web.config file (
C:\Program Files (x86)\UiPath\Orchestrator) contains multiple settings that enable you to configure Orchestrator to your liking. Most of the parameters that interest you can be found under
appSettings, but there might be some logging configurations that can be changed after install.
It is recommended that only administrators change the values of these parameters.
Additionally, it is recommended that you shut down the IIS site in order to modify
web.config settings under any circumstances.
Parameters that are not documented in this page should not be changed, or have counterparts in the Settings pages.
All parameters are case sensitive.
DeploymentUrl- The address of a web app that uses the NuGet protocol (NuGet, MyGet), so that you can store your packages. By default, this is empty as Orchestrator provides a default NuGet package manager. This value should be changed only if you install Orchestrator in a cluster. For this to work properly, you also have to configure the following parameters:
NuGet.Packages.Pathas described below. The default value is used in the initial seeding of the database.
MonitoringUrl- The URL where you set up the Monitoring service. By default, this value is blank as Orchestrator comes with its own monitoring endpoint. This value should be changed only if you install Orchestrator in a cluster. The default value is used in the initial seeding of the database.
NotificationHubUrl- The URL where the SignalR channel is located. By default, this value is blank as Orchestrator comes with its own notification endpoint. This value should be changed only if you install Orchestrator in a cluster. The default value is used in the initial seeding of the database.
LoggingUrl- The URL where you want to save logs. By default, this value is blank as Orchestrator comes with its own logging endpoint. This value should be changed only if you install Orchestrator in a cluster. The default value is used in the initial seeding of the database.
LoggingIndex- The ElasticSearch index. By default, it is set to
logflow. The default value is used in the initial seeding of the database.
QueuesSvcUrl- The URL address of the Queues service. By default, this value is blank as Orchestrator comes with its own queues endpoint. This value should be changed only if you install Orchestrator in a cluster. The default value is used in the initial seeding of the database.
EncryptionKeyPerTenant.Enabled- Enables you to use different encryption keys per tenant, based on a Microsoft Azure Key Vault account. The following values can be attributed:
false- Uses a single encryption key on the entire Orchestrator instance. This is the default value.
true- Uses a different encryption key for each tenant, enhancing your tenant security and providing a better segregation of sentive data. If you enable this feature, you must also fill in the
EncryptionKeyPerTenant.KeyProviderparameter, as well as the ones in the SecureAppSettings section.
EncryptionKeyPerTenant.KeyProvider- Enables you to indicate in which key management application to store the encryption keys generated per tenant from Orchestrator. Set it to
AzureKeyVaultto use a preconfigured Microsoft Azure Key Vault. We do not provide Azure Key Vault licenses. Please note that you also have to configure the parameters described in the SecureAppSettings section. If
EncryptionKeyPerTenant.Enabledis set to
false, the parameter is not used.
In order for changes concerning cron jobs to take effect, the
Database.EnableAutomaticMigrations parameter must be set to
autogenerateStatistics- Automatically generates transaction charts. By default, this parameter is set to
inProgressMaxNumberOfMinutes- The maximum amount of time queue items can have the In Progress status. After this time, the status of the queue items changes to Abandoned. By default, this is set to 1440 minutes (24 hours).
QueuesStatisticsScheduleCron- The amount of time at which to update queue items statistics in the Dashboard and Transactions page, and the Chart window. By default, they are updated every minute.
UpdateUncompletedItemsJobCron- The amount of time at which to look in the database for queues that need to be moved to Abandoned. By default, this parameter is set to every hour.
DailyAlertMailJobCron- If e-mail alerts are enabled, a report (with all Fatal and Error messages that were received during the previous day) is sent every day at 7 a.m.
Alerts.Email.Enabled- Enable or disable e-mail alerts for Fatal and Error messages. This parameter corresponds to the Enable Alerts Email check box from the Settings page. By default, it is set to
false. For it to work, you also have to configure the e-mail related settings, from the Settings page. The default value is used in the initial seeding of the database. Changing the value afterwards does not toggle email alerts.
NotificationDistributerJobCron- the frequency with which alert notifications are sent to the interface. Alerts are sent by default every 10 seconds.
