The UiPath Orchestrator Guide

Configuring SSO: Active Directory

You can enable SSO using Windows authentication and enable the directory search functionality with the Active Directory integration. Directory search lets you search for directory accounts and groups from Orchestrator and work with them as you would with local accounts.

Standalone only: These instructions only apply if you have a standalone installation of Orchestrator. If you are using Orchestrator in Automation Suite, follow the Automation Suite instructions instead.

Step 1. Configure IIS to enable Windows authentication

If you already enabled Windows authentication during installation, as described here, then you can skip this step.

  1. Open IIS (Internet Information Services Manager).
  2. In the Connections section, navigate to the UiPath Orchestrator site. The Features View panel is updated accordingly.
  3. Double-click Authentication. The Features View section is updated accordingly.
  4. Select the Windows Authentication option and, in the Actions section, click Enable. Windows authentication is now enabled for the UiPath Orchestrator site.
  5. Make sure that the ASP.NET Impersonation option is Disabled.
  6. In the Connections panel, navigate to the Orchestrator Server Node. The Features View is updated accordingly.
  7. In the Management section, double-click Configuration Editor. The Features View is updated accordingly.
  8. In the Section drop-down list, navigate to system.webServer/httpErrors. The Features View is updated accordingly.
  9. In the Actions panel, click Unlock Section. If the section is not locked, skip this step.
  10. Select the defaultPath attribute and click Unlock Attribute in the Actions panel.
  11. Close IIS.

Step 2. Switch from NTLM to Kerberos authentication

By default, Orchestrator uses the [NTLM authentication protocol](https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff647076(v=pandp.10)#ntlm-authentication) when you log in with Active Directory credentials.
To switch to [Kerberos](https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff647076(v=pandp.10)#kerberos-authentication), you must switch the application pool to NetworkService and register a Service Principal Name (SPN) in Active Directory for the domain account that runs the service the client authenticates against.

To switch to Kerberos authentication:

  1. Open the Command Prompt.
  2. Change the directory to C:\Windows\System32 by running `cd C:\Windows\System32`.
  3. Run `setspn.exe -a https://<machine> <domain account>`, where:
     • `https://<machine>` is the URL at which your Orchestrator instance is reachable, such as https://DocOrch.uipath.local;
     • `<domain account>` is the name or domain\name of the machine on which Orchestrator is installed, or the user account, such as docteam or uipath.local\docteam.

To check that Kerberos is used:

  1. Log in to Orchestrator using AD credentials.
  2. Open Event Viewer.
  3. Look for the Microsoft Windows security audit and select it. Details about the action are updated on the General tab.
  4. Under the Detailed Authentication Information section, the Logon Process should be Kerberos.
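To make this check repeatable instead of clicking through Event Viewer, the following PowerShell script (an added example, not part of the UiPath guide) lists recent successful logon events (ID 4624) on the Orchestrator server and shows whether each one used Kerberos or fell back to NTLM. The `$User` value is an assumed placeholder; replace it with the account you logged in with.

```powershell
# Added example, not from the UiPath docs. Run in an elevated PowerShell session on
# the Orchestrator server after logging in to Orchestrator with AD credentials.
param(
    [int]$Minutes = 15,      # how far back in the Security log to look
    [string]$User = '*'      # TargetUserName filter, e.g. 'docteam' (assumed sample name)
)

$since = (Get-Date).AddMinutes(-$Minutes)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624         # "An account was successfully logged on"
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the EventData fields out of the event XML by name
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Logon type 3 = network logon, which is what an IIS Windows-auth request produces
    if ($data.LogonType -ne '3') { continue }
    if ($data.TargetUserName -notlike $User) { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
        Client      = $data.IpAddress
        LogonProc   = $data.LogonProcessName           # 'Kerberos' once the SPN is in place
        AuthPackage = $data.AuthenticationPackageName  # 'Kerberos' or 'NTLM'
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Any NTLM rows after the SPN was registered mean the client fell back to NTLM:
# check that the SPN exists for the account running the application pool and that
# the client reached Orchestrator by the name the SPN was registered for.
$kerb = @($rows | Where-Object { $_.AuthPackage -eq 'Kerberos' }).Count
$ntlm = @($rows | Where-Object { $_.AuthPackage -eq 'NTLM' }).Count
Write-Host "Kerberos logons: $kerb   NTLM logons: $ntlm"
```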

Step 3. Configure Orchestrator


  1. Log in to the Management portal as a system administrator.
  2. Go to Users and select the Authentication Settings tab.
  3. In the External Providers section, click Configure under Active Directory:

The Configure Active Directory panel opens at the right of the screen.

  4. Select the Enabled checkbox.
  5. If you want to only allow users to log in using their Windows credentials, select the Force automatic login using this provider checkbox.
     If selected, users can no longer log in using their Orchestrator username and password; they must use their Windows credentials, with a domain-qualified username.
  6. Keep the Use Kerberos Auth checkbox selected.
  7. Optionally edit the value in the Display Name field to customize the label for the Windows authentication button that is displayed on the Login page.
  8. Restart the IIS site. This is required whenever you make changes to External Providers.
