UiPath Documentation
orchestrator
2021.10
false
  • Getting started
    • Introduction
    • User Options
    • Logging in to Orchestrator
    • Resetting Your Password
    • My Profile
    • Robots
      • Robot Statuses
      • Robot Settings
    • Auto Updating Client Components
    • Orchestrator Configuration Checklist
  • Best practices
    • Organization Modeling in Orchestrator
    • Managing Large Deployments
    • Automation Best Practices
    • Optimizing Unattended Infrastructure Using Machine Templates
  • Tenant
    • About the Tenant Context
    • Robots
      • Managing Robots
      • Connecting Robots to Orchestrator
      • Setup Samples
      • Storing Robot Credentials in CyberArk
      • SmartCard Authentication
      • Setting up Attended Robots
      • Setting up Unattended Robots
    • Folders
      • Managing Folders
      • Classic Folders Vs Modern Folders
      • Migrating From Classic Folders to Modern Folders
      • Administration of Modern Folders
      • Personal Workspaces
      • Managing Personal Workspaces
    • Managing Access and Automation Capabilities
      • Assigning Roles
      • Managing Roles
      • Default Roles
    • Machines
      • Managing Machines
      • Assigning Machine Objects to Folders
      • Configuring Account-machine Mappings
    • Packages
      • Managing Packages
      • About Libraries
      • Managing Libraries
    • Audit
    • Credential Stores
      • Managing Credential Stores
      • CyberArk® Integration
      • CyberArk® CCP Integration
      • Azure Key Vault Integration
    • Webhooks
      • Types of Events
      • Managing Webhooks
    • Licensing
      • Managing Your Licenses
    • Alerts
      • Setting Up Alert Emails
    • Settings
      • General Tab
      • Deployment Tab
      • Security Tab
      • Scalability Tab
      • Non-Working Days Tab
  • Folders Context
    • About the Folders Context
    • Home
  • Automations
    • About Automations
  • Processes
    • About Processes
    • Managing Processes
    • Managing Package Requirements
    • About Recording
  • Jobs
    • About Jobs
    • Managing Jobs
    • Job States
    • Working with long-running workflows
  • Triggers
    • About Triggers
    • Managing Triggers
    • Using Cron Expressions
  • Logs
    • About Logs
    • Managing Logs in Orchestrator
    • Logging Levels
    • Orchestrator Logs
  • Monitoring
    • About Monitoring
    • Machines
    • Processes
    • Queues
    • Queues SLA
  • Queues
    • About Queues and Transactions
      • Queue Item Statuses
      • Business Exception Vs Application Exception
      • Studio Activities Used With Queues
    • Bulk Uploading Queue Items Using a CSV File
    • Managing Queues in Orchestrator
    • Managing Queues in Studio
    • Managing Transactions
      • Editing Transactions
      • Field Descriptions for the Transactions .csv File
    • Review Requests
  • Assets
    • About Assets
    • Managing Assets in Orchestrator
    • Managing Assets in Studio
  • Storage Buckets
    • About Storage Buckets
      • CORS/CSP Configuration
    • Managing Storage Buckets
    • Moving Bucket Data Between Storage Providers
  • Test Suite - Orchestrator
    • Test Automation
    • Test Cases
      • Field Descriptions for the Test Cases Page
    • Test Sets
      • Field Descriptions for the Test Sets Page
    • Test Executions
      • Field Descriptions for the Test Executions Page
    • Test Schedules
      • Field Descriptions for the Test Schedules Page
    • Test Data Queues
      • Managing Test Data Queues in Orchestrator
        • Manage Test Data Queues
          • Delete Test Data Queues
      • Managing Test Data Queues in Studio
      • Field Descriptions for the Test Data Queues Page
      • Test Data Queue Activities
  • Other Configurations
    • Increasing the Size Limit of Package Files
    • Setting up Encryption Key Per Tenant
    • GZIP Compression
  • Integrations
    • About Input and Output Arguments
      • Argument Permissions
      • Example of Using Input and Output Arguments
  • Classic Robots
    • Robots
      • Managing Robots
      • Robot Statuses
      • Setup Samples
    • Environments
      • Assigning Packages to Environments
      • Managing Environments
    • Jobs
      • Long-Running Workflows
        • Queues
        • Duration
    • Triggers
      • Time Triggers
        • Queued Jobs Scenarios
      • Queue Triggers
    • Monitoring
      • Robots
    • Resources
  • Host administration
    • About the host level
    • Managing system administrators
    • Managing tenants
    • Configuring host authentication settings
      • Reconfiguring authentication after upgrade
      • Allowing or restricting basic authentication
      • Configuring SSO: SAML 2.0
        • ADFS Authentication
        • Google Authentication
        • Okta Authentication
        • PingOne Authentication
        • Custom Mapping
        • Self-signed Certificates
        • Private Key Certificates
      • Configuring SSO: Google
      • Configuring SSO: Azure Active Directory
      • Configuring the Active Directory Integration
        • Switching between Active Directory adapters
      • Setting up the Azure AD Integration
    • Managing your host license
      • Allocating host licenses to organizations
    • Configuring system email notifications
    • Configuring other host settings
      • Customizing the Login page
      • Orchestrator host settings
        • Tenant Settings - Host Level
    • Audit logs for the host portal
    • Maintenance Mode
  • Organization administration
    • About organizations
    • About Licensing
      • Activating your license
    • Accounts and Groups
      • Managing Accounts and Groups
      • Account Types
      • FAQ
    • Registering External Applications
      • Managing External Applications
    • Audit logs
  • Troubleshooting
    • About Troubleshooting
    • Cron Expressions
    • Upgrade Issues
    • Frequently Encountered Orchestrator Errors
UiPath logo, featuring letters U and I in white
OUT OF SUPPORT

