PingOne for Enterprise

Add trusted sites using Group Policy

Before you begin

Requirements

  • Administrative permissions on the domain controller (DC) of the domain that contains the Windows Server IIS host (or cluster of IIS hosts) for AD Connect.

About this task

For seamless SSO with AD Connect, use these instructions when you want to add the IIS host to the Internet Explorer (IE) clients' list of trusted sites and you are using a Group Policy for IE to do so.

You will need to create a new Group Policy Object (GPO) on the DC and assign the trusted site for AD Connect to Internet Explorer clients.

These Group Policy settings should also work for Chrome.

Steps

  1. From the DC, open Group Policy Management (in Administrative Tools).

  2. Right-click the domain, select Create a GPO in this domain, and Link it here, and enter a name for the GPO you will use for the IE trusted sites policy.

  3. Right-click on your new GPO and select Edit. The Computer Configuration and User Configuration nodes are displayed in the left pane.

  4. Expand the User Configuration node to Preferences → Windows Settings.

  5. Right-click Registry and select New, Registry Item.

  6. From the Action dropdown list, select Update.

  7. From the Hive dropdown list, select HKEY_CURRENT_USER, then click to browse for the Key Path value.

  8. Expand the HKEY_CURRENT_USER node to Preferences → Software → Microsoft → Windows → CurrentVersion → Internet Settings → ZoneMap. Click Domains → Select.

  9. In the Key Path field, go to the end of the entry and enter the domain in which the IIS host for AD Connect resides (for example, mydomain.com), and the IIS host name (for example, adConnect):

    Example:

    Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mydomain.com\adConnect

    If you’re using NLB, or another clustering solution, you will specify the virtual cluster IP rather than an individual IIS host name here.

  10. In the Value name field, enter the protocol. We recommend "https".

  11. From the Value type dropdown list, select REG_DWORD, and for Value data enter "1" as the number (1 - 4) indicating the security zone to assign to the URL.

    The security zone assignments are as follows:

    • 1 - Intranet

    • 2 - Trusted Sites

    • 3 - Internet

    • 4 - Restricted

  12. Click Apply → OK and close Group Policy Management.

  13. From the command line interface, run the command: gpupdate /force.

  14. When the command finishes, close IE (if it is open) and run the gpupdate /force command again, this time from the Local Admin account.

  15. Open IE and go to Tools → Internet Options → Security → Local Intranet → Sites. You should see the URL for the IIS host for AD Connect in the list of trusted sites.
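As an added example (not part of the PingOne documentation), the following PowerShell script, run on a client after gpupdate, verifies that the registry item created in the steps above arrived with the expected name, type and zone, and then audits the user's ZoneMap for any plain "http" entries placed in the Intranet or Trusted Sites zones. The domain and host names are the page's placeholders; $DomainsKey is the standard HKCU ZoneMap location the GPP item writes to.

```powershell
# Added verification example, not from the PingOne documentation.
# Run on a domain-joined client, as the user who received the GPO.
$Domain       = 'mydomain.com'   # placeholder from the page
$HostName     = 'adConnect'      # or the NLB virtual cluster IP when clustered
$Protocol     = 'https'          # the Value name recommended above
$ExpectedZone = 1                # 1 = Intranet, per the zone table above

$ZoneNames  = @{ 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted' }
$DomainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Test-ZoneMapping {
    param([string]$Domain, [string]$HostName, [string]$Protocol, [int]$Expected)
    $path = Join-Path (Join-Path $DomainsKey $Domain) $HostName
    if (-not (Test-Path $path)) {
        Write-Warning "Missing key $path - run gpupdate /force, reopen IE and retry"
        return $false
    }
    $key = Get-Item $path
    if ($key.GetValueNames() -notcontains $Protocol) {
        Write-Warning "Key exists but has no '$Protocol' value (check the GPP Value name)"
        return $false
    }
    # The GPP item must be REG_DWORD; a REG_SZ "1" is ignored by the zone mapper.
    $kind = $key.GetValueKind($Protocol)
    if ($kind -ne 'DWord') {
        Write-Warning "Value '$Protocol' is $kind, expected REG_DWORD"
        return $false
    }
    $zone = [int]$key.GetValue($Protocol)
    $name = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { 'unknown' }
    Write-Host "$Protocol://$HostName.$Domain -> zone $zone ($name)"
    return ($zone -eq $Expected)
}

# Audit: an 'http' value in zone 1 or 2 grants elevated trust to a cleartext URL.
function Get-RiskyZoneMappings {
    Get-ChildItem $DomainsKey -Recurse | ForEach-Object {
        $k = $_
        foreach ($v in $k.GetValueNames()) {
            $z = $k.GetValue($v) -as [int]
            if ($v -eq 'http' -and $z -in 1, 2) {
                [pscustomobject]@{ Key = ($k.PSPath -replace '^.*Domains\\', ''); Value = $v; Zone = $z }
            }
        }
    }
}

Test-ZoneMapping -Domain $Domain -HostName $HostName -Protocol $Protocol -Expected $ExpectedZone
Get-RiskyZoneMappings | Format-Table -AutoSize
```

Test-ZoneMapping returns $true only when the key, value name, REG_DWORD type and zone number all match, which is a quicker confirmation than browsing the Internet Options dialog on each client.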

Result

This method of adding trusted sites using Group Policy applies to every IE client user in the domain, and doesn’t conflict with any URLs added by the user. You can constrain this policy by applying the GPO to a specific OU within the domain, or changing the Security Group to which the GPO should apply (in the GPO’s Scope → Security Filtering settings).