix-connector   10.0.0.4     CentOS Linux 7         CyberArk Unix Connector server hosting:
                                                     DPA* (Linux)
target-win       10.0.21.1    Windows 2019 Server    Target Windows server
target-lin       10.0.0.2     Debian 12              Target Linux server

* Note: DPA, or CyberArk Dynamic Privileged Access, has been re-branded as CyberArk
Secure Infrastructure Access, so you may see it referred to in this document as DPA
or SIA.

Exercise tasks will be performed on the server named connector1, shown in Skytap as
the 02 - connector1 VM. It serves as the workstation for the Vault administrator.
Note, however, that using a connector as a workstation is not recommended in
production; it is done here only to facilitate these exercises. CyberArk services
and components must be placed under secure access and control.

Reminder: All servers are set to start automatically during the initial deployment
from the LMS. However, if there has been no activity for more than 8 hours,
the environment will automatically shut down. In such cases, you will need to
restart your VMs using the start buttons.

To save on your runtime, do not forget to shut down your lab when you are
done for the day.

CyberArk Identity
In this first section, we will prepare our environment to integrate with CyberArk
Identity. For this, we will:

• Copy the tenant information to the Skytap virtual machine.
• Set the password for the CyberArk Cloud Tenant Administrator.
• Set the password for the Connector InstallerUser.
• Install the Identity Connector.

Connect to the Connector1 server

First, we need to log into Windows. As already mentioned, we will use the Connector
server as our workstation. The account we will use is Mike, an Active Directory
Administrator who has been given the responsibility for configuring and maintaining the
Privilege Cloud solution in Acme. He is a member of the AD group CyberArk Vault
Admins.

Ensure that virtual machines are all started and click on the connector1 machine
to connect:

Once all the machines have started (this will take a few minutes), click on VM 02 -
connector1 and log in to Windows as Mike/Cyberark1.

Click the Ctrl-Alt-Del button in the Skytap toolbar at the top of the window to bring
up the login dialog. Alternatively, you can press Ctrl+Alt+End.

When prompted to login, use Mike as the username and Cyberark1 as the
password. Note that the machines default to the US English keyboard layout, so
you may need to adjust accordingly. Once entered, press Enter to log in.

You should now be logged into the Connector server as Mike, the CyberArk Vault
Administrator.

Copy the tenant information to the Skytap virtual machine

We will copy the information we received from the CyberArk Identity Security Platform
to the Skytap environment as we will need this information during the installation.

By now, you should have received an email inviting you to the CyberArk Identity
Security Platform. Copy the tenant information:

Then paste it into the Skytap clipboard, as shown below. This will allow us to copy
and paste the information required for installing and configuring the CyberArk
Connector into the virtual machine.

Then, inside the virtual machine, open the TenantAdmin.txt file on your Desktop.
Paste the information into the text file and save it. Keep this file open, as we will
use it often.

Note: The XXX represents the Tenant's number. The copy-and-paste feature
can be tricky, but with a little persistence, it will work.

Set the password for CyberArk Cloud Tenant Admin

Next, you will need to log in to the CyberArk Identity Security Platform and set the
password for the administrator account. This is the account that is the administrator of
the CyberArk Privilege Cloud tenant.

Watch the following video for a demonstration of the exercise.

Step-by-step instructions are also available below.

1. Connect to Connector1 as Mike/Cyberark1 if you are not already.

2. On the Connector1 machine, open Chrome and locate the Tenant URL you
copied to TenantAdmin.txt. Remember: the XXX in the image below will be
replaced by a number.

3. You will be redirected to the CyberArk Identity Security Platform login page.
Enter your Tenant Admin Login name and click Next.

4. You will next be prompted for a password, which we don’t have, so click on
Forgot your password? to initiate a password reset.

Select the option to authenticate by email and click Send me an email.

5. You will receive an email with an eight-digit code. Enter the code, then
click Authenticate.

6. Choose a preferred password and click on Next. You may also save it in your
TenantAdmin.txt.

Note: Rather than entering the code, you can click on the link Continue with
Authentication, which will also allow you to authenticate.

Make sure that your password meets the complexity requirements, which are
displayed above the Next button. Characters NOT to be used when changing
the password: \&"|<>$ and space.

Once the password is set, log in to the Tenant. You will be prompted again for
your Login name and the newly created password.

Then, because two-factor authentication is configured, you will be prompted to
authenticate either via email (the default) or SMS.

Once the authentication procedure is completed, you will be connected to the
CyberArk Privilege Cloud Web Portal.

Tip: Now would be a good time to create a bookmark for the Privilege
Cloud Portal in Chrome to simplify the access later.

Setting the IP allowlist

Privilege Cloud requires the IP addresses for the machines running the Connectors to
be registered for security purposes. This can be done directly via the Privilege Cloud
Portal.

Watch the following video for a demonstration of the exercise.

Step-by-step instructions are also available below.

First, determine the public IP addresses for the connector1 and unix-connector VMs:

On connector1, open Chrome, go to www.whatismyipaddress.com (or any similar
service), and get the public IP address. Then, enter the IPv4 address in
TenantAdmin.txt.

For unix-connector, open PuTTY (there is a shortcut in the taskbar), select the
connection PSM-SSH, and log in as root with the password Cyberark1. Run the
command below and note the address:

curl ifconfig.me

Note: You may see that the two IP addresses are the same. This is normal in
our environment because Skytap is translating network addresses in the
background.

Skytap may change the public IP address if you reconnect on another day. To
avoid possible issues, it is recommended that you add an IP range, e.g.,
45.120.106.0/24 (this might not be the exact IP range for your Skytap, so please
make sure to check it first).

Now let’s enter the allowed IPs in Privilege Cloud.

Open the Privilege Cloud Portal and go to Administration | Advanced Settings |
IP allowlist.

Enter the IP addresses (or IP range) you’ve obtained and click Add to list. In this
training, we can use CIDR notation for a range of addresses by entering an
address in the format:

111.111.111.0/24

Replace the 1’s above with the address of your environment. Click Add to list.
Don’t forget to press Save at the bottom of the page.

Note: This process might take up to 10 minutes so you can continue with the
exercises and review later.
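Because the allowlist change can take up to ten minutes to apply, it is worth checking the entry before pressing Save: it must cover the public address seen from both connectors, be no wider than the /24 suggested above, and be the NAT'd public address rather than the lab's internal 10.x address. The script below is an added example (not part of this guide or of the CyberArk product); the observed address 45.120.106.17 is a constructed sample value, and the range 45.120.106.0/24 is the illustration used in the note above.

```python
"""Sanity-check a Privilege Cloud IP allowlist entry before saving it.

Added example, not part of the CyberArk guide. Input: the public IPv4
addresses observed on connector1 and unix-connector (via
whatismyipaddress.com / curl ifconfig.me) and the entry you intend to
type into Administration | Advanced Settings | IP allowlist.
"""
import ipaddress

# The exercise recommends a /24 range; anything broader is flagged as too wide.
MIN_PREFIX_LEN = 24


def parse_entry(entry: str) -> ipaddress.IPv4Network:
    """Parse an allowlist entry as typed in the portal: '1.2.3.4' or '1.2.3.0/24'.

    strict=False normalises a host address with a prefix (45.120.106.7/24)
    to its network (45.120.106.0/24), which is the form the range needs.
    """
    net = ipaddress.ip_network(entry.strip(), strict=False)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"only IPv4 allowlist entries are handled here: {entry!r}")
    return net


def check_allowlist_entry(entry: str, observed_ips: list[str]) -> dict:
    """Report whether `entry` covers every observed public IP and is sensibly scoped.

    Returns a dict with:
      entry        - the normalised entry in CIDR form
      covered      - per-IP map: is that observed address inside the entry?
      all_covered  - True only if every connector address would be admitted
      too_wide     - True if the range is broader than the recommended /24
      is_public    - False if the entry is a private (RFC 1918) address, i.e. the
                     lab's internal address was pasted instead of the NAT'd public one
    """
    net = parse_entry(entry)
    covered = {ip: ipaddress.ip_address(ip) in net for ip in observed_ips}
    return {
        "entry": str(net),
        "covered": covered,
        "all_covered": all(covered.values()),
        "too_wide": net.prefixlen < MIN_PREFIX_LEN,
        "is_public": not net.is_private,
    }


def is_safe_to_save(entry: str, observed_ips: list[str]) -> bool:
    """Single go/no-go answer: covers all connectors, is public, and is not too wide."""
    report = check_allowlist_entry(entry, observed_ips)
    return report["all_covered"] and report["is_public"] and not report["too_wide"]


if __name__ == "__main__":
    # Constructed sample values: both connectors report the same NAT'd public
    # address, which the guide says is normal in the Skytap environment.
    observed = ["45.120.106.17", "45.120.106.17"]
    for candidate in ["45.120.106.0/24", "45.120.106.17", "45.120.0.0/16", "10.0.20.1"]:
        verdict = "safe" if is_safe_to_save(candidate, observed) else "do not save"
        print(candidate, check_allowlist_entry(candidate, observed), "->", verdict)
```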

Adding the Tenant Administrator's phone number

We can use text message (SMS) confirmation codes as part of our authentication
mechanism in the authentication profile.

Watch the following video for a demonstration of the exercise.

Step-by-step instructions are also available below.

First, we will provide a phone number to allow for SMS Multi-Factor
Authentication.

Note: This information will not be used by CyberArk.

In Chrome, navigate to the Identity Administration page by clicking on the 9-dot
button and then on Identity Administration:

Alternatively, if your session has timed out, reconnect with your credentials and navigate
to the Identity Administration page.

Click on Go to Identity Administration.

On the first connection, an introduction screen with a short video will be displayed.
Review the material, clicking Next to move through the sections. Once you're
done, close the window.

When you reach the Identity Administration home page, in the left pane, under
Core Services, click Users.

Then on the right, in the Users section, click on your Tenant Admin user:
[email protected].

Scroll down to the Mobile Number field and enter a phone number, including its
country code, on which you can receive SMS or phone calls.

Note: This will be exclusively used for MFA purposes.

Click Save to complete the modification.

Creating a Support account for CyberArk Trainers

Due to the security structure of the CyberArk Solution, the Tenant you are given for
this training is not something trainers have access to by default. In the event you need
assistance with your exercises, it is necessary to add an account that the CyberArk
Training team can use to access your environment, for example, if you manage to lock
yourself out of the system.

So, to allow a trainer to connect to the Identity environment, create a new internal user
with the System Administrator Role.

Watch the following video for a demonstration of the exercise.

Step-by-step instructions are also available below.

In the Identity Administration portal, go to Core Services | Users and click Add
User.

In Login name, type Training-XXX (replace XXX with the number of your CPC
lab).

In Email address, type [email protected].

In Display name, type Training.

In Password Type, select Manual and set the password to CyberArk1234!

Scroll down to Status. Check the option for Password never expires and
uncheck the Send email invite for user portal setup.

Click Create User.

Now go to Core Services | Roles. Locate the System Administrator role and
click on it.

Note: You can filter the list using the search tool at the top.

Click Members then Add.

Search for Training.

Click Add and then Save to save your changes.

Note: Add the Training User Login name and Password in your
TenantAdmin.txt so trainers can assist you.

Set the password for the Identity installer user

In this section, we will set a password for the built-in Identity user account,
[email protected], that we will use during the different installation
processes we will run in this course.

Watch the following video for a demonstration of the exercise.

Step-by-step instructions are also available below.

IMPORTANT! For security reasons, the InstallerUser's password expires every 24
hours. Therefore, whenever you use this user, you will need to reset the
password.

In Identity Administration, in the left pane, under Core Services, click Users.
Then, on the right, click the All Service Users set, and then click on the
InstallerUser in the list to view the user details.

Note the full name of the Installer user in TenantAdmin.txt. You will need it
regularly as you install the various components.

Click on the Actions button then Set Password.

Enter a password in the Set User Password dialog box and click Save. The
password should be alphanumeric only and not include special characters.

Note: Do NOT use the following characters when changing the password:
\/<>{}''&"$*@`| and space (Password example: C-Uuni1234).

Once again, type this password into TenantAdmin.txt, and remember to save it.

Deploying the Identity Connector

The CyberArk Identity Connector adds Microsoft Active Directory as a directory
service by enabling secure communication between CyberArk Identity and your AD
domain. Its deployment is divided into three phases:

• Download and extraction
• Installation
• Configuration

Watch the following video for a demonstration of the exercise.

Step-by-step instructions are also available below.

Download and Extraction

Navigate to the Identity Portal URL from TenantAdmin.txt.

Enter your Tenant Admin: [email protected] and its password.

Click on Settings | Network in the menu bar on the left.

Click on Set up connectors.

Select Download | Windows 64-bits. Once the file is downloaded, you can close
this dialog.

The downloaded file is called CyberArk-Identity-Management-Suite-win64.zip. For
consistency, move the Zip file to C:\CyberArkFiles\ and then extract the files to that
location.

Installation

Now we will begin the actual installation of the Identity Connector.

In the extracted directory, right-click on the executable and select Run as
administrator.

Then click Yes at the UAC dialog to allow the software to run.

Click Next to launch the installation wizard.

Note: Because you downloaded the latest version from the CyberArk server,
the version number in your environment may differ from the one shown
here.

Tick the box to accept the license agreement terms and then click Next.

Click Next to install all tools.

Click Install.

At the end of the installation, click Finish. This will end the installation phase of
CyberArk Identity Connector deployment and will immediately launch the
Connector Configuration Wizard, which we will see in the next section.

Configuration

After installation, the Connector Configuration Wizard should launch automatically.
If it does not, you can find it in the Start Menu.

On the welcome dialog, click Next.

Enter the full InstallerUser username and password and click Next.

Note: Although the dialog asks for the “admin user”, what is required here is the
InstallerUser.

We will not be using a web proxy, so just click Next.

Uncheck the box for Activate Idaptive Pages and click Next.

In this step, we will allow the Identity Connector access to the Deleted Objects
container. Select the domain acme.corp and click Edit.

Because we are logged in as Mike, who is a domain admin, we can use the current
credentials. Click OK.

Click Yes to change the container ownership and then click Next.

The Connector Configuration Wizard will then execute several checks, which
should all succeed. When finished, click Next.

The Connector service will then start up, and you will see the Connector setup is
complete. Click Finish to exit the wizard.

As a final step, we will verify that the changes we have made locally in our Skytap
environment have been reflected in the CyberArk Identity configuration in the
Cloud. The last connection result should show as successful.

You can click Close. You may be prompted to reboot your server to complete
installation of the Identity Connector service.

Note: You may receive a connection error at this point. Occasionally, the
installation process does not release the ports. A reboot will correct this.

Checking the Identity Connector service

After Connector1 reboots, reconnect as Mike / Cyberark1.

Open Chrome and click on the bookmark for Identity Administration. Log in to
the Identity Portal with your Tenant Admin.

Go to Settings | Network and confirm your Directory Forest and Connector1
hostname are present.

Open services.msc. You should have a new CyberArk Identity Connector
service up and running.
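As an added check that is not part of the exercise guide, the following PowerShell, run in an elevated session on Connector1, verifies the two things the wizard relies on: the connector service state and read access to the Deleted Objects container. It assumes the service display name starts with "CyberArk Identity Connector" (as seen in services.msc) and that the acme.corp domain has the distinguished name DC=acme,DC=corp.

```powershell
# Added verification script, not part of the CyberArk exercise guide.
# Run in an elevated PowerShell session on Connector1 after the wizard has finished.
# Assumptions: the service display name starts with "CyberArk Identity Connector"
# (as seen in services.msc) and the acme.corp domain has the DN DC=acme,DC=corp.

# 1. Service present, running, and set to start automatically, so it survives the
#    reboot the guide mentions. Anything else explains a failed "last connection".
$svc = Get-Service -DisplayName 'CyberArk Identity Connector*' -ErrorAction SilentlyContinue |
       Select-Object -First 1
if (-not $svc) {
    Write-Warning 'No CyberArk Identity Connector service found; the installation did not complete.'
} else {
    $svc | Select-Object Name, DisplayName, Status, StartType | Format-Table -AutoSize
    if ($svc.Status -ne 'Running' -or $svc.StartType -ne 'Automatic') {
        Write-Warning "Service is $($svc.Status) / $($svc.StartType); reboot Connector1 and re-check."
    }
}

# 2. The wizard changed the owner of the Deleted Objects container so the connector
#    can read it. By default only SYSTEM can read this container, so dsacls failing
#    here means the ownership change did not take effect.
$deletedObjects = 'CN=Deleted Objects,DC=acme,DC=corp'
$aclText = & dsacls.exe $deletedObjects 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Cannot read the ACL of $deletedObjects; re-run the wizard's Deleted Objects step."
} else {
    # Show the owner and the explicit entries so the granted access is visible.
    $aclText | Select-String -Pattern 'Owner:', 'Allow', 'Deny' | ForEach-Object { $_.Line }
}
```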

Identity Administration

In this section, we will perform several tasks that simplify User administration without
compromising security. We will create:

• Role Mappings: Associate groups in Active Directory with roles within
  CyberArk Privilege Cloud.
• Authentication Profiles: Rules for authentication. We will create both single-
  and multi-factor profiles.
• Policy Sets: Policies that associate roles with authentication profiles.

Role Mappings

The CyberArk Identity Connector adds AD as a directory service by facilitating secure
communication between Identity Administration and your AD domain.

Let’s now proceed with associating the ACME Users and Groups with their Roles within
Identity.

Watch the following video for a demonstration of the exercise.


Step-by-step instructions are also available below.

In the Identity Portal, as Tenant Admin, go to Core Services | Roles, then click
on Privilege Cloud Administrators, go to Members, and click Add.

Type CyberArk Vault in the search field, select the AD Group CyberArk Vault
[email protected], and click on the Add button.

Click on the Save button.

Repeat the process for the following Roles and their associated AD Groups:

Role                           AD Group
Privilege Cloud Safe Managers  CyberArk Safe [email protected]
Privilege Cloud Auditors       CyberArk [email protected]
Privilege Cloud Users          CyberArk [email protected]
DpaAdmin                       CyberArk Vault [email protected]

Note: Any AD User who is part of one of those Security Groups is
automatically assigned to the appropriate Role upon their first login.

Authentication Profiles

Here, we will create a set of Authentication Profiles for multi-factor authentication using
passwords, email notifications, and SMS. We will also create a Single-Factor profile to
simplify access in this lab.

Watch the following video for a demonstration of the exercise.


Step-by-step instructions are also available below.

Note: Single-factor authentication significantly reduces the overall security of
your environment and should only be used in demonstration
environments. However, we will use it to make working in the training
environment easier.

Still in the Identity Portal, if you are not connected, log on with your Tenant
Admin.

Go to Settings | Authentication | Authentication Profiles.

Click on Add Profile.

Name the new profile ACME Users MFA.

Enable Password for Challenge 1 and Email confirmation code and Text
Message (SMS) confirmation code for Challenge 2. Click OK when you are
finished.

Repeat the operation to create an Authentication Profile named ACME Users
1FA. Select Password for Challenge 1. Do not add anything in Challenge 2.
Click OK when you are done.

Finally, create another Authentication Profile named ACME System Admin MFA.

Select Password for Challenge 1 and, for Challenge 2: Phone call, Text Message
(SMS) confirmation code and Email confirmation code (this last option is
necessary to allow the trainer access to your system).

Click OK when done and confirm the following view:

Policy Set creation

Policy Sets allow us to associate Authentication Profiles with Roles so that users
who are created in Identity and assigned a particular role can connect to CyberArk
Privilege Cloud with a particular Authentication Profile and automatically be assigned
the appropriate role within the system.

Watch the following video for a demonstration of the exercise.


Step-by-step instructions are also available below.

Go to Core Services | Policies. Click on Add Policy Set.

Under Policy Settings, name the new Policy ACME MFA User Policy.

Click on the radio button in Policy Assignment to select Specified Roles. This
will allow you to add new roles to the policy. Click the Add button.

Check the boxes for the four following Privilege Cloud built-in roles and click Add.

• Privilege Cloud Administrators
• Privilege Cloud Auditors
• Privilege Cloud Safe Managers
• Privilege Cloud Users

Tip: To reduce the number of options, enter the string ‘privilege’ in the
search field.

Note: For each of these roles, there are three versions: the plain one (e.g.
Privilege Cloud Users), a Basic version, and a Lite version. Make sure
you choose the plain version, as shown in the image above.

Still under ACME MFA User Policy, select the Authentication Policies tab and
then CyberArk Identity.

Set Enable authentication policy controls to Yes.

Then change the Default Profile to ACME Users MFA. Make sure to click Save
when you are done.

Next, add a new Policy Set named ACME System Admin.

Click on Specified Roles, Add, and add the role System Administrator.

Go to Authentication Policies | CyberArk Identity.

Set Enable authentication policy controls to Yes.

Then change the Default Profile to ACME System Admin MFA.

Click Save when you are done.

Note: We now have two new Policy Sets, each with a different MFA Profile,
that will control how users with different Roles can access the CyberArk
solution.

Forwarding Mails through the Identity Connector

The purpose of this exercise is to enable our Connector1 server to forward emails to
our internal ACME email server (which has no access to the internet).

With this enabled, we will be able to test how MFA works for the ACME Users.

Watch the following video for a demonstration of the exercise.


Step-by-step instructions are also available below.

Note: Once we have seen how MFA works, we will allow our ACME users to
connect with 1FA, which will allow us to work more quickly in the training
environment.

Connect to the Identity Portal as the Tenant Admin and go to Settings |
Customization.

Navigate to Account | System Configuration.

Check the box for Use custom SMTP server settings.

Fill in the fields as follows:

• User Name: [email protected]
• Password: Cyberark1
• Server Name or Address: 10.0.0.1
• Port: leave at the default (25)
• Leave Use encrypted connection (SSL) unchecked

Check the box for Connect to SMTP server via connector (Any available).

Click Save then Send Test Email to confirm.
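The portal's Send Test Email only reports success or failure. As an added check that is not from the guide, this PowerShell, run on Connector1, exercises the same path the connector uses: a clear-text SMTP session to 10.0.0.1 on port 25 authenticated with the bind mailbox credentials. The sender address mike@acme.corp and the Tenant Admin recipient are assumed placeholders; substitute the values you entered in the portal.

```powershell
# Added relay check, not part of the CyberArk exercise guide. Run on Connector1.
# Assumptions: server 10.0.0.1, port 25, no SSL, as configured in the portal above.
# $From and $To are placeholders: use the User Name you entered and your Tenant Admin address.
$SmtpServer = '10.0.0.1'
$SmtpPort   = 25
$From       = 'mike@acme.corp'             # assumed: the bind mailbox from the portal settings
$To         = 'tenant-admin@example.com'   # placeholder: your Tenant Admin address

# 1. TCP reachability from the connector host. If this fails, the portal test can only
#    ever report a failure, whatever the credentials are.
$tcp = Test-NetConnection -ComputerName $SmtpServer -Port $SmtpPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "Connector1 cannot reach ${SmtpServer}:$SmtpPort; check routing/firewall before retrying the portal test."
    return
}

# 2. Authenticated submission with the same account the portal uses. The password is
#    prompted for rather than hard-coded so it does not land in history or transcripts.
$cred = Get-Credential -UserName $From -Message 'Password of the SMTP bind account'
try {
    Send-MailMessage -SmtpServer $SmtpServer -Port $SmtpPort -Credential $cred `
        -From $From -To $To -Subject 'Connector1 SMTP relay check' `
        -Body 'Sent from Connector1 to verify the custom SMTP relay path.' -ErrorAction Stop
    Write-Host "The ACME SMTP server accepted the message for $To."
} catch {
    Write-Warning "SMTP submission failed: $($_.Exception.Message)"
}
```

As the guide notes, acceptance by the ACME server is all that can be verified here; the message is never delivered to an external mailbox because that server has no internet access.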

The result should be as shown below:

Note: There are two points that should be clarified.

• For the purposes of training, we are using Mike’s email account as a
  sort of bind account to connect to the SMTP server. In production, this
  should be a dedicated service account.
• In the image above, we see that the email has been successfully sent to
  [email protected] (the trainer who developed this course, in
  fact). In your lab, you should see your own address, which is the
  address associated with the Tenant Admin. The email, however, will
  never be received because the acme.corp email server does not have
  internet access.

Testing MFA

To ensure that all the steps above were executed correctly, disconnect from the Identity
Portal and close all instances of Chrome.

Relaunch Chrome and connect to the Identity Portal as Tenant Admin. You
should be prompted for MFA and able to select SMS from the dropdown menu.

Note: If you can’t see the SMS MFA choice, please contact your Trainer
immediately.

From here on, we will assume you selected the MFA profile for ACME Users.

Close down Chrome again.

Click on the Privilege Cloud bookmark (that you created earlier) and log in as the
AD Admin [email protected]/Cyberark1.

Access the mailbox by clicking on MailEnable Web Mail and authenticate as
[email protected]/Cyberark1.

Click on the link in the mail or copy/paste the code into your browser.

You will be redirected to the CyberArk Privilege Cloud Web Portal.

You might not land on the proper page at the first attempt. In this case, connect to the
following URL:
https://acme-lab-XXX.cyberark.cloud/privilegecloud/ (do not forget to replace the XXX
with your tenant ID).

Disconnect from CyberArk Privilege Cloud as Mike.

Disabling MFA and Email Forwarding

Watch the following video for a demonstration of the exercise.


Step-by-step instructions are also available below.

Note: From here on, for the sake of simplicity, we will disable MFA for Acme
Users.

Reconnect to Identity as the Tenant Admin and go to Identity | Core Services |
Policies.

Select ACME MFA User Policy.

Go to Authentication Policies | CyberArk Identity | Default Profile.

Select ACME Users 1FA.

Save the Policy.

1. Next, we will also disable email forwarding as we won’t use it anymore.

2. Still in Identity, go to Settings | Customization | System Configuration.

3. Uncheck Use custom SMTP server settings, then click Save.

4. Now, AD Users can connect by providing the password only.

Know the Players

Before we move to the next section of the training, let's get to know the different users,
and their roles, that we will be using throughout the remainder of this lab. The password for
all these users is Cyberark1.

Username                            Auth Method  Role                            LDAP Group
Acme-lab-XXX@cyberark.cloud.XXXXX   Identity     Tenant Admin                    -

CyberArk Team (AD)
[email protected]                   LDAP         Privilege Cloud Administrators  CyberArk Vault Admins
[email protected]                   LDAP         Privilege Cloud Auditors        CyberArk Auditors

Linux Team
[email protected]                   LDAP         Privilege Cloud Safe Manager    CyberArk Safe Managers
[email protected]                   LDAP         Privilege Cloud User            LinuxAdmins

Windows Team
[email protected]                   LDAP         Privilege Cloud Safe Manager    CyberArk Safe Managers
[email protected]                   LDAP         Privilege Cloud User            WindowsAdmins

Database Team
[email protected]                   LDAP         Privilege Cloud Safe Manager    CyberArk Safe Managers
