- Overview
- Requirements
- Installation
- Post-installation
- Cluster administration
- Monitoring and alerting
- Migration and upgrade
- Product-specific configuration
- Best practices and maintenance
- Troubleshooting
- How to Troubleshoot Services During Installation
- How to Uninstall the Cluster
- How to clean up offline artifacts to improve disk space
- How to disable TLS 1.0 and 1.1
- How to enable Istio logging
- How to manually clean up logs
- How to clean up old logs stored in the sf-logs bucket
- How to debug failed Automation Suite installations
- How to disable TX checksum offloading
- Unable to run an offline installation on RHEL 8.4 OS
- Error in Downloading the Bundle
- Offline installation fails because of missing binary
- Certificate issue in offline installation
- SQL connection string validation error
- Failure After Certificate Update
- Automation Suite Requires Backlog_wait_time to Be Set 1
- Cannot Log in After Migration
- Setting a timeout interval for the management portals
- Update the underlying directory connections
- Kinit: Cannot Find KDC for Realm <AD Domain> While Getting Initial Credentials
- Kinit: Keytab Contains No Suitable Keys for *** While Getting Initial Credentials
- GSSAPI Operation Failed With Error: An Invalid Status Code Was Supplied (Client's Credentials Have Been Revoked).
- Login Failed for User <ADDOMAIN><aduser>. Reason: The Account Is Disabled.
- Alarm Received for Failed Kerberos-tgt-update Job
- SSPI Provider: Server Not Found in Kerberos Database
- Failure to get the sandbox image
- Pods not showing in ArgoCD UI
- Redis Probe Failure
- RKE2 Server Fails to Start
- Secret Not Found in UiPath Namespace
- ArgoCD goes into progressing state after first installation
- Unexpected Inconsistency; Run Fsck Manually
- Missing Self-heal-operator and Sf-k8-utils Repo
- Degraded MongoDB or Business Applications After Cluster Restore
- Unhealthy Services After Cluster Restore or Rollback
- Using the Automation Suite Diagnostics Tool
- Using the Automation Suite support bundle
- Exploring Logs
Setting up Kerberos authentication
To successfully set up Kerberos authentication, you must meet the following prerequisites:
Before you can configure Kerberos authentication, work with your IT administrators to ensure the Automation Suite cluster can access your AD.
The following requirements must be met:
- Automation Suite cluster must be on the same network as the AD domain;
-
DNS must be set up correctly on the network so that the Automation Suite cluster can resolve the AD domain names.
Note: It is critical that the Automation Suite cluster can resolve the ADdomain names
. You can verify this by runningnslookup <AD domain name>
on the host machine.
Generating Kerberos default keytab and username parameters
Option 1: by Running the script (recommended)
- Log in with your AD administrator account on a Windows domain-joined machine.
- Run the keytab-creator.ps1 script as administrator.
- Input the following values to the script:
Service Fabric FQDN
. For example,uipath-34i5ui35f.westeurope.cloudapp.azure.com
.AD domain FQDN
. For example,TESTDOMAIN.LOCAL
.- An AD user account. You can use an existing account, such as
sAMAccountName
, or you can allow the script to create a new one.
<KERB_DEFAULT_USERNAME>
and <KERB_DEFAULT_KEYTAB>
parameters required by the Kerberos setup.
Option 2: Manually
<KERB_DEFAULT_USERNAME>
and <KERB_DEFAULT_KEYTAB>
for that account as follows:
To configure the UiPath cluster to connect to SQL using Windows integrated authentication/Kerberos, you need to perform a few additional steps:
- the SQL server must join the AD domain;
- the Automation Suite cluster must be on the same network as the SQL Server;
- the Automation Suite cluster can resolve the AD and SQL servers` domain names;
- the AD user must have access to SQL server and DB permissions.
To create a new login in SQL Server Management Studio, take the following steps:
-
In the Object Explorer panel, navigate to Security > Logins.
-
Right-click the Logins folder and select New Login. The Login - New window is displayed.
-
Select the Windows Authentication option. The window is updated accordingly.
-
In the Login name field, type the user domain you want to use as a service account.
-
From the Default Language list, select English.Important: Ensure that the Default Language is set to English. If it isn't, the website cannot start, and the Event Viewer on the computer on which Orchestrator is installed displays the following error message: “The conversion of a varchar data type to a datetime data type resulted in an out of range value”.
-
Click OK. Your configurations are saved.