PeriodicErrorMailJobCron- the frequency with which email alerts should be sent. The default value is every 10 minutes.
PasswordComplexity- Controls the validation rules for password complexity and is expressed using regular expressions. The complexity applies to all passwords (including the host admin one) by default but each tenant can customize their user login password complexity on the Security tab in the Settings page. By default, passwords must contain at least 8 characters and at least one letter and a digit.
SystemJobs.DetectNotRespondingRobots.MaxAlertCount- Enables you to limit the number of alerts that are sent when Robots become unresponsive. This parameter can be useful if your Orchestrator instance deals with a very large number of Robots and most of them become unresponsive often. Please note that it is not displayed in the configuration file by default. For example, if you want to limit the number of alerts you receive for unresponsive Robots to 10, add
<add key="SystemJobs.DetectNotRespondingRobots.MaxAlertCount" value="10" />in the
web.configfile, under all the other alerts parameters. If you apply this setting, please note that a warning is raised in the Event Viewer when the total number of alerts is higher than that of the ones configured, such as:
Alerts not published: total number of unresponsive sessions (21) is bigger than configured max allowed (10)..
SystemJobs.LicenseExpirationAlert.DaysBefore- Enables you to define the time intervals before the license expiry date when you receive email alerts. The default value is
180,90,30,14,7,1, meaning you receive email alerts 6 times: 180, 90, 30, 14, 7 and 1 day before your license expires. You can define fewer values in order to reduce the email alerts' frequency. For example, this can be done by adding the following key in the
<add key="SystemJobs.LicenseExpirationAlert.DaysBefore" value="90,30,14" />.
NuGet.Repository.Type- Specifies where NuGet packages are saved. It can be populated as follows:
Legacy- Uses FileSystem for package sync. This is the default value in update scenarios. Packages and activities are saved in the locations specified in the
NuGet.Activities.Pathparameters, respectively. Can be used with either
<add key="NuGet.Repository.Type" value="Legacy" />.
Composite- Package metadata is saved to the SQL database for faster search and filtering. Packages are saved to the location specified through the
<add key="NuGet.Repository.Type" value="Composite" />. This parameter with
FileSystemis the default in clean installs.
The use of copy-paste commands in the packages-dedicated folder is not supported if
NuGet.Repository.Type is set to
Storage.Type- Defines the target where packages in the Composite scenario, and execution media are to be saved. It can be populated with the following targets:
FileSystem- such as
<add key="Storage.Type" value="FileSystem" />.
Azure- such as
<add key="Storage.Type" value="Azure" />.
Amazon- such as
<add key="Storage.Type" value="Amazon" />.
Minio- such as
<add key="Storage.Type" value="Minio" />.
Storage.Location- Defines the actual location where packages in the Composite scenario, and execution media are to be saved. Particularities:
- FileSystem - provide an absolute path in the
RootPath=C:\FolderName\AnotherFolderNameformat, such as
<add key="Storage.Location" value="RootPath=C:\FolderName\AnotherFolderName" />. In the provided folder, three other sub-directiories are created:
Libraries. Files are saved according to their type in dedicated folders, at the specified location. By default, they are stored at the following path:
C:\Program Files (x86)\UiPath\Orchestrator\Storage\Orchestrator-tenantKey, where
Orchestrator-tenantKeyis the key of your tenant as found in the database. For example
C:\Program Files (x86)\UiPath\Orchestrator\Storage\Orchestrator-12ab1234-a567-456b-a12b-ab3456b123ab.
- Azure - provide a connection string, such as
<add key="Storage.Location" value="DefaultEndpointsProtocol=https;AccountName=usr;AccountKey=...;EndpointSuffix=core.windows.net" />.
- Amazon - provide a connection string, such as
<add key="Storage.Location" value="EndpointRegion=eu-west-3;accessKey=AKIAZGUEIGXUJ3BBI4MW;secretKey=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;useHttp=false" />.
- Minio - provide a connection string, such as
<add key="Storage.Location" value="host=localhost:9001;accessKey=YVKYFJ0ZY246KDKP0634;secretKey=bdBEk2ubhIFsTNPuQ80PjKL+oqZBj67HoSWBFnw1" />.
