The UiPath Automation Suite Guide

Configuring SSO: Active Directory

You can enable directory search functionality with Active Directory integration and SSO using Windows Authentication.

Known limitations

  • Directory search for users from an external trust domain is not supported, because with an external trust there is no authority that both sides of the trust recognise.
  • Windows Authentication in Automation Suite uses the Kerberos protocol, so Windows login works only from domain-joined machines: the browser must be able to obtain a service ticket for Automation Suite from the domain's KDC.

Step 1. Configure the Active Directory integration


Work with your IT administrators to ensure the Automation Suite cluster can access your Active Directory (AD).

The Active Directory integration can be configured either with a username and password or with Kerberos authentication.

Kerberos authentication is recommended: it supports more scenarios, and it does not require the password of a domain account to be stored in the Authentication Settings.

Scenario                                           Username and password   Kerberos authentication
Directory search for domains in the same forest    Supported               Supported
Directory search for domains in a trusted forest   Not supported           Supported
Directory search for external trust domains        Not supported           Not supported

Username and password configuration

  1. Log in to the Automation Suite host portal as a system administrator.
  2. Go to Users and select the Authentication Settings tab.
  3. In the External Providers section, click Configure under Active Directory.
    • Do not select the Enabled checkbox at this time.
    • In the Default Domain field, type the fully-qualified domain name (FQDN) of your Active Directory (AD) domain.
    • In the Username field, type the user name of an AD user in the format DOMAIN\username, for example TESTDOMAIN\user1. Use a dedicated service account for this: it needs only read access to the directory, and its password is stored by Automation Suite.
    • In the User Password field, type the password of that AD account.
  4. Click Test and Save to save the changes.
  5. Restart the identity-service-api pods. This is required after any change to External Providers.
    a. Connect to the primary server using SSH.
    b. Run the following command, which performs a rolling restart of the deployment:
    kubectl -n uipath rollout restart deployment identity-service-api

Kerberos configuration

Configure Kerberos authentication

You configure Kerberos authentication as part of installation.

Enable Kerberos authentication

  1. Log in to the Automation Suite host portal as a system administrator.
  2. Go to Users and select the Authentication Settings tab.
  3. In the External Providers section, click Configure under Active Directory.
    • Do not select the Enabled checkbox at this time.
    • Select the Use Kerberos Auth checkbox.
  4. Click Test and Save to save your changes.
  5. Restart the identity-service-api pods. This is required after any change to External Providers.
    a. Connect to the primary server using SSH.
    b. Run the following command:
    kubectl -n uipath rollout restart deployment identity-service-api

Step 2. Configure Windows Authentication


Prerequisites

  • Work with your IT administrators to ensure the Automation Suite cluster can access your Active Directory (AD).
  • Obtain the AD server metadata required to configure Windows Authentication with the Kerberos protocol:
    • FQDN of your AD domain: referred to below as fqdn, or FQDN where it must be written in uppercase; for example, testdomain.local and TESTDOMAIN.LOCAL. The uppercase form is the Kerberos realm name.
    • NetBIOS name of your AD domain: referred to below as domain host, or DOMAIN HOST in uppercase; for example, testdomain and TESTDOMAIN.
    • FQDN of your Automation Suite installation: the host name in the URL you use to access the Automation Suite environment, referred to below as asfqdn; for example, uipath-34i5ui35f.westeurope.cloudapp.azure.com.

Configure the AD Server

  1. In your AD Server, create a new computer account:
    a. In the Active Directory Users and Computers console, right-click the Computers folder, click New and then select Computer.
    b. Fill in the Computer name field with any value and finish creating the computer account. No machine is joined with this account; it exists only to hold the HTTP/<asfqdn> service principal and its key.
    c. Right-click the newly created computer account and select Properties.
    d. Go to the Attribute Editor tab, click Filter and make sure that Show only attributes that have values is not selected.
    If you do not see the Attribute Editor tab, enable Advanced Features from the View menu.
    e. Locate the msDS-SupportedEncryptionTypes attribute and set its value to 16 (0x10). This restricts the account to AES256-CTS-HMAC-SHA1-96, the same cipher the keytab is generated with below, so the KDC never issues RC4 service tickets that the keytab could not decrypt.
  2. To generate a keytab file for the SPN, open PowerShell with admin access and execute the following command:
ktpass -princ HTTP/<asfqdn>@<FQDN> -pass <keyTabFilePassword> -mapuser <DOMAIN HOST>\<computer name>$ -pType KRB5_NT_PRINCIPAL -out <output file path> -crypto AES256-SHA1

The realm (the part after @) and the NetBIOS domain name must be uppercase. For example:

ktpass -princ HTTP/uipath-34i5ui35f.westeurope.cloudapp.azure.com@TESTDOMAIN.LOCAL -pass pwd123 -mapuser TESTDOMAIN\server0$ -pType KRB5_NT_PRINCIPAL -out c:\krb5.keytab -crypto AES256-SHA1

    Before running ktpass, confirm that no other account already carries the SPN (setspn -Q HTTP/<asfqdn>); a duplicate SPN breaks Kerberos authentication for both accounts. ktpass sets the computer account's password to <keyTabFilePassword> and derives the AES256 key in the keytab from it, so use a long random value rather than a memorable one: a weak password can be recovered offline from any service ticket issued for this SPN. Running ktpass again rotates the key and invalidates every keytab issued before. The keytab is the service's long-term key, and anyone holding it can decrypt tickets for HTTP/<asfqdn>, so protect the file and its Base64 copy accordingly and delete local copies once the secret is stored in the cluster.
  3. To encode the generated keytab file in Base64, open PowerShell and execute the following command:
[Convert]::ToBase64String([System.IO.File]::ReadAllBytes("<path to the generated keytab file>"))
  4. Save the encoded keytab file to the Automation Suite cluster.
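Before the encoded keytab is stored in the cluster, it is worth confirming that it really contains what the KDC and Automation Suite expect, because a realm typed in lowercase or a keytab generated with a different -crypto value is only noticed when Windows login fails. The following script is an added example and not UiPath code: it parses the MIT keytab layout (file version 0x0502, which is what ktpass writes), verifies the HTTP/<asfqdn>@<REALM> entry and its AES256 key, and cross-checks the key's enctype against the value set in msDS-SupportedEncryptionTypes. The sample keytab is constructed inside the script with a random placeholder key, and the host name and realm are the example values used on this page; to check a real file, pass the output of the [Convert]::ToBase64String command above to check_keytab().

```python
"""Added example (not UiPath code): verify a keytab before it goes into krb5KeytabSecret.
Parses the MIT keytab layout (file version 0x0502, what ktpass writes) and checks for the
entry Automation Suite needs: HTTP/<asfqdn>@<REALM>, name type KRB5_NT_PRINCIPAL, an
aes256-cts-hmac-sha1-96 key (enctype 18) that msDS-SupportedEncryptionTypes also enables."""
import base64
import os
import struct
import time

KRB5_NT_PRINCIPAL = 1
ETYPE_AES256_SHA1 = 18          # aes256-cts-hmac-sha1-96 (RFC 3962)
AES256_KEY_LEN = 32
# Bits of msDS-SupportedEncryptionTypes -> Kerberos enctype numbers (16 = AES256 only)
MSDS_BITS = {0x01: 1, 0x02: 3, 0x04: 23, 0x08: 17, 0x10: 18}


def _counted(b: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(buf: bytes, off: int):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n


def build_keytab(principal: str, realm: str, enctype: int, key: bytes, kvno: int = 2) -> bytes:
    """Build a one-entry keytab in the layout ktpass produces (sample input only)."""
    comps = [c.encode() for c in principal.split("/")]
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, int(time.time()), kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                       # 32-bit kvno trailer
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def keytab_b64(principal: str, realm: str, enctype: int, key: bytes, kvno: int = 2) -> str:
    """The same string [Convert]::ToBase64String produces for the keytab file."""
    return base64.b64encode(build_keytab(principal, realm, enctype, key, kvno)).decode()


def parse_keytab(data: bytes) -> list:
    """Return every live entry of a version 0x0502 keytab as a dict."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab (header %s)" % data[:2].hex())
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # a negative size marks a deleted slot
            pos -= size
            continue
        e = data[pos:pos + size]
        pos += size
        (ncomp,) = struct.unpack_from(">H", e, 0)
        realm, off = _read_counted(e, 2)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(e, off)
            comps.append(c)
        name_type, ts, vno8 = struct.unpack_from(">IIB", e, off)
        enctype, klen = struct.unpack_from(">HH", e, off + 9)
        key = e[off + 13:off + 13 + klen]
        off += 13 + klen
        vno = struct.unpack_from(">I", e, off)[0] if size - off >= 4 else vno8
        entries.append({"principal": "/".join(comps), "realm": realm, "name_type": name_type,
                        "timestamp": ts, "kvno": vno, "enctype": enctype, "key": key})
    return entries


def check_keytab(b64: str, asfqdn: str, realm: str, msds_enc_types: int) -> list:
    """Return the problems found; an empty list means the keytab is usable as-is."""
    try:
        entries = parse_keytab(base64.b64decode(b64, validate=True))
    except (ValueError, struct.error) as exc:
        return ["keytab does not decode: %s" % exc]
    hits = [e for e in entries if (e["principal"], e["realm"]) == ("HTTP/" + asfqdn, realm)]
    if not hits:
        return ["no entry for HTTP/%s@%s" % (asfqdn, realm)]
    allowed = {MSDS_BITS[b] for b in MSDS_BITS if msds_enc_types & b}
    problems = []
    for e in hits:
        if e["realm"] != e["realm"].upper():
            problems.append("realm %s is not uppercase" % e["realm"])
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            problems.append("name type %d, expected KRB5_NT_PRINCIPAL (1)" % e["name_type"])
        if e["enctype"] != ETYPE_AES256_SHA1:
            problems.append("enctype %d, expected 18 (aes256-cts-hmac-sha1-96)" % e["enctype"])
        elif len(e["key"]) != AES256_KEY_LEN:
            problems.append("AES256 key is %d bytes, expected %d" % (len(e["key"]), AES256_KEY_LEN))
        # The KDC issues tickets only in enctypes the account advertises; anything else never decrypts.
        if e["enctype"] not in allowed:
            problems.append("msDS-SupportedEncryptionTypes=%d does not enable enctype %d"
                            % (msds_enc_types, e["enctype"]))
    return problems


if __name__ == "__main__":
    ASFQDN, REALM = "uipath-34i5ui35f.westeurope.cloudapp.azure.com", "TESTDOMAIN.LOCAL"
    good = keytab_b64("HTTP/" + ASFQDN, REALM, ETYPE_AES256_SHA1, os.urandom(32))
    print("AES256 keytab, account at 16:", check_keytab(good, ASFQDN, REALM, 16) or "OK")
    rc4 = keytab_b64("HTTP/" + ASFQDN, REALM, 23, os.urandom(16))   # as if -crypto RC4-HMAC-NT
    print("RC4 keytab, account at 16:", check_keytab(rc4, ASFQDN, REALM, 16))
```

The RC4 case reports two problems at once: the cipher is not the AES256 the page calls for, and an account with msDS-SupportedEncryptionTypes set to 16 would never be issued an RC4 ticket anyway, so the mismatch would surface only as failed Windows logins.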

Configure the Automation Suite cluster

  1. Go to Argo CD and log in as an administrator.
  2. Select and go to the "uipath" application.
  3. Click APP DETAILS in the top left corner.
  4. In the PARAMETERS section, search for the krb5KeytabSecret parameter.
  5. Update the parameter's value with the Base64-encoded string of the keytab file you generated on the AD server, and then save.
  6. Click SYNC to apply the change.
  7. Wait a few minutes for the Identity Server to restart automatically.

Step 3. Enable the Active Directory integration


Now that all the configuration required for the integration is complete, you can enable it.

  1. Log in to the Automation Suite host portal as a system administrator.
  2. Go to Users and select the Authentication Settings tab.
  3. In the External Providers section, click Configure under Active Directory.
  4. Select the Enabled checkbox.
  5. Restart the identity-service-api pods. This is required after any change to External Providers.
    a. Connect to the primary server using SSH.
    b. Run the following command:
    kubectl -n uipath rollout restart deployment identity-service-api

Step 4. Browser configuration


Microsoft Internet Explorer

Not supported.

Microsoft Edge

No additional configuration required.

Google Chrome

On Windows, Chrome has no Kerberos settings of its own: it decides whether to answer a Negotiate challenge automatically from the Windows Internet Options security zones, which is why the following steps are made in the Internet Options dialog rather than in Chrome.

  1. Open Internet Options (Control Panel > Internet Options, or Tools > Internet Options in Internet Explorer) and go to the Security tab.
  2. Select Local Intranet.
  3. Click Sites.
  4. Make sure that Automatically detect intranet network is selected or that all of the options are selected.
  5. Click Advanced.
  6. Add the Automation Suite FQDN to the Local Intranet zone.
  7. Click Close and OK.
  8. Click Custom Level.
  9. Optionally select Automatic logon only in Intranet zone under User Authentication.
    If selected, when the browser receives the authentication challenge it checks the origin of the request: if the host belongs to the Local Intranet zone, the browser responds with the signed-in user's credentials automatically; otherwise it prompts for a user name and password.
  10. Optionally select Automatic logon with current user name and password under User Authentication.
    If selected, the browser answers the authentication challenge with the current user's credentials silently, whatever zone the host is in. If authentication succeeds, the browser continues with the original request; if it fails, the browser prompts for a user name and password and retries until authentication succeeds. Because this option also applies to hosts in the Internet zone, prefer the option in step 9 together with the Local Intranet entry from step 6.
  11. Make sure that Enable Integrated Windows Authentication is selected under Internet Options > Advanced, in the Security section.

Mozilla Firefox

  1. Type about:config in the address bar and accept the warning to open the configuration editor.
  2. Specify the Automation Suite FQDN for which you use Kerberos authentication:
    a. Search for the term network.negotiate.
    b. Set network.negotiate-auth.trusted-uris to the Automation Suite FQDN (example value: uipath-34i5ui35f.westeurope.cloudapp.azure.com). This is the list of hosts whose Negotiate challenge Firefox answers with a Kerberos ticket.
    c. Set network.negotiate-auth.delegation-uris to the same FQDN (example value: uipath-34i5ui35f.westeurope.cloudapp.azure.com). Hosts listed here additionally receive a forwardable copy of the user's TGT (credential delegation), so list only the Automation Suite FQDN here rather than a whole domain suffix.
    d. Set network.negotiate-auth.allow-non-fqdn to true.

Step 5. Allow Windows Authentication for the organization


Now that Automation Suite is integrated with Windows Authentication, users who have a user account in Automation Suite can use the Windows option on the Login page to sign in to Automation Suite with their domain credentials.

Each organization administrator must do this for their organization if they want to allow login with Windows credentials.

  1. Log in to Automation Suite as an organization administrator.
  2. Assign an organization-level role to an Active Directory user or group.