Orchestrator User Guide

Last updated Oct 31, 2024

Configuring the Active Directory Integration

You can enable SSO using Windows authentication and enable the directory search functionality with the Active Directory integration. Directory search lets you search for directory accounts and groups from Orchestrator and work with them as you would with local accounts.

Note:
After enabling this integration, local user accounts are linked to an Active Directory user and, in the process, their username attribute is updated to the format user@domain. Thus the user can no longer use their original username to sign in and must instead use the new username in the format user@domain, or the email address tied to the Active Directory account.
Important:

Prerequisites

  • To integrate with Windows Active Directory (AD) and use Windows Authentication, LDAP port 389 must be accessible on one or more domain controllers in your domain.
  • Work with your IT administrators to ensure the Orchestrator server can access your Active Directory (AD).

  • If you plan on using LDAP over SSL (LDAPS), you must obtain and install certificates for configuring secure LDAP on each domain controller. For more information and instructions, see the LDAP over SSL (LDAPS) Certificate article on the Microsoft website.

About Integration Options

When users log in to Orchestrator with their Active Directory credentials, Orchestrator can use either of the following 2 protocols for login: NTLM (default) or Kerberos (recommended).

Orchestrator uses Kerberos to authenticate users if configured correctly, as described on this page. If there is a failure in using Kerberos, NTLM authentication is used instead.

Step 1. Configure the Orchestrator Cluster (Kerberos Only)

If you do not want to use the Kerberos protocol for authentication, skip to the next step.

Requirements for multi-node clusters

  • The nodes in the cluster must be deployed under a load balancer. Use the load balancer host name whenever the hostname is required in these instructions.
  • The Orchestrator application pool must be configured to run under a custom identity. The custom identity should be a domain account.

Setting a Custom Identity

This is only required if you are running a multi-node cluster, or a single-node cluster with a load balancer.

For single-node clusters with no load balancer, this is optional.

  1. Open IIS (Internet Information Services Manager).
  2. In IIS, in the Connections panel on the left, click Application Pools.
  3. Go to Identity > Advanced Settings > Process Model > Identity.
  4. In the Application Pool Identity dialog, select Custom account and specify a domain-qualified user account.
  5. Click OK to apply your changes.
  6. Close IIS.