- FileSystem - provide an absolute path in the
<add key=\"NuGet.Repository.Type\" value=\"Composite\" /> <add key=\"Storage.Type\" value=\"Azure\" /> <add key=\"Storage.Location\" value=\"DefaultEndpointsProtocol=https;AccountName=usr;AccountKey=...;EndpointSuffix=core.windows.net\" />
The configuration above instructs Orchestrator:
- to store the package metadata in the SQL database;
- to keep the actual files in the Azure Blob storage at the location indicated by the
- to use the default naming convention for the Azure container name -
If you have more than 99 tenants in Orchestrator, increase your default AWS S3 bucket account limit to match the number of tenants. This is required because a separate bucket is created for each tenant.
NuGet.Packages.Path- The NuGet path to the packages folder in the Legacy scenario. By default, this is
~/NuGetPackages. This can be a virtual or physical path.
NuGet.Packages.ApiKey- The license key of your NuGet account. If the activities and packages are stored in the same NuGet feed, the value of this parameter has to be identical to the
NuGet.Activities.ApiKeyone. The default value is used in the initial seeding of the database. Please note that arbitrary strings are also accepted.
NuGet.Activities.Path- The NuGet path to the activities folder in the Legacy scenario. By default, this is
NuGet.Activities.ApiKey- The license key of your NuGet account. If the activities and packages are stored in the same NuGet feed, the value of this parameter has to be identical to the
NuGet.Packages.ApiKeyone. Please note that arbitrary strings are also accepted.
Package synchronization between multiple Orchestrator nodes and the interface can be done either by monitoring the file system or using Redis. This can be configured using the configuration below. The recommended way is through Redis.
NuGet.EnableFileSystemMonitoring- If set to
true, constant file system monitoring is used to reflect the updates and changes from the packages folder. If set to
false, the sync of cache files on all nodes (cluster environment) or the sync between the packages directory and the Orchestrator interface (single-node environment) is done every 60 minutes. By default, this parameter is set to
NuGet.EnableRedisNodeCoordination- If set to
true, then synchronization of the package cache between Orchestrator nodes is done using Redis, instead of File System Monitoring. The sync is triggered whenever a package is uploaded or removed from Orchestrator through the interface, API or Studio publishing functionality. Please note that if you manually copy and paste package files (
.nupkg) in the Orchestrator packages folder, the sync of cache files of all nodes is done every 60 minutes. If this setting is used, the Redis component is mandatory. Please note that if you use this parameter, you have to set
false. By default, this parameter is set to
Processes.AllowUpdateWithRunningJobs- Specifies whether you are able or not to update a process while having running or pending jobs associated with it. Note that this parameter is hidden by default. The following values are available:
true- Processes can be modified while having associated running or pending jobs. Concerning this, there are a couple of things to consider:
- Running jobs associated to a modified process use the initial version of the process. The updated version is used for newly created jobs or at the next trigger of the same job.
- Pending jobs associated to a modified process use the updated version.
false- Processes cannot be modified while having associated running or pending jobs. Trying to modify a process, in this case, displays the following error message: "Modifying this process is not possible at the moment, because there are active jobs associated with it. (#1666)". This is the default value.
For example, if you want to be able to update your processes while having any associated jobs running, add
<add key="Processes.AllowUpdateWithRunningJobs" value="true" />in the
Deployment.Libraries.AllowTenantPublish- Enables you to specify whether the tenants using the host feed are able or not to upload libraries into the feed. The following values are available:
true- Libraries uploaded at tenant level are propagated to the host feed. This is the default value.
false- Libraries uploaded at tenant level are not propagated to the host feed. However, note that users do have access to the existing libraries in the feed.
You can configure this from the user interface as well. The corresponding option, Allow Tenant Users to Upload into the Feed, can be found at host level, on the Settings page. Details here.
Google authentication only works if Orchestrator is set up on a top-level domain.
