
UiPath Automation Suite

The UiPath Automation Suite Guide

Setting up Kerberos authentication

Prerequisites

To successfully set up Kerberos authentication, you must meet the following prerequisites:

  1. Ensure the Automation Suite cluster can access your Active Directory (AD) and SQL server. Before you configure Kerberos authentication, work with your IT administrators to confirm the following:
    • The SQL server must be joined to the AD domain;
    • The Automation Suite cluster must be on the same network as the AD domain and SQL server;
    • DNS must be set up correctly on the network so that the Automation Suite cluster can resolve the AD and SQL servers' domain names;
    • An AD user with access to the SQL server, with DB permissions as defined here.

📘

Note:

It is critical that the Automation Suite cluster can resolve the AD and SQL servers' domain names. You can verify this by running nslookup <AD domain name> and nslookup <SQL server domain name> on the host machine.

  2. Obtain AD server and SQL server metadata to configure Kerberos authentication. Reach out to your AD administrator and obtain the following information:
    • Active Directory domain name;
    • Active Directory user's username - make sure this user has access to the SQL server. The username is case sensitive. This is also the "sAMAccountName" of the user.

Generate the AD user's keytab file by executing the following PowerShell commands on the AD server:

# Generate keytab file and output it in the desired path
ktpass /princ <AD username>@<AD domain in cap> /pass <AD user password> /ptype KRB5_NT_PRINCIPAL /crypto AES256 /out <path to keytab file> -setpass
# Converts AD user's keytab file to base 64
[Convert]::ToBase64String([System.IO.File]::ReadAllBytes("<path to the generated keytab file>"))
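
A check you can run on the base64 value before giving it to the installer, added here as an example (not UiPath code): it parses the keytab (file format 0x0502) and confirms that the principal, the uppercase realm and the AES256 encryption type match what the ktpass command above was meant to produce. The function names and the sample keytab, which carries an all-zero key, are constructed for illustration.

```python
import base64
import struct

AES256 = 18  # enctype number of aes256-cts-hmac-sha1-96 (ktpass /crypto AES256)

def parse_keytab(b64_value):
    """Decode a base64 keytab (file format 0x0502) into (name, realm, enctype)."""
    data = base64.b64decode(b64_value, validate=True)
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    def counted(p):  # 16-bit big-endian length, then that many bytes
        (n,) = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n].decode(), p + 2 + n
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # a negative size marks a deleted entry; skip the hole
            pos += -size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = counted(pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(p)
            comps.append(comp)
        # enctype follows name type (4), timestamp (4) and 8-bit key version (1)
        (enctype,) = struct.unpack_from(">H", data, p + 9)
        entries.append(("/".join(comps), realm, enctype))
        pos += size
    return entries

def check_keytab(b64_value, ad_username, ad_domain):
    """Return mismatches between the keytab and the values given to the installer."""
    entries = parse_keytab(b64_value)
    problems = [] if entries else ["keytab contains no entries"]
    for name, realm, enctype in entries:
        if name != ad_username:  # the guide notes the username is case sensitive
            problems.append(f"principal {name!r} != {ad_username!r}")
        if realm != ad_domain.upper():  # ktpass was given the domain in capitals
            problems.append(f"realm {realm!r} is not {ad_domain.upper()!r}")
        if enctype != AES256:
            problems.append(f"enctype {enctype} is not AES256 ({AES256})")
    return problems

def sample_keytab(user, realm, enctype=AES256):  # constructed; all-zero key
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", 1) + cs(realm) + cs(user) + struct.pack(">IIB", 1, 0, 2)
    body += struct.pack(">HH", enctype, 32) + bytes(32)
    return base64.b64encode(b"\x05\x02" + struct.pack(">i", len(body)) + body).decode()
```

An empty list from check_keytab means the keytab matches the username and domain you intend to enter; the key bytes themselves are never printed.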

 

There are multiple ways to configure Kerberos authentication in Automation Suite, as shown in the following sections.

Configuring Kerberos authentication via the interactive installer


  1. When running the Automation Suite installer, specify that you want to enable Kerberos Auth in the Deployment Configuration:
===============================================================================
                            Deployment configuration
===============================================================================

Are you performing an evaluation/development/test/demo or a production deployment?
[1] Production deployment (multi-node)
[2] Evaluation/development/test/demo deployment (single-node)
Enter your choice [2]: 2

Will your deployment have access to Internet (online) or is it physically isolated from unsecured networks (air-gapped)?
[1] Online
[2] Air-gapped
Enter your choice [1]: 1
Enter the Automation Suite FQDN []: sfdev1868610-d053997f-lb.eastus.cloudapp.azure.com

Would you like to enable Kerberos Auth? This will be used to connect to SQL Databases and Active Directory Lightweight Directory Adaptor if configured.
[1] Yes
[2] No

Enter your choice [2]: 1
  2. You are now prompted to provide the input parameters for Kerberos Auth:

📘

Note

This is the default Kerberos auth setting for all the services. If you want to set up a different AD user per service, you can specify the values in the service-specific JSON object at a later step during installation.

Specify the Active Directory domain for Kerberos Auth []: 
Specify the Ticket Granting Ticket lifetime (TGT) in hours between 8 and 168 for Kerberos Auth [8]:
Specify the default Active Directory username for Kerberos Auth []: 
Specify the default Active Directory user's keytab for Kerberos Auth []: 
Specify the SQL server FQDN []: 
Specify the SQL server connection PORT [1433]:

📘

Note

The AD domain controller has the Maximum lifetime for user ticket Kerberos setting inside the Default Domain Policy. Please make sure the ticket lifetime configured here is not longer than the server-side setting.

📘

Note:

You must generate the keytab file as described in the Prerequisites section and provide the base64-encoded value to the installer.

  3. Complete the rest of the installation experience as shown in the following example:
Would you like the databases to be automatically provisioned for all the products you've selected?
[1] Yes
[2] No

Enter your choice [1]: 1

The following databases will be provisioned automatically:
- Shared suite capabilities: AutomationSuite_Platform
- Orchestrator: AutomationSuite_Orchestrator
- Test Manager: AutomationSuite_Test_Manager
- Insights: AutomationSuite_Insights
- Automation Hub: AutomationSuite_Automation_Hub
- Automation Ops: AutomationSuite_Automation_Ops
- AI Center: AutomationSuite_AICenter
- Document understanding: AutomationSuite_DU_Datamanager


===============================================================================
                            Current config values
===============================================================================
Multi node: false
Airgapped: false
Automation Suite FQDN: sfdev1868610-d053997f-lb.eastus.cloudapp.azure.com
Sql server FQDN: sfdev1868610-d053997f-sql.database.windows.net
Sql port: 1433
Sql username:
Sql password:
Create sql databases: true
Kerberos Auth enabled: true
Kerberos Auth Active Directory domain: abcd.com
Kerberos Auth TGT lifetime in hours: 8
Kerberos Auth default Active Directory username: ad_user
Kerberos Auth default user's keytab: XXXXXXXXX


✅ The cluster configuration file was generated at /tmp/UiPathAutomationSuite/cluster_config.json:

[1] Continue installing with the default config
[2] Edit the config
[3] Go to the main menu

For advanced settings, quit now and manually edit the config file.
Once the configuration file is updated, run the deployment wizard again and follow the instructions.
  4. You have the option to edit the configuration, as shown below:
===============================================================================
                    Choose what setting you want to edit
===============================================================================
[1] Multi node: false
[2] Airgapped: false
[3] Automation Suite FQDN: sfdev1868610-d053997f-lb.eastus.cloudapp.azure.com
[4] Sql server FQDN: sfdev1868610-d053997f-sql.database.windows.net
[5] Sql port: 1433
[6] Sql username:
[7] Sql password:
[8] Create sql databases: true
[9] Kerberos Auth enabled: true
[10] Kerberos Auth Active Directory domain: abcd.com
[11] Kerberos Auth TGT lifetime in hours
[12] Kerberos Auth default Active Directory username: ad_user
[13] Kerberos Auth default user's keytab: XXXXXXXXX

 

Configuring Kerberos authentication via cluster_config.json


  1. In the cluster_config.json file, set the kerberos_auth_config.enabled parameter to true.

  2. Configure the sql_connection_string_template, sql_connection_string_template_jdbc, and sql_connection_string_template_odbc with the Integrated Security flag.

  3. If you want to set up a different AD user per service, you can specify the values in the service-specific JSON object.

Sample of updating Orchestrator and Platform to use Kerberos authentication
---
  "kerberos_auth_config": {
    "enabled" : true, 
    "ticket_lifetime_in_hour" : 8, 
    "ad_domain": "PLACEHOLDER - INSERT ACTIVE DIRECTORY DOMAIN ",
    "default_ad_username": "PLACEHOLDER - INSERT ACTIVE DIRECTORY USER'S USERNAME",
    "default_user_keytab": "PLACEHOLDER - INSERT ACTIVE DIRECTORY USER'S BASE64 KEYTAB VALUE"
  },
  "sql_connection_string_template": "PLACEHOLDER",
  "sql_connection_string_template_jdbc": "PLACEHOLDER",
  "sql_connection_string_template_odbc": "PLACEHOLDER",
  "orchestrator": {
    "sql_connection_str": "Server=tcp:sfdev1804627-c83f074b-sql.database.windows.net,1433;Initial Catalog=AutomationSuite_Orchestrator;Persist Security Info=False;Integrated Security=true;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;Max Pool Size=100;",
    "kerberos_auth_config": {
      "ad_username": "PLACEHOLDER - INSERT ACTIVE DIRECTORY USER'S USERNAME",
      "user_keytab": "PLACEHOLDER - INSERT ACTIVE DIRECTORY USER'S BASE64 KEYTAB VALUE"
    },
    "testautomation": {
      "enabled": true
    },
    "updateserver": {
      "enabled": true
    }
   },
   "platform": {
    "sql_connection_str": "Server=tcp:sfdev1804627-c83f074b-sql.database.windows.net,1433;Initial Catalog=AutomationSuite_Platform;Persist Security Info=False;Integrated Security=true;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;Max Pool Size=100;",
    "kerberos_auth_config": {
      "ad_username": "PLACEHOLDER - INSERT ACTIVE DIRECTORY USER'S USERNAME",
      "user_keytab": "PLACEHOLDER - INSERT ACTIVE DIRECTORY USER'S BASE64 KEYTAB VALUE"
    }
   }
  ---
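
An added example (not part of the UiPath tooling) that lints the Kerberos-related keys of a parsed cluster_config.json before the installer is run: the 8 to 168 hour lifetime range, unfilled placeholders, and connection strings that lack Integrated Security=true or still carry SQL credentials. The function name, the sample hostnames and the rule that a per-service override needs both ad_username and user_keytab are assumptions.

```python
import re

def lint_kerberos_config(cfg):
    """Return findings for the Kerberos-related keys of a parsed cluster_config.json."""
    krb = cfg.get("kerberos_auth_config", {})
    if krb.get("enabled") is not True:
        return ["kerberos_auth_config.enabled is not true"]
    findings = []
    hours = krb.get("ticket_lifetime_in_hour")
    if not isinstance(hours, int) or not 8 <= hours <= 168:
        findings.append("ticket_lifetime_in_hour must be between 8 and 168")
    for key in ("ad_domain", "default_ad_username", "default_user_keytab"):
        if not krb.get(key) or "PLACEHOLDER" in str(krb[key]):
            findings.append(f"kerberos_auth_config.{key} is not filled in")
    for name, section in cfg.items():
        if not isinstance(section, dict) or "sql_connection_str" not in section:
            continue
        conn = section["sql_connection_str"]
        if not re.search(r"Integrated Security\s*=\s*true", conn, re.I):
            findings.append(f"{name}: no Integrated Security=true in connection string")
        if re.search(r"\b(Password|Pwd|User ID|Uid)\s*=", conn, re.I):
            findings.append(f"{name}: connection string still embeds SQL credentials")
        override = section.get("kerberos_auth_config", {})
        # Assumption: an override names a user and carries that user's keytab together.
        if ("ad_username" in override) != ("user_keytab" in override):
            findings.append(f"{name}: override needs both ad_username and user_keytab")
    return findings

# Constructed sample (hostnames and values are made up): orchestrator is correct,
# platform still uses a SQL login and has only half of a per-service override.
SAMPLE = {
    "kerberos_auth_config": {
        "enabled": True, "ticket_lifetime_in_hour": 200, "ad_domain": "ABCD.COM",
        "default_ad_username": "ad_user", "default_user_keytab": "constructed-value",
    },
    "orchestrator": {
        "sql_connection_str": "Server=tcp:sql.abcd.com,1433;Integrated Security=true;",
    },
    "platform": {
        "sql_connection_str": "Server=tcp:sql.abcd.com,1433;User ID=sa;Password=example;",
        "kerberos_auth_config": {"ad_username": "platform_user"},
    },
}
```

Load the real file with json.load and pass the resulting dictionary to lint_kerberos_config; an empty list means none of these checks fired.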

 

Updating Kerberos authentication via ArgoCD UI


  1. Go to the ArgoCD UI, find the uipath application, click the APP DETAILS button in the top-left corner, and then navigate to the PARAMETERS tab.

  2. Click EDIT, update the following parameters to the value specified, and then save the new configuration. If you want to set up a different AD user per service, you can specify "ad_username" and "user_keytab" under the service.

global.kerberosAuthConfig.adDomain => "PLACEHOLDER"
global.kerberosAuthConfig.adUserName => "PLACEHOLDER"
global.kerberosAuthConfig.enabled => true
global.kerberosAuthConfig.userKeytab => "PLACEHOLDER"
global.kerberosAuthConfig.ticketLifetimeInHours => 8


global.orchestrator.kerberosAuthConfig.adUserName => "PLACEHOLDER"
global.orchestrator.kerberosAuthConfig.userKeytab => "PLACEHOLDER"

global.platform.kerberosAuthConfig.adUserName => "PLACEHOLDER"
global.platform.kerberosAuthConfig.userKeytab => "PLACEHOLDER"

🚧

Note

The AD domain controller has the "Maximum lifetime for user ticket" Kerberos setting inside the "Default Domain Policy". Please make sure the ticket lifetime configured here is not longer than the server-side setting.

  3. SYNC the uipath application, and wait for the sync to finish with a healthy state response.

  4. Now you can update your service's SQL connection string to start using integrated auth.

 

Updating Kerberos authentication via update CLI tool


To update Kerberos authentication via the CLI tool, see Updating Kerberos authentication.

Updated 25 days ago