SPN Setup

If the Orchestrator application pool is configured to run under a custom identity, that account must have an SPN registered for the host name.

This step is required if you are running:

  • a multi-node cluster because you must define a custom identity or
  • a single-node cluster with a load balancer, which is treated the same as a multi-node cluster.

This step is not required if:

  • you are running a single-node cluster with no load balancer and
  • you chose to use a custom identity, but you used the cluster computer name as the custom identity

On a domain-joined machine that has write access in the target Orchestrator organization and tenant:

  1. Open the Command Prompt.
  2. Change the directory to C:\Windows\System32, by using the cd C:\Windows\System32 command.
  3. Run the command setspn.exe -a HTTP/<hostname> <domain account>, where:
    • HTTP/<hostname> - The URL at which your Orchestrator instance can be accessed.
    • <domain account> - The name or domain\name of the custom identity as which the Orchestrator application pool is running.

Step 2. Configure IIS to Enable Windows Authentication

Note: If you have a multi-node installation, you must perform IIS configuration on each of your cluster nodes.
  1. Open IIS (Internet Information Services Manager).
  2. In the Connections section, under the Sites node, select UiPath Orchestrator.
  3. In the main panel, double-click Authentication to view the details.
  4. Select Windows Authentication and then, in the Actions panel on the right, select Advanced Settings.
    Note: If not already enabled, enable Windows Authentication to continue with these instructions.
  5. Click the UiPath Orchestrator site on the left, and then double-click Configuration Editor in the main area.


  6. In the Configuration Editor, along the top, from the Section list, select system.webServer/security/authentication/windowsAuthentication.
  7. For useAppPoolCredentials, set the value to True:

Step 3. Configure Orchestrator

  1. Log in to the Management portal as a system administrator.
  2. Go to Users and select the Authentication Settings tab.
  3. In the External Providers section, click Configure under Active Directory:


    The Configure Active Directory panel opens at the right of the screen.

  4. Select the Enabled checkbox.
  5. If you want to only allow users to log in using their Active Directory credentials, select the Force automatic login using this provider checkbox.

    If selected, users can no longer log in using their Orchestrator username and password; they must use their Active Directory credentials, with a domain-qualified username.

  6. If you want to use the Kerberos protocol for authentication, select the Use Kerberos Auth checkbox.

    We recommend using Kerberos.

    • If you select this option, users are automatically signed in to Orchestrator without needing to enter their credentials.
    • If you do not select this option, the default NTLM protocol is used and users must enter their Active Directory credentials to log in.
  7. Optionally edit the value in the Display Name field to customize the label for the Windows authentication button that is displayed on the Login page.
  8. Restart the IIS site. This is required whenever you make changes to External Providers.

Step 4. Verify the Authentication Protocol

Now that the integration is configured, we recommend performing a test login using AD credentials and verifying that your chosen authentication protocol (NTLM or Kerberos) is used for logging in.

  1. Log in to Orchestrator using your Active Directory credentials to create a login event.

    Note the time when you logged in.

  2. Open Event Viewer in Windows.
  3. Go to Window Logs > Security.
  4. In the list of security events, look for the entry with the following specifics:
    • Event ID: 4624
    • Date and Time: Today's date and the time when you logged in with your Active Directory credentials.
  5. Double-click the row to open the event properties dialog.
  6. On the General tab, scroll down to the Detailed Authentication Information section and check the following:


    If Kerberos authentication was used:

    • the value of Authentication Package must be Negotiate
    • the value of Package Name must be blank (-) because this only applies for NTLM. If this value is NTLM V2, then the default authentication protocol was used and not Kerberos.

In Google Chrome incognito mode, the browser prompts for credentials and it does an explicit authentication with credentials. The flow does work and it uses Kerberos.

Was this page helpful?

Connect

Need help? Support

Want to learn? UiPath Academy

Have questions? UiPath Forum

Stay updated