These instructions only apply if you have a standalone installation of Orchestrator. If you are using Orchestrator in Automation Suite, follow the Automation Suite instructions instead.
To integrate with Windows Active Directory and use Windows Authentication, TCP port 389 (LDAP) on the primary domain controller must be reachable from the Orchestrator server.
If you already enabled Windows authentication during installation, as described here, then you can skip this step.
- Open IIS (Internet Information Services Manager).
- In the Connections section, navigate to the UiPath Orchestrator site. The Features View panel is updated accordingly.
- Double-click Authentication. The Features View section is updated accordingly.
- Select the Windows Authentication option and, in the Actions section, click Enable. Windows authentication is now enabled for the UiPath Orchestrator site.
- Make sure that the ASP.NET Impersonation option is Disabled.
- In the Connections panel, navigate to the Orchestrator Server Node. The Features View is updated accordingly.
- In the Management section, double-click Configuration Editor. The Features View is updated accordingly.
- In the Section drop-down list, navigate to system.webServer/httpErrors. The Features View is updated accordingly.
- In the Actions panel, click Unlock Section. If the section is not locked, skip this step.
- Select the defaultPath attribute and click Unlock Attribute in the Actions panel.
- Close IIS.
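The same IIS changes can be scripted and read back from PowerShell, which is easier to audit than clicking through Configuration Editor. This is an added example, not a script shipped by UiPath. It assumes the site is named UiPath Orchestrator (the installer default) and uses the WebAdministration module; the attribute-level unlock is addressed through an attribute XPath on Remove-WebConfigurationLock, so confirm the result in Configuration Editor afterwards.

```powershell
# Added example (not UiPath's own script): apply the IIS steps above and read them back.
# Assumptions: site name 'UiPath Orchestrator', run in an elevated PowerShell on the server.
Import-Module WebAdministration

$site    = 'UiPath Orchestrator'
$appHost = 'MACHINE/WEBROOT/APPHOST'          # applicationHost.config, where locks live
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'

# 1. Enable Windows Authentication for the Orchestrator site only (location tag, not server-wide).
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $winAuth -Name 'enabled' -Value $true

# 2. Make sure ASP.NET impersonation is disabled. This setting lives in system.web of the
#    site's own web.config, so it is addressed through the IIS: drive rather than APPHOST.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter 'system.web/identity' -Name 'impersonate' -Value $false

# 3. Unlock the httpErrors section so the site's web.config is allowed to override it.
Set-WebConfiguration -PSPath $appHost -Filter 'system.webServer/httpErrors' -Metadata 'overrideMode' -Value 'Allow'

# 4. Unlock the defaultPath attribute of that section (attribute XPath; verify in Configuration Editor).
Remove-WebConfigurationLock -PSPath $appHost -Filter 'system.webServer/httpErrors/@defaultPath' -Type 'general'

# Read the effective values back, as you would check them in Features View.
[pscustomobject]@{
    WindowsAuthEnabled  = (Get-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $winAuth -Name 'enabled').Value
    AspNetImpersonation = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter 'system.web/identity' -Name 'impersonate').Value
    HttpErrorsOverride  = (Get-WebConfiguration -PSPath $appHost -Filter 'system.webServer/httpErrors' -Metadata).Metadata.effectiveOverrideMode
} | Format-List
```

The expected read-back is WindowsAuthEnabled True, AspNetImpersonation False and HttpErrorsOverride Allow. Unlocking only the one section and attribute, rather than the whole configuration, keeps the rest of applicationHost.config locked against overrides from web.config files.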
By default, Orchestrator uses the NTLM authentication protocol when users log in with Active Directory credentials.
To switch to Kerberos, run the application pool as NetworkService and register, in Active Directory, a Service Principal Name (SPN) for the account the pool runs as. Kerberos clients request a ticket for that SPN, so it must be bound to the account that actually decrypts the ticket on the server.
To switch to Kerberos authentication:
- Open the Command Prompt.
- Change the directory to C:\Windows\System32 with the cd command.
- Run the setspn.exe -a HTTP/<machine> <domain account> command, where:
HTTP/<machine> - the SPN for the host name at which your Orchestrator instance is reachable. Use the fully qualified DNS name users type into the browser. The service class is HTTP even when the site is served over https, because that is the SPN the client requests a ticket for.
<domain account> - the account the Orchestrator application pool runs as: the computer account of the machine on which Orchestrator is installed (domain\machinename$) when the pool runs as NetworkService, or the domain user account (domain\name) when the pool runs as a specific user.
Using setspn.exe -S instead of -a makes setspn refuse to register an SPN that already exists on another account; a duplicate SPN causes Kerberos to fail and clients to fall back to NTLM.
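The pool change and the SPN registration from the steps above, with the duplicate check a practitioner wants before registering anything. This is an added example, not a script from UiPath. The application pool name, host name and account are assumptions: replace CORP\ORCH01$ with the computer account of your own Orchestrator server (or the domain user the pool runs as).

```powershell
# Added example (not UiPath's own script). Assumed names: pool 'UiPath Orchestrator',
# host orchestrator.example.com, computer account CORP\ORCH01$ (the '$' marks a computer account).
Import-Module WebAdministration

$appPool = 'UiPath Orchestrator'
$fqdn    = 'orchestrator.example.com'
$short   = 'orchestrator'                   # name users may type without a domain suffix
$account = 'CORP\ORCH01$'                   # NetworkService authenticates to AD as the computer account

# 1. Run the pool as NetworkService so the server-side Kerberos context uses the computer account.
Set-ItemProperty "IIS:\AppPools\$appPool" -Name 'processModel.identityType' -Value 'NetworkService'

# 2. Refuse to continue if another account already owns the SPN: with a duplicate, the KDC
#    encrypts tickets for the wrong account and logons fail (or silently fall back to NTLM).
foreach ($spn in "HTTP/$fqdn", "HTTP/$short") {
    $q = setspn -Q $spn
    if ($q -match 'Existing SPN found' -and ($q -join "`n") -notmatch [regex]::Escape($account.Split('\')[1].TrimEnd('$'))) {
        throw "SPN $spn is already registered on another account:`n$($q -join "`n")"
    }
}

# 3. Register both forms. -S is the duplicate-checking variant of -a.
setspn -S "HTTP/$fqdn"  $account
setspn -S "HTTP/$short" $account

# 4. Show what the account now holds and confirm there are no forest-wide duplicates.
setspn -L $account
setspn -X

Restart-WebAppPool $appPool
```

After the pool restarts, have a user log in once from a domain-joined client and then run the event-log check described next; a client that still negotiates NTLM usually means the browser is requesting a ticket for a host name that differs from the registered SPN (for example an alias or a non-FQDN).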
To check that Kerberos is used:
- Log in to Orchestrator using AD credentials.
- Open Event Viewer.
- In the Security log, look for a Logon event (event ID 4624, source Microsoft Windows security auditing) for the user who just logged in and select it. Details about the action are shown on the General tab.
- Under the Detailed Authentication Information section, the Logon Process should be Kerberos and the Authentication Package should be Kerberos. If they read NtLmSsp and NTLM instead, the client did not obtain a Kerberos ticket for the Orchestrator SPN and fell back to NTLM; recheck the SPN and the host name used in the browser.
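The same check across all recent network logons, so a lingering NTLM fallback shows up even when one test login happened to use Kerberos. This is an added example, not part of the UiPath page; it reads the Security log on the Orchestrator server and needs the same rights Event Viewer needs to open that log.

```powershell
# Added example (not UiPath's own script): summarise which authentication package recent
# successful logons (event 4624) used. Run on the Orchestrator server in an elevated shell.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500

$logons = $events | ForEach-Object {
    # EventData is easiest to read from the event's XML; build a name -> value map.
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType   = $d.LogonType                  # 3 = network logon, which is what IIS produces
        LogonProc   = $d.LogonProcessName           # 'Kerberos' or 'NtLmSsp'
        AuthPackage = $d.AuthenticationPackageName  # 'Kerberos' or 'NTLM'
        Client      = $d.IpAddress
    }
} | Where-Object { $_.LogonType -eq '3' }

# Per-user view: anyone still listed under NTLM is not getting a Kerberos ticket for the site.
$logons | Group-Object User, AuthPackage |
    Select-Object @{n='User/Package'; e={ $_.Name }}, Count |
    Sort-Object 'User/Package' | Format-Table -AutoSize

# Most recent individual logons, the same fields you read in Event Viewer.
$logons | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

Network logons from other services (file shares, remote management) appear in the same list, so filter on the Client column or on a test account when the server is busy.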
- Log in to the Management portal as a system administrator.
- Go to Users and select the Authentication Settings tab.
- In the External Providers section, click Configure under Active Directory:
The Configure Active Directory panel opens at the right of the screen.
- Select the Enabled checkbox.
- If you want to only allow users to log in using their Windows credentials, select the Force automatic login using this provider checkbox.
If selected, users can no longer log in using their Orchestrator username and password; they must use their Windows credentials, with a domain-qualified username.
- Keep the Use Kerberos Auth checkbox selected.
- Optionally edit the value in the Display Name field to customize the label for the Windows authentication button that is displayed on the Login page.
- Restart the IIS site. This is required whenever you make changes to External Providers.