配置 Active Directory 集成

You can enable SSO with Windows authentication and enable directory search through the Active Directory integration.
Directory search lets you search for directory accounts and groups and use them just like local accounts.

Known limitations

  • Directory search does not find users from an external trust domain. This feature is not supported because there is no mutually trusted authority with external trusts.
  • Windows authentication in Automation Suite uses the Kerberos protocol, so Windows login can only be used from domain-joined machines.

Step 1. Configure the Active Directory integration

Work with your IT administrator to make sure the Automation Suite cluster can reach your Active Directory (AD).

You can configure the Active Directory integration with one of the following two options:
a. Kerberos authentication
b. Username and password

Instructions for each are available below. Follow the ones that apply for your selected authentication protocol.

Kerberos authentication is recommended because it supports more scenarios:

| Scenario | Username and password | Kerberos authentication |
| --- | --- | --- |
| Directory search for domains in the same forest | Supported | Supported |
| Directory search for domains in a trusted forest | Not supported | Supported |
| Directory search for external trust domains | Not supported | Not supported |

a. Kerberos configuration (recommended)

  1. Configure Kerberos authentication by following the instructions in Setting up Kerberos authentication.
  2. Log in to the Automation Suite host portal as a system administrator.
  3. Go to Security Settings.
  4. In the External Providers section, click Configure under Active Directory.
    • Select the Enabled checkbox to enable the integration.
    • Select the Force automatic login using this provider checkbox if you want to only allow login with Active Directory accounts. Only do this after the integration with the provider has been successfully validated, to prevent lockout.
    • In the Display Name field, type the text you want to show under this login option on the Login page.
    • Leave the Use Kerberos Auth checkbox selected.
  5. Click Test and Save to save your changes.
  6. Restart the identity-service-api-* pod.
    a. Connect to the main server via SSH.
    b. Run the following command:
    kubectl -n uipath rollout restart deployment identity-service-api

b. Username and password configuration

When you use this option, the UiPath service uses credentials provided in clear text to communicate with Active Directory. To protect these credentials in transit, we recommend using LDAP over SSL (LDAPS) with this configuration.
Only users from the same forest as the one configured on this page can interact with the UiPath cluster. Users from trusted forests will not be able to log in to this UiPath cluster.

b.1. Prerequisite for using LDAPS

If you intend to use LDAP over SSL (LDAPS), then you must first configure LDAP over SSL in your AD environment and obtain the root certificate to be used in UiPath cluster configuration.

  1. Obtain and install the SSL certificate for LDAPS on each domain controller.
    For more information and instructions, see the article LDAP over SSL (LDAPS) Certificate.
  2. Encode the root certificate in Base64 by running the following command:
[Convert]::ToBase64String([System.IO.File]::ReadAllBytes("<Path to the .crt or .cer file>"))
  3. Add the encoded root certificate in ArgoCD:
    a. Log in to ArgoCD.
    b. Select and go to the uipath application.
    c. In the top left corner, click APP DETAILS.
    d. In the Parameters section, search for the parameter global.userInputs.certificate.identity.ldaps.customRootCA
    e. Update the value of the parameter to the encoded content you obtained earlier.
    f. Save.
    g. Click SYNC to apply your changes.

b.2. Active Directory configuration

  1. Log in to the Automation Suite host portal as a system administrator.
  2. Go to Security Settings.
  3. In the External Providers section, click Configure under Active Directory.
    • Select the Enabled checkbox.
    • If you want to only allow login with Active Directory accounts, select the Force automatic login using this provider checkbox.
    • (Optional, but strongly recommended) Select the Use LDAP over SSL (LDAPS) checkbox.
    • The Use Kerberos Auth checkbox must be cleared.
    • In the Display Name field, type the name you want to show on the Login page for this sign-in option.
    • In the Default Domain field, type the fully qualified domain name (FQDN) of the Active Directory (AD).
    • In the Username field, type the user name of an AD user. It needs to be in the format DOMAIN\username, for example TESTDOMAIN\user1.
    • In the User Password field, type the password of the AD account above.
  4. Click Test and Save to save your changes.
  5. Restart the identity-service-api-* pod.
    a. Connect to the main server via SSH.
    b. Run the following command:
    kubectl -n uipath rollout restart deployment identity-service-api

Troubleshooting

Domain unreachable

If you get the error Domain unreachable, check the DNS routing using the command getent ahosts <AD domain>.
If it does not return an IP address, check the node's /etc/resolv.conf. The nameserver value should point to the AD domain DNS. If it does not, reach out to your system administrator for proper configuration.

If the node runs on Azure, follow the instructions in Name resolution for resources in Azure virtual networks.
One approach is:

  1. In Azure, go to the node's virtual network and set the virtual network DNS server to the Active Directory DNS.
  2. Run systemctl restart NetworkManager.service and check whether /etc/resolv.conf has been updated.
  3. Restart the cluster Core DNS from ArgoCD.
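The DNS checks described above, scripted as a small diagnostic you can run on a node. This is an added example, not a UiPath tool; the AD domain name, the expected AD DNS address and the resolv.conf path are arguments you supply.

```shell
#!/bin/sh
# Diagnose "Domain unreachable": does the node resolve the AD domain, and does
# its resolv.conf point at the AD DNS? Added example, not part of the UiPath docs.

# Print the nameserver addresses from a resolv.conf-style file, one per line.
resolv_nameservers() {
    # $1: resolv.conf path (defaults to the node's own file)
    awk '$1 == "nameserver" { print $2 }' "${1:-/etc/resolv.conf}"
}

# Succeed if the expected AD DNS address is among the configured nameservers.
ad_dns_configured() {
    # $1: expected AD DNS IP, $2: resolv.conf path
    resolv_nameservers "$2" | grep -qxF "$1"
}

# Succeed if getent ahosts returns at least one address for the AD domain,
# which is the check the troubleshooting text asks for first.
ad_domain_resolves() {
    # $1: AD domain FQDN
    getent ahosts "$1" | awk '{ print $1 }' | grep -q .
}

# Run both checks and print what to fix; returns 0 only when the domain resolves.
check_ad_dns() {
    # $1: AD domain FQDN, $2: expected AD DNS IP, $3: resolv.conf path (optional)
    domain=$1; dns=$2; resolv=${3:-/etc/resolv.conf}
    if ad_domain_resolves "$domain"; then
        echo "OK: $domain resolves to: $(getent ahosts "$domain" | awk '{ print $1 }' | sort -u | tr '\n' ' ')"
        return 0
    fi
    echo "FAIL: getent ahosts $domain returned no address"
    if ad_dns_configured "$dns" "$resolv"; then
        echo "  $resolv already lists $dns; check that the AD DNS is reachable from this node"
    else
        echo "  nameservers in $resolv: $(resolv_nameservers "$resolv" | tr '\n' ' ')"
        echo "  expected AD DNS $dns is missing; fix the resolver (or the Azure VNet DNS), restart NetworkManager, then restart Core DNS"
    fi
    return 1
}
```

Typical call on a node: `check_ad_dns corp.example.com 10.0.0.4` with the domain and DNS address of your own environment.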

Domain unreachable while using LDAPS

If you get the error Domain unreachable when LDAPS is enabled, it may be caused by having the wrong certificate in use.

Check if you have multiple certificates valid for Server Authentication in the LDAP server's local computer certificate store. If so, a different certificate than the one you want may be used for LDAPS communications.
The easiest resolution is to remove all unnecessary certificates from the local computer certificate store and have only one certificate that is valid for server authentication.
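A pre-flight for the LDAPS prerequisite in b.1 and for the wrong-certificate symptom described just above, as an added shell example (not UiPath code): it shows which certificate the domain controller actually presents on port 636, verifies that chain against the root you intend to trust, and encodes the root file the same way the PowerShell command does. The DC host name and the certificate path are arguments; openssl is required.

```shell
#!/bin/sh
# LDAPS pre-flight: inspect the certificate a domain controller serves on 636,
# verify it against the candidate root CA, and produce the Base64 value for
# global.userInputs.certificate.identity.ldaps.customRootCA. Added example.

# Print subject and issuer of the leaf certificate the DC presents. If the
# issuer is not your root CA (or an intermediate under it), a different
# certificate from the DC's computer store is being used for LDAPS.
ldaps_presented_cert() {
    # $1: domain controller FQDN
    openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer
}

# Succeed only if the chain the DC sends verifies against the candidate root.
# Parses OpenSSL's verify result line rather than relying on the exit status.
ldaps_chain_verifies() {
    # $1: domain controller FQDN, $2: root CA file (PEM)
    openssl s_client -connect "$1:636" -servername "$1" -CAfile "$2" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Show the candidate root's subject and basicConstraints so a leaf certificate
# (CA:FALSE) is caught before it is pasted into ArgoCD. Needs OpenSSL 1.1.1+.
describe_root_ca() {
    # $1: root CA file (PEM)
    openssl x509 -in "$1" -noout -subject -ext basicConstraints
}

# Base64 of the file's raw bytes on one line: the same output as
# [Convert]::ToBase64String([System.IO.File]::ReadAllBytes("<file>")) in PowerShell.
encode_root_ca() {
    # $1: the .crt or .cer file
    base64 < "$1" | tr -d '\n'
}

# Run the whole pre-flight; prints the encoded value only if verification passed.
ldaps_preflight() {
    # $1: domain controller FQDN, $2: root CA file
    echo "DC presents:"; ldaps_presented_cert "$1"
    echo "Candidate root:"; describe_root_ca "$2"
    if ldaps_chain_verifies "$1" "$2"; then
        echo "Chain verifies; customRootCA value:"; encode_root_ca "$2"; echo
    else
        echo "Chain does NOT verify against $2; check the DC's certificate store" >&2
        return 1
    fi
}
```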

 

Step 2. Configure Windows authentication

Prerequisites

Obtain the <KERB_DEFAULT_KEYTAB>, which is the base64-encoded string of the keytab file generated as part of Kerberos setup.

Configure the Automation Suite cluster

  1. Go to Argo CD and log in as an administrator.
  2. Select and go to the UiPath application.
  3. Click APP DETAILS in the top left corner.
  4. In the PARAMETERS section, search for the global.userInputs.identity.krb5KeytabSecret parameter.
    By default, the parameter has a placeholder value.
  5. Update the parameter's placeholder value with <KERB_DEFAULT_KEYTAB>, and then save.
  6. Click SYNC to apply your changes.
  7. After a successful sync, run the command kubectl -n uipath rollout restart deployment identity-service-api to restart the Identity Server.

Step 3: Browser configuration

Microsoft Internet Explorer

Not supported

Microsoft Edge

No additional configuration is needed.

Google Chrome

In general, Google Chrome works without additional configuration.
If it does not, follow the instructions below.

  1. Go to Tools > Internet Options > Security.
  2. Select Local intranet.
  3. Click Sites.
  4. Make sure Automatically detect intranet network or all options are selected.
  5. Click Advanced.
  6. Add the Automation Suite FQDN to Local intranet.
  7. Click Close and OK.
  8. Click Custom level.
  9. (Optional) Under User Authentication, select Automatic logon only in Intranet zone.
    If selected, when the browser receives a redirected authentication request it checks where the request comes from. If the domain or IP belongs to the intranet, the browser sends the user name and password automatically. If not, the browser opens a user name and password prompt that you must fill in manually.
  10. (Optional) Under User Authentication, select Automatic logon with current user name and password.
    If selected, when the browser receives a redirected authentication request it silently sends the user name and password. If authentication succeeds, the browser continues with the original action. If authentication fails, the browser opens a user name and password prompt and retries until authentication succeeds.
  11. Make sure Enable Integrated Windows Authentication is selected in the Security section of the Internet Options > Advanced tab.

Mozilla Firefox

  1. Open the browser configuration window.
  2. Type about:config in the address bar.
  3. Specify the Automation Suite FQDN that uses Kerberos authentication:
    a. Search for the term network.negotiate
    b. Enable and set the following for Kerberos: network.negotiate-auth.delegation-uris (example value: uipath-34i5ui35f.westeurope.cloudapp.azure.com), network.negotiate-auth.trusted-uris (example value: uipath-34i5ui35f.westeurope.cloudapp.azure.com), and network.negotiate-auth.allow-non-fqdn (value: true).

Step 4: Allow Windows authentication for your organization

Now that Automation Suite is integrated with Windows authentication, users for whom a user account has been created in Automation Suite can log in to Automation Suite using the Windows option on the Login page.

If you want to allow logging in with Windows credentials, each organization administrator must do the following for their organization.

  1. Log in to Automation Suite as an organization administrator.
  2. Assign organization-level roles to Active Directory users or groups, which you can select from search.
  3. Repeat the above steps for every user you want to allow to log in with Windows authentication.

Users who have been granted a role can then log in to the Automation Suite organization with their Active Directory account. They must log in from a domain-joined machine.

Troubleshooting

If you receive an HTTP 500 error when trying to log in with Windows credentials, check the following:

a. Is the Windows machine domain-joined?
On the machine, go to Control Panel > System and Security > System and check whether a domain is shown. If no domain is shown, add the machine to the domain. The machine must be domain-joined to use Windows authentication through the Kerberos protocol.

b. Can you log in to the Windows machine with the same credentials?
If not, ask your system administrator for help.

c. Are you using a browser other than Microsoft Edge?
Additional configuration is required for supported browsers other than Microsoft Edge.

d. Check the keytab configuration:

  • After generating the keytab, on the Active Directory server the AD user's servicePrincipalName property should be of the form HTTP/<Service Fabric FQDN>, for example HTTP/uipath-34i5ui35f.westeurope.cloudapp.azure.com

  • The option This account supports Kerberos AES 256 bit encryption must be selected for the user account in AD.
    If this is misconfigured, you can see the following in the identity-service-api logs:

Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler An exception occurred while processing the authentication request.
GssApiException*GSSAPI operation failed with error - Unspecified GSS failure. Minor code may provide more information (Request ticket server HTTP/[email protected] kvno 4 enctype aes256-cts found in keytab but cannot decrypt ticket).* at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler.HandleRequestAsync()

e. If multiple Active Directories are configured in the domain you are using, authentication fails and you will see the following in the identity-service-api logs:

kinit: Client '[email protected]' not found in Kerberos database while getting initial credentials

In this case, make sure the machine account created for authentication is replicated to all Active Directories.

f. If you run ktpass and assign a new password to the user account, the key version (kvno) increases and invalidates the old keytab. In the identity-service-api log, you can see:

Request ticket server HTTP/rpasf.EXAMPLE.COM kvno 4 not found in keytab; ticket is likely out of date

In this case, you need to update krb5KeytabSecret in ArgoCD.

g. If you see the following error in the identity-service-api pod:

GssApiException*GSSAPI operation failed with error - Unspecified GSS failure. Minor code may provide more information (Keytab FILE:/uipath/krb5/krb5.keytab is nonexistent or empty).

First check if you provided the global.userInputs.identity.krb5KeytabSecret parameter in ArgoCD.
If the parameter exists, verify if you can log into the Windows machine with the credentials of the AD user used to generate the keytab. Note that you must regenerate the keytab if the password was changed or expired.
Another possible cause of this issue is that ArgoCD was previously synced incorrectly. To fix the problem, remove the existing global.userInputs.identity.krb5KeytabSecret, sync ArgoCD, and once the operation is successful, update global.userInputs.identity.krb5KeytabSecret, and sync again.

h. Does the browser use the expected SPN?
If Kerberos event logging is enabled by following these instructions, you will see the KDC_ERR_S_PRINCIPAL_UNKNOWN error in the Kerberos event logs. For details on this issue, see Microsoft documentation.
To solve this issue, disable the CNAME lookup when negotiating Kerberos authentication by modifying the group policy. For details, see instructions for Google Chrome and for Microsoft Edge.
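The keytab checks from items d and f above, scripted as an added example (not UiPath's own tooling) that relies on MIT Kerberos klist: it decodes the <KERB_DEFAULT_KEYTAB> value, lists the entries, confirms an AES-256 entry exists for HTTP/<Automation Suite FQDN>@REALM, and compares the keytab's kvno with the kvno reported in the identity-service-api log line. The principal name and the log line are inputs you supply.

```shell
#!/bin/sh
# Keytab checks for items d and f above: the entry must be HTTP/<fqdn>@REALM,
# carry an aes256-cts key, and have the kvno the KDC currently issues (the
# kvno shown in the identity-service-api log). Added example; needs MIT klist.

# Decode the Base64 keytab string (the <KERB_DEFAULT_KEYTAB> value) and list
# its entries with enctypes; the output is what the functions below parse.
keytab_entries() {
    # $1: Base64-encoded keytab
    tmp=$(mktemp)
    printf '%s' "$1" | base64 -d > "$tmp"
    klist -kte "$tmp"
    rm -f "$tmp"
}

# From "klist -kte" output on stdin, print "kvno enctype" for each entry whose
# principal is exactly the expected one (principal names are case-sensitive).
keytab_entries_for() {
    # $1: expected principal, e.g. HTTP/host.example.com@EXAMPLE.COM
    awk -v spn="$1" 'NF >= 2 && $(NF-1) == spn { e = $NF; gsub(/[()]/, "", e); print $1, e }'
}

# Succeed if at least one entry for the principal uses AES-256, which is what
# "This account supports Kerberos AES 256 bit encryption" produces.
keytab_has_aes256() {
    # $1: expected principal; klist output on stdin
    keytab_entries_for "$1" | grep -q 'aes256-cts'
}

# Extract the kvno from a log line such as
# "Request ticket server HTTP/... kvno 4 not found in keytab; ticket is likely out of date".
log_kvno() {
    sed -n 's/.*kvno \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeed if the highest kvno in the keytab equals the kvno in the log line.
# A mismatch means the account password was reset (e.g. by ktpass) after the
# keytab was generated, so krb5KeytabSecret in ArgoCD must be updated.
kvno_matches_log() {
    # $1: expected principal, $2: file with klist output, $3: file with the log line
    kt=$(keytab_entries_for "$1" < "$2" | awk '{ print $1 }' | sort -n | tail -n 1)
    lg=$(log_kvno < "$3")
    [ -n "$kt" ] && [ -n "$lg" ] && [ "$kt" -eq "$lg" ]
}
```

In practice, feed keytab_entries "<KERB_DEFAULT_KEYTAB>" into the parsing functions and take the log line from kubectl -n uipath logs deployment/identity-service-api.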

Updated 4 months ago


配置 Active Directory 集成


您可以使用 Windows 身份验证启用 SSO,并通过 Active Directory 集成启用目录搜索功能。
目录搜索可让您搜索目录帐户和组,并像使用本地帐户一样使用它们。

建议的编辑仅限用于 API 参考页面

您只能建议对 Markdown 正文内容进行编辑,而不能建议对 API 规范进行编辑。