ExternalAuth.Google.Enabled- Enables or disables Google authentication. By default, this is set to
ExternalAuth.Google.ClientId- A Google API code required for Google authentication. This cannot work without the
ExternalAuth.Google.ClientSecret- A Google API code required for Google authentication. This cannot work without the
AcceptedRootUrls parameters have to be configured before you can import Active Directory groups.
WindowsAuth.Enabled- Enables or disables Windows Active Directory authentication. It is automatically set according to what you chose during the installation process. By default, it is set to
WindowsAuth.Domain- The Windows domain that the users from the Active Directory that you want to import are connected to.
WindowsAuth.AutoLogin.Enabled- Enables or disables Windows automatic login. The value of this parameter is set during the installation or upgrade process.
AcceptedRootUrls- Enables you to add a list of trusted URLs. If no value is attributed to this setting, then no one can access Orchestrator. If you want to add multiple URLs, do it without spaces and separate items through commas (
,), such as
Auth.Cookie.Expire- The amount of time after which you are automatically logged off, in minutes. By default, this is set to 30 minutes.
Auth.Bearer.Basic.Expire- The amount of time after which your bearer token expires. By default, it is set to 30 minutes.
Auth.Bearer.Robot.Expire- The amount of time after which the bearer token of your Robot expires. By default, it is set to 30 minutes.
Auth.Cookie.ValidateInterval- The amount of time (in seconds) until you are logged out after a password reset or after a new session is detected. By default, this is set to
60seconds. This parameter is not displayed by default in the
web.configfile. For example, if you want to set it to 20 seconds, add the following key in
<add key="Auth.Cookie.ValidateInterval" value="20"/>.
Auth.DisabledPermissions- Enables you to configure permissions to be disabled from the user interface and ignored when using API. Note that this parameter is hidden by default. The permissions need to be added as they are used in API, and they have to be separated by commas. For example, if you want to disable Delete permissions on Libraries and Machines you need to add the following key in
<add key="Auth.DisabledPermissions" value="Machines.Delete,Libraries.Delete" />.
Auth.RememberMe.Enabled- Enables you to configure whether the Remember Me check box on the Login page is displayed or not. By default, the parameter is set to
true, meaning the check box is displayed. Set it to
falseto hide it. This setting is not displayed by default in the
Tenant.Registration.Enabled- Enables the creation of tenants, from the Login page, so that data can be isolated according to teams. By default, this is set to
false. The default value is used in the initial seeding of the database. Changing the value afterwards does not toggle the tenant creation options.
These settings should only be modified if you are using a load balancer.
LoadBalancer.UseSqlServer- Use the default SQL database to distribute messages to and from all the machines connected through your load balancer. By default, it is set to
LoadBalancer.UseRedis- Use Redis as a database to distribute messages and cache to and from all the machines connected through your load balancer. By default, it is set to
LoadBalancer.Redis.ConnectionString- Can only be used if
LoadBalancer.UseRedisis set to
true. A connection string that enables you to set up your Redis server, which contains the URL of the server, the password, and port used with Redis. It is also possible to enable SSL encrypted connections between the Orchestrator nodes and the Redis service. For more information, please click here. Examples:
- with SSL enabled -
<add key="LoadBalancer.Redis.ConnectionString" value="DOCWREDIS02:6379,password=12345678,ssl=true" />
- without SSL enabled -
<add key="LoadBalancer.Redis.ConnectionString" value="DOCWREDIS02:6379,password=12345678" />
- with SSL enabled -
Vault.Type- Enables you to select where Robot credentials are stored. The following options are available:
default- Robot credentials are stored in the Orchestrator database.
CyberArk- Robot credentials are stored in CyberArk’s Security vault, provided you correctly filled in the
Vault.CyberArk.AppId- The application id, as it is in the CyberArk® Enterprise Password Vault®.
Vault.CyberArk.Safe- The safe name, as it is in CyberArk® Enterprise Password Vault®.
Vault.CyberArk.Folder- The location in which your credentials are stored in CyberArk® Enterprise Password Vault®, such as
OrganizationUnit.Enabled- When set to
true, it enables you to add an additional level of data separation, through organization units. By default, it is set to
false. Keep in mind that this functionality is considered experimental.