If the service account has already been created and added to the Security > Logins section of the SQL Server, please check whether the Default Language of that SQL account is set to English. If it isn't, please make the necessary adjustments.
db_owner
user mapping role, as in the following screenshot.
db_owner
user mapping role with the UiPath login, grant the following permissions:
db_datareader
db_datawriter
db_ddladmin
-
EXECUTE
permission ondbo
schema
EXECUTE
permission has to be granted by using the GRANT EXECUTE
SQL command, as follows:
USE UiPath
GO
GRANT EXECUTE ON SCHEMA::dbo TO [domain\)\)user]
GO
USE UiPath
GO
GRANT EXECUTE ON SCHEMA::dbo TO [domain\)\)user]
GO
Integrated Security=True
, you need to create a unique keytab for each UiPath application, as follows. This will be referred to as <KERB_APP_KEYTAB>
for that application.
Generating Kerberos application keytab and username parameters
Option 1: by Running the Script (recommended)
-
Run the service-keytab-creator.ps1 script.
-
Input the following values to the script:
-
AD domain FQDN
. For example,TESTDOMAIN.LOCAL
. -
The username and password of an AD user account. For example, the AD user account
sAMAccountName
and its password.
-
<KERB_APP_USERNAME>
and <KERB_APP_KEYTAB>
parameters required by Kerberos.
Option 2: Manually
Run the following script manually:
# Generate keytab file and output it in the desired path
ktpass /princ <AD username>@<AD domain in cap> /pass <AD user password> /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /out <path to keytab file> -setpass
# Converts AD user's keytab file to base 64
[Convert]::ToBase64String([System.IO.File]::ReadAllBytes("<path to the generated keytab file>"))
# Generate keytab file and output it in the desired path
ktpass /princ <AD username>@<AD domain in cap> /pass <AD user password> /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /out <path to keytab file> -setpass
# Converts AD user's keytab file to base 64
[Convert]::ToBase64String([System.IO.File]::ReadAllBytes("<path to the generated keytab file>"))
<AD username>
will be the <KERB_APP_USERNAME>
corresponding to the <KERB_APP_KEYTAB>
.
This section explains how you can configure Automation Suite as a Kerberos client for LDAP or SQL access.
<KERB_DEFAULT_KEYTAB>
, configure Automation Suite as a Kerberos client in one of the following ways:
- Configuring Kerberos authentication via the interactive installer
- Configuring Kerberos authentication via cluster_config.json
-
Note: If you want to set up different services to run under their own AD account, and access SQL as that AD account, you can specify
ad_username
with that<KERB_APP_USERNAME>
, anduser_keytab
as<KERB_APP_KEYTAB>
under the configuration section of the service.
- In the
cluster_config.json
file, set thekerberos_auth_config.enabled
parameter totrue
. - If you want to use Kerberos for SQL access, configure the
sql_connection_string_template
,sql_connection_string_template_jdbc
, andsql_connection_string_template_odbc
with the Integrated Security flag. - If you want to set up a different AD user per service, take the following steps:
- After updating the
cluster_config.json
, run the installer script to update the configuration. For details, see Managing products.
