Setting up Kerberos authentication
To successfully set up Kerberos authentication, you must meet the following prerequisites:
Before you can configure Kerberos authentication, work with your IT administrators to ensure the Automation Suite cluster can access your AD.
The following requirements must be met:
- Automation Suite cluster must be on the same network as the AD domain;
- DNS must be set up correctly on the network so that the Automation Suite cluster can resolve the AD domain names.
Note: It is critical that the Automation Suite cluster can resolve the AD domain names. You can verify this by running nslookup <AD domain name> on the host machine.
Generating Kerberos default keytab and username parameters
Option 1: By running the script (recommended)
- Log in with your AD administrator account on a Windows domain-joined machine.
- Run the keytab-creator.ps1 script as administrator.
- Input the following values to the script:
  - Service Fabric FQDN. For example, uipath-34i5ui35f.westeurope.cloudapp.azure.com.
  - AD domain FQDN. For example, TESTDOMAIN.LOCAL.
  - An AD user account. You can use an existing account, such as sAMAccountName, or you can allow the script to create a new one.
<KERB_DEFAULT_USERNAME> and <KERB_DEFAULT_KEYTAB> parameters required by the Kerberos setup.
Option 2: Manually
<KERB_DEFAULT_USERNAME> and <KERB_DEFAULT_KEYTAB> for that account as follows:
To configure the UiPath® cluster to connect to SQL using Windows integrated authentication/Kerberos, you need to perform a few additional steps:
- the SQL server must join the AD domain;
- the Automation Suite cluster must be on the same network as the SQL Server;
- the Automation Suite cluster can resolve the AD and SQL servers' domain names;
- the AD user must have access to SQL server and DB permissions.
To create a new login in SQL Server Management Studio, take the following steps:
a. In the Object Explorer panel, navigate to Security > Logins.
b. Right-click the Logins folder and select New Login. The Login - New window is displayed.
c. Select the Windows Authentication option. The window is updated accordingly.
d. In the Login name field, type the user domain you want to use as a service account.
e. From the Default Language list, select English.
f. Click OK. Your configurations are saved.
If the service account has already been created and added to the Security > Logins section of the SQL Server, please check whether the Default Language of that SQL account is set to English. If it isn't, please make the necessary adjustments.
db_owner user mapping role, as in the following screenshot.
db_owner user mapping role with the UiPath® login, grant the following permissions:
- db_datareader
- db_datawriter
- db_ddladmin
- EXECUTE permission on dbo schema
EXECUTE permission has to be granted by using the GRANT EXECUTE SQL command, as follows:
USE UiPath
GO
GRANT EXECUTE ON SCHEMA::dbo TO [domain\user]
GO
Integrated Security=True, you need to create a unique keytab for each UiPath® application, as follows. This will be referred to as <KERB_APP_KEYTAB> for that application.
Generating Kerberos application keytab and username parameters
Option 1: By running the script (recommended)
- Run the service-keytab-creator.ps1 script.
- Input the following values to the script:
  - AD domain FQDN. For example, TESTDOMAIN.LOCAL.
  - The username and password of an AD user account. For example, the AD user account sAMAccountName and its password.
<KERB_APP_USERNAME> and <KERB_APP_KEYTAB> parameters required by Kerberos.
Option 2: Manually
Run the following script manually:
# Generate keytab file and output it in the desired path
ktpass /princ <AD username>@<AD domain in cap> /pass <AD user password> /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /out <path to keytab file> -setpass
# Converts AD user's keytab file to base 64
[Convert]::ToBase64String([System.IO.File]::ReadAllBytes("<path to the generated keytab file>"))
<AD username> will be the <KERB_APP_USERNAME> corresponding to the <KERB_APP_KEYTAB>.
This section explains how you can configure Automation Suite as a Kerberos client for LDAP or SQL access.
<KERB_DEFAULT_KEYTAB>, configure Automation Suite as a Kerberos client in one of the following ways:
- Configuring Kerberos authentication via the interactive installer
- Configuring Kerberos authentication via cluster_config.json
Note: If you want to set up different services to run under their own AD account, and access SQL as that AD account, you can specify ad_username with that <KERB_APP_USERNAME>, and user_keytab as <KERB_APP_KEYTAB> under the configuration section of the service.
- In the cluster_config.json file, set the kerberos_auth_config.enabled parameter to true.
- If you want to use Kerberos for SQL access, configure the sql_connection_string_template, sql_connection_string_template_jdbc, and sql_connection_string_template_odbc with the Integrated Security flag.
- If you want to set up a different AD user per service, take the following steps:
- After updating the cluster_config.json, run the installer script to update the configuration. For details, see Managing products.
Sample of updating Orchestrator and the platform to use Kerberos authentication
"kerberos_auth_config": {
  "enabled" : true,
  "ticket_lifetime_in_hour" : 8,
  "ad_domain": "PLACEHOLDER - INSERT ACTIVE DIRECTORY DOMAIN ",
  "default_ad_username": "PLACEHOLDER - INSERT KERB_DEFAULT_USERNAME",
  "default_user_keytab": "PLACEHOLDER - INSERT KERB_DEFAULT_KEYTAB"
},
"sql_connection_string_template": "PLACEHOLDER",
"sql_connection_string_template_jdbc": "PLACEHOLDER",
"sql_connection_string_template_odbc": "PLACEHOLDER",
"orchestrator": {
  "sql_connection_str": "Server=tcp:sfdev1804627-c83f074b-sql.database.windows.net,1433;Initial Catalog=AutomationSuite_Orchestrator;Persist Security Info=False;Integrated Security=true;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;Max Pool Size=100;",
  "kerberos_auth_config": {
    "ad_username": "PLACEHOLDER - INSERT KERB_APP_USERNAME for Orchestrator",
    "user_keytab": "PLACEHOLDER - INSERT KERB_APP_KEYTAB for Orchestrator"
  },
  "testautomation": {
    "enabled": true
  },
  "updateserver": {
    "enabled": true
  }
},
"platform": {
  "sql_connection_str": "Server=tcp:sfdev1804627-c83f074b-sql.database.windows.net,1433;Initial Catalog=AutomationSuite_Platform;Persist Security Info=False;Integrated Security=true;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;Max Pool Size=100;",
  "kerberos_auth_config": {
    "ad_username": "PLACEHOLDER - INSERT KERB_APP_USERNAME for platform",
    "user_keytab": "PLACEHOLDER - INSERT KERB_APP_KEYTAB for platform"
  }
}
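The following is an added example, not part of the UiPath documentation or tooling: a Python check that decodes the base64 keytabs in a parsed cluster_config.json and reports services whose keytab, AD username, or connection string do not line up. It assumes keytabs in file format 0x0502 with principals of the form <AD username>@<AD domain>, as the ktpass command above produces; keytab_entries, sample_keytab and check_kerberos are hypothetical names, and the sample keytab is constructed with a zeroed key.

```python
import base64, struct

AES256_SHA1 = 18  # Kerberos enctype number of aes256-cts-hmac-sha1-96

def keytab_entries(b64):
    """Decode a base64 keytab (file format 0x0502) into (principal, enctype) pairs."""
    data = base64.b64decode(b64, validate=True)
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # a negative length marks a deleted slot to skip
            pos -= size
            continue
        rec, pos, off = data[pos:pos + size], pos + size, 2
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        parts = []
        for _ in range(ncomp + 1):  # realm first, then the name components
            (n,) = struct.unpack_from(">H", rec, off)
            parts.append(rec[off + 2:off + 2 + n].decode())
            off += 2 + n
        (enctype,) = struct.unpack_from(">H", rec, off + 9)  # skip type, time, kvno
        out.append(("/".join(parts[1:]) + "@" + parts[0], enctype))
    return out

def sample_keytab(user, realm, enctype=AES256_SHA1):  # constructed input, zeroed key
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    tail = struct.pack(">IIBHH", 1, 0, 1, enctype, 32) + bytes(32)
    rec = struct.pack(">H", 1) + s(realm) + s(user) + tail
    return base64.b64encode(b"\x05\x02" + struct.pack(">i", len(rec)) + rec).decode()

def check_kerberos(cfg):
    """Findings for the Kerberos keys of cluster_config.json (assumes ktpass-style principals)."""
    top = cfg.get("kerberos_auth_config", {})
    realm = top.get("ad_domain", "")
    jobs = [("default", None, top.get("default_user_keytab"), None)]
    jobs += [(name, s["kerberos_auth_config"].get("ad_username"),
              s["kerberos_auth_config"].get("user_keytab"), s.get("sql_connection_str", ""))
             for name, s in cfg.items() if isinstance(s, dict) and "kerberos_auth_config" in s]
    findings = []
    for svc, user, keytab, conn in jobs:
        if conn is not None and "integrated security=true" not in conn.lower():
            findings.append(f"{svc}: connection string lacks Integrated Security=true")
        try:
            entries = keytab_entries(keytab or "")
        except (ValueError, struct.error) as exc:
            findings.append(f"{svc}: keytab unreadable ({exc})")
            continue
        if user and not any(p.lower() == f"{user}@{realm}".lower() for p, _ in entries):
            findings.append(f"{svc}: keytab has no key for {user}@{realm}")
        if any(e != AES256_SHA1 for _, e in entries):
            findings.append(f"{svc}: keytab holds a non-AES256 key")
    return findings
```

Load the real file with json.load and pass the result to check_kerberos; an empty list means every keytab decoded, matched its AD username, and held only AES256 keys.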
Service groups and services
cluster_config.json file, or in the ArgoCD UI.
| Service group name for cluster_config.json | Service group name for ArgoCD | Included services |
|---|---|---|
| | | Orchestrator, Webhooks |
| | | Identity, License Accountant (LA), Audit, Location, License Resource Manager (LRM), Organization Management Service (OMS) |
| | | Automation Hub, Task Mining |
| | | Test Manager |
| | | Automation Ops |
| | | AI Center |
| | | Document Understanding |
| | | Insights |
| | | Data Service |
| | | Automation Suite Robots |
| | | Process Mining |
For Kerberos authentication to be used when logging in to Automation Suite, you must further configure Automation Suite host settings.
To remove Kerberos authentication completely, take the following steps:
- If you used Kerberos to configure AD integration, reconfigure AD with the username and password option by following the instructions in Configuring the Active Directory integration.
- If you used SQL integrated authentication, configure the SQL connection strings to use User Id and Password.
- Disable Kerberos authentication. In the cluster_config.json file, set the kerberos_auth_config.enabled parameter to false, then run the installer script to update the configuration. For details, see Managing products.
To remove SQL integrated authentication, take the following steps:
- Configure the SQL connection strings to use User Id and Password.
- If you want to disable SQL integrated authentication for all the services, in the cluster_config.json file, set the kerberos_auth_config.enabled parameter to false and then run the installer script to update the configuration. For details, see Managing products.
If you encounter any issues while configuring Kerberos, see Authentication troubleshooting.