HelpUrl- Enables you to point the Help button in Orchestrator to any version of the Orchestrator user guide, such as
https://orchestrator.uipath.com/v2018.1/. If you set the value to
https://orchestrator.uipath.com/, the last released version of the user guide is accessible.
Database.EnableAutomaticMigrations- Handles the initialization of the database and quartz setup system jobs for both installations and upgrades:
- If set to
false, the database and quartz setup system jobs are installed or upgraded from the Windows installer. This is the default value. For example, you can use this configuration set to
falsewhen updating your Orchestrator instance.
- If set to
true, the database and quartz setup system jobs are installed or upgraded when you start or restart the Orchestrator web application. For example, you can set this setting to
trueif you need to make a change to the
web.configfile and propagate it to the database.
- If set to
ExternalAuth.AzureAD.Enabled- When set to
true, it enables you to use the Azure Active Directory for authentication. By default, it is set to
ExternalAuth.AzureAD.ApplicationId- The ApplicationId associated with the registered Orchestrator in an Azure Active Directory.
ExternalAuth.AzureAD.RedirectUri- The Orchestrator web app URL that should also be used when registering the Orchestrator in Azure Active Directory, such as https://platform.uipath.com.
It is not recommended to use Microsoft Azure AD and Windows AD on the same Orchestrator instance.
ExternalAuth.Saml2.Enabled- When set to
true, it enables you to authenticate using SAML 2.0. By default, it is set to
Logs.RequestAbortedLogBehavior- Specifies the logging behavior for cancellation exceptions which are thrown upon cancellation of an operation that was executing. These are generated, for example, when you click a button and before the operation is executed, you click a different one. Note that this parameter is hidden by default. The following values are available:
Ignore- All cancellation exceptions are ignored if the corresponding requests were aborted. This is the default value.
Info- Cancellation exceptions are logged with Info severity level.
None- Cancellation exceptions are logged with Error severity level.
For example, if you don't want any cancellation exceptions to be logged, add
<add key="Logs.RequestAbortedLogBehavior" value="Ignore" /> in the
Webhooks.Enabled- By default, it is set to
true. This setting enables you to enable or disable the webhooks feature. If set to
<add key="Webhooks.Enabled" value="false" />, the feature is disabled.
Webhooks.Quotas.MaxCountPerTenant- This setting is not displayed by default in the
web.configfile. The maximum number of webhooks that can be enabled per tenant. By default, they are set to 100. To change the max count to 150 you can, for example, add the following:
<add key="Webhooks.Quotas.MaxCountPerTenant" value="150" />.
Webhooks.Requests.Timeout- This setting is not displayed by default in the
web.configfile. The amount of time after which each HTTP request is canceled. Please note that each request that times out is retried, according to the
Webhooks.Requests.RetryAfterparameter. By default, the timeout time is set to 15 seconds.
Webhooks.Requests.RetryAfter- This setting is not displayed by default in the
web.configfile. The amount of time, in seconds, after each failed request is retried. It is populated as a comma-separated list of integers, and is, by default set to
0, 15, 60, meaning that there are a maximum of 3 retries as follows:
- the first request retry is executed immediately after the first attempt failed;
- the second retry is executed 15 seconds after the first retry failed;
- the third retry is executed 60 seconds after the second one fails.
It is possible to change the number of delays. For example, if you write
<add key="Webhooks.Requests.RetryAfter" value="0,10" />, you have only two retries, the first being immediate, while the second after 10 seconds. We recommend that you always set the first retry to 0, and never set time amounts greater than 300 seconds (5 minutes).
Webhooks.Quotas.MaxPayloadSize- This setting is not displayed by default in the
web.configfile. It represents the maximum number of bytes a JSON payload (UTF-8) can have,
1048576being the default value. Any webhook event whose payload size is greater than the limit is dropped.
Webhooks.Quotas.MaxParallelRequests- The maximum number of webhooks a single CPU core should handle. By default, it is set to 100 per CPU core. This setting is not displayed by default in the
Scalability.Heartbeat.PeriodSeconds- The time interval, expressed in seconds, at which the Robot sends a heartbeat to Orchestrator, letting the latter know its status. By default, it is set to
Scalability.Heartbeat.FailureThreshold- The number of successively failed heartbeats send by a Robot until it is marked as unresponsive in Orchestrator. By default, it is set to
4, meaning that after 2 minutes of failed heartbeats (4 x 30 seconds = 2 minutes) a Robot is flagged as unresponsive.