Sample of updating Orchestrator and the platform to use Kerberos authentication
"kerberos_auth_config": {
"enabled" : true,
"ticket_lifetime_in_hour" : 8,
"ad_domain": "PLACEHOLDER - INSERT ACTIVE DIRECTORY DOMAIN ",
"default_ad_username": "PLACEHOLDER - INSERT KERB_DEFAULT_USERNAME",
"default_user_keytab": "PLACEHOLDER - INSERT KERB_DEFAULT_KEYTAB"
},
"sql_connection_string_template": "PLACEHOLDER",
"sql_connection_string_template_jdbc": "PLACEHOLDER",
"sql_connection_string_template_odbc": "PLACEHOLDER",
"orchestrator": {
"sql_connection_str": "Server=tcp:sfdev1804627-c83f074b-sql.database.windows.net,1433;Initial Catalog=AutomationSuite_Orchestrator;Persist Security Info=False;Integrated Security=true;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;Max Pool Size=100;",
"kerberos_auth_config": {
"ad_username": "PLACEHOLDER - INSERT KERB_APP_USERNAME for Orchestrator",
"user_keytab": "PLACEHOLDER - INSERT KERB_APP_KEYTAB for Orchestrator"
}
"testautomation": {
"enabled": true
},
"updateserver": {
"enabled": true
}
},
"platform": {
"sql_connection_str": "Server=tcp:sfdev1804627-c83f074b-sql.database.windows.net,1433;Initial Catalog=AutomationSuite_Platform;Persist Security Info=False;Integrated Security=true;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;Max Pool Size=100;",
"kerberos_auth_config": {
"ad_username": "PLACEHOLDER - INSERT KERB_APP_USERNAME for platform",
"user_keytab": "PLACEHOLDER - INSERT KERB_APP_KEYTAB for platform"
}
}
"kerberos_auth_config": {
"enabled" : true,
"ticket_lifetime_in_hour" : 8,
"ad_domain": "PLACEHOLDER - INSERT ACTIVE DIRECTORY DOMAIN ",
"default_ad_username": "PLACEHOLDER - INSERT KERB_DEFAULT_USERNAME",
"default_user_keytab": "PLACEHOLDER - INSERT KERB_DEFAULT_KEYTAB"
},
"sql_connection_string_template": "PLACEHOLDER",
"sql_connection_string_template_jdbc": "PLACEHOLDER",
"sql_connection_string_template_odbc": "PLACEHOLDER",
"orchestrator": {
"sql_connection_str": "Server=tcp:sfdev1804627-c83f074b-sql.database.windows.net,1433;Initial Catalog=AutomationSuite_Orchestrator;Persist Security Info=False;Integrated Security=true;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;Max Pool Size=100;",
"kerberos_auth_config": {
"ad_username": "PLACEHOLDER - INSERT KERB_APP_USERNAME for Orchestrator",
"user_keytab": "PLACEHOLDER - INSERT KERB_APP_KEYTAB for Orchestrator"
}
"testautomation": {
"enabled": true
},
"updateserver": {
"enabled": true
}
},
"platform": {
"sql_connection_str": "Server=tcp:sfdev1804627-c83f074b-sql.database.windows.net,1433;Initial Catalog=AutomationSuite_Platform;Persist Security Info=False;Integrated Security=true;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;Max Pool Size=100;",
"kerberos_auth_config": {
"ad_username": "PLACEHOLDER - INSERT KERB_APP_USERNAME for platform",
"user_keytab": "PLACEHOLDER - INSERT KERB_APP_KEYTAB for platform"
}
}
Service groups and services
cluster_config.json
file, or in the ArgoCD UI.
Service group name for
cluster_config.json |
Service group name for ArgoCD |
Included services |
---|---|---|
|
|
Orchestrator, Webhooks |
|
|
Identity, License Accountant (LA), Audit, Location, License Resource Manager (LRM), Organization Management Service (OMS) |
|
|
Automation Hub, Task Mining |
|
|
Test Manager |
|
|
Automation Ops |
|
|
AI Center |
|
|
Document Understanding |
|
|
Insights |
To update Kerberos authentication via the CLI tool, see Updating Kerberos authentication.
For Kerberos authentication to be used when logging in to Automation Suite, you must further configure Automation Suite host settings.
To remove Kerberos authentication completely, take the following steps:
- If you used Kerberos to configure AD integration, reconfigure AD with the username and password option by following the instructions in Configuring the Active Directory integration.
- If you used SQL integrated authentication, configure the SQL connection strings to use User Id and Password.
- Disable Kerberos authentication as follows:
- Go to the ArgoCD UI, find the uipath application, click the APP DETAILS button in the top-left corner, and then navigate to the PARAMETERS tab.
- Click EDIT, and set
global.kerberosAuthConfig.enabled
tofalse
.
To remove SQL integrated authentication, take the following steps:
- Configure the SQL connection strings to use User Id and Password.
- If want to disable SQL integrated authentication for all the services, set
global.kerberosAuthConfig.enabled
tofalse
in ArgoCD after changing all of the connection strings
If you encounter any issues while configuring Kerberos, see Authentication troubleshooting.
- Prerequisites
- Ensuring the Automation Suite cluster can access your AD
- Configuring the AD service account for Kerberos authentication
- Optional: SQL Integrated Authentication Prerequisites
- Configuring Automation Suite as a Kerberos client
- Configuring Kerberos Authentication Via the Interactive Installer
- Configuring Kerberos Authentication Via Cluster_config.json
- Updating Kerberos authentication via CLI tool
- Configuring the Active Directory integration
- Disabling Kerberos authentication
- Removing Kerberos authentication completely
- Removing SQL integrated authentication
- Kerberos Troubleshooting