Scalability.SignalR.Enabled- Specifies if the Robot service should subscribe to Orchestrator's SignalR channels. By default, it is set to
Scalability.SignalR.Transport- Specifies the transport protocol used to connect to Orchestrator's SignalR channels. The following values can be attributed (any combination - bitwise OR):
- WebSocketTransport = 1
- ServerSentEventsTransport = 2
- LongPollingTransport = 4
- Default value: 7 (WebSocketTransport | ServerSentEventsTransport | LongPollingTransport)
Scalability.SignalR.AuthenticationEnabled- If set to
true, enables the Robot SignalR authentication method, a method that ensures a secure communication between Orchestrator and Robot. This feature is disabled by default - set to
false. Please note that if you enable this feature, you cannot execute jobs on Robots with a version lower than 2018.4.3.
Telemetry.Enabled- Enables or disables the usage and performance data collection that UiPath uses to help diagnose problems and help improve Orchestrator. For more details about UiPath’s privacy practices, please review the privacy statement. The following values are available:
true- The telemetry feature is enabled. This is the default value.
false- The telemetry feature is disabled.
It is also possible to opt in or out of the performance and usage data collection when you install or update your Orchestrator instance, as described here.
MediaRecording.Enabled- Set it to
trueto enable the recording feature. By default, it is set to
false, meaning the feature is disabled. File storage is impacted by the
NuGet.Repository.Typeparameter, and configured using the
NuGet.Repository.Typeis set to
EncryptionKey- The encryption key used to secure passwords from credential assets. If you are using an environment with a network load balancer, this key should be the same for all machines.
The following parameters enable you to set up your Azure Key Vault, where you can store your tenant-based encryption keys. Please note that these parameters can be used only if
EncryptionKeyPerTenant.Enabled is set to
EncryptionKeyPerTenant.KeyProvider set to
AzureKeyVault. Additionally, ensure that you provide all key, secret, and certificate permissions to your Orchestrator instance, in the Access policies of your Azure Key Vault. For the full procedure, please see this page.
Azure.KeyVault.ClientId- The application ID of your Orchestrator instance. This can be found in Azure in App Registrations and should have the
ae11aa1a-1234-1234-a123-a12a12aaa1aaformat. This setting is not displayed by default in the
<add key="Azure.KeyVault.ClientId" value="ae11aa1a-1234-1234-a123-a12a12aaa1aa" />.
Azure.KeyVault.CertificateThumbprint- The thumbprint generated by Azure for the Orchestrator certificate. You can find this value in Azure in App Services > Your instance > SSL Settings > Private Certificates (or Public Certificates). This setting is not displayed by default in the
<add key="Azure.KeyVault.CertificateThumbprint" value="1234123412341234123412341234124312341234" />.
Azure.KeyVault.VaultAddress- The DNS name of your Azure Key Vault. This can be found in the Overview of your vault, in the DNS Name field, and should have the
https://CustomVaultName.vault.azure.net/format. This setting is not displayed by default in the
<add key="Azure.KeyVault.VaultAddress" value="https://CustomVaultName.vault.azure.net/" />.
NotRespondingRobotsJobStartDelay- Enables you to set a delay, in seconds, of the first check performed on your Robots' status after an upgrade. This parameter is not displayed by default in
Upload.Queues.MaxNumberOfItems- Enables you to lower the maximum number of items which can be uploaded at once using the bulk upload functionality. The default value is
15000. Please note that this parameter is not displayed by default in
The element below enables the compression of dynamic content, respectively large downloadable
.csv reports, in Orchestrator. By default, this feature is enabled - set to
true. To disable it change the value of the
enabled attribute to
<httpCompression> <dynamicTypes> <remove mimeType="text/csv" /> <add mimeType="text/csv" enabled="true" /> </dynamicTypes> </httpCompression>