- Getting Started
- Requirements
- Best Practices
- Installation
- Updating
- Identity Server
- High Availability Add-on
Orchestrator Installation Guide
UiPath.Orchestrator.dll.config
UiPath.Orchestrator.dll.config
file (C:\Program Files (x86)\UiPath\Orchestrator
) defines the parameters, settings, and preferences applied to your Orchestrator deployment.
-
Any changes to the parameters in this file are overwritten upon upgrade.
-
Only administrators should change the values of these parameters.
-
It is recommended to manually restart the website after making changes to
UiPath.Orchestrator.dll.config
. -
Parameters that are not documented on this page should not be changed or have counterparts in the Settings pages.
-
All parameters are case sensitive.
EncryptionKeyPerTenant.Enabled
Enables you to use different encryption keys per tenant, based on a Microsoft Azure Key Vault account. The following values can be attributed:
false
- Uses a single encryption key on the entire Orchestrator instance. This is the default value.true
- Uses a different encryption key for each tenant, enhancing your tenant security and providing better segregation of sensitive data.
EncryptionKeyPerTenant.KeyProvider
parameter, as well as the ones in the SecureAppSettings section.
EncryptionKeyPerTenant.KeyProvider
AzureKeyVault
to use a preconfigured Microsoft Azure Key Vault. We do not provide Azure Key Vault licenses. Please note that you also have to configure the parameters described in the SecureAppSettings section. If EncryptionKeyPerTenant.Enabled
is set to false
, this parameter is not used.
Changes made to the encryption settings here need to be mirrored in the Identity Server appsettings.Production.json file, according to the following field equivalence:
Orchestrator UiPath.Orchestrator.dll.config |
Identity Server appsettings.Production.json |
---|---|
EncryptionKeyPerTenant.Enabled |
EncryptionKeyPerTenant |
Azure.KeyVault.VaultAddress |
AzureKeyVaultAddress |
Azure.KeyVault.CertificateThumbprint |
AzureKeyVaultCertificateThumbprint |
Azure.KeyVault.ClientId |
AzureKeyVaultClientId |
EncryptionKeyPerTenant.KeyProvider |
MultiTenantEncryptionKeyProvider |
Database.EnableAutomaticMigrations
parameter must be set to true
beforehand.
autogenerateStatistics
true
.
inProgressMaxNumberOfMinutes
The maximum amount of time queue items can have the In Progress status. After this time, the status of the queue items changes to Abandoned. By default, this is set to 1440 minutes (24 hours).
QueuesStatisticsScheduleCron
The frequency of updating queue items statistics in the Dashboard and Transactions page, and the Chart window. By default, they are updated every minute.
UpdateUncompletedItemsJobCron
The frequency of searching the database for queues that need to be moved to Abandoned. By default, this parameter is set to every hour.
Queue.MaxSlaInMinutes
UiPath.Orchestrator.dll.config
, including in update scenarios.
Queue.MaxSchemaFileSizeInKilobytes
UiPath.Orchestrator.dll.config
file.
Queue.SlaReadaheadTimeLimitHours
UiPath.Orchestrator.dll.config
.
Queue.MaxSpecificDataSizeInKiloBytes
The maximum size of Specific Data content for new queue items, in kilobytes. For clean Orchestrator installations, this parameter is hidden and has a default value of 1024 (1MB). In upgrade scenarios, this parameter is visible and has a value of 204800 (200MB).
Queue.ProcessActivationSchedule
The amount of time between checks for unprocessed queue items. By default, it is set to 30 minutes. To adjust the check interval, specify a value between 0 and 59, restart the IIS, then delete the existing queue trigger and recreate it.
DailyAlertMailJobCron
Enables you to configure a cron expression that controls when daily email alerts are sent. This only works if email alerts are enabled. The report contains all the Fatal and Error severity alerts generated the previous day. By default, it is sent every day at 7 a.m.
Alerts.Email.Enabled
false
. For it to work, you also have to configure the email related settings from the Settings page. The default value is used in the initial seeding of the database. Changing the value afterward does not toggle email
alerts.
NotificationDistributerJobCron
The frequency with which alert notifications are sent to the interface. By default, alerts are sent every 10 seconds.
PeriodicErrorMailJobCron
Enables you to configure a cron expression that controls the frequency with which periodic email alerts are sent. This only works if email alerts are enabled. The default value is every 10 minutes, meaning the report contains Fatal and Error severity alerts generated in the past 10 minutes. If no alerts have been generated, no report is sent.
PasswordComplexity
Controls the validation rules for password complexity and is expressed using regular expressions. The complexity applies to all passwords (including the host admin one) by default. Still, each tenant can customize their user login password complexity on the Security tab in the Settings page. By default, passwords must contain at least 8 characters and at least one letter and a digit.
SystemJobs.DetectNotRespondingRobots.MaxAlertCount
<add key="SystemJobs.DetectNotRespondingRobots.MaxAlertCount" value="10" />
in the UiPath.Orchestrator.dll.config
file, under all the other alerts parameters. If you apply this setting, please note that a warning is raised in the Event
Viewer when the total number of alerts is higher than that of the one configured, such as: Alerts not published: total number of unresponsive sessions (21) is bigger than the configured max allowed (10).
.
SystemJobs.LicenseExpirationAlert.DaysBefore
180,90,30,14,7,1
, meaning you receive email alerts 6 times: 180, 90, 30, 14, 7, and 1 day before your license expires. You can define fewer
values to reduce the email alerts' frequency. For example, this can be done by adding the following key in the UiPath.Orchestrator.dll.config
file: <add key="SystemJobs.LicenseExpirationAlert.DaysBefore" value="90,30,14" />
.
Storage.Type
and Storage.Location
parameters.
Storage.Type
Defines the target where packages and execution media are saved. It can be populated with the following targets:
FileSystem
-<add key="Storage.Type" value="FileSystem" />
.Azure
-<add key="Storage.Type" value="Azure" />
.Amazon
-<add key="Storage.Type" value="Amazon" />
.Minio
-<add key="Storage.Type" value="Minio" />
.
Storage.Location
Defines the actual location where packages and execution media are saved.
Storage.Location
parameter is mandatory when:
- upgrading from any pre-2020.10 version of Orchestrator, and
- the previous
NuGet.Repository.Type
wasLegacy
, and - the previous
NuGet.Packages.Path
did not use the default value.
Target |
Location |
---|---|
FileSystem |
Provide an absolute path using the following format:
RootPath=C:\FolderName\AnotherFolderName .
Example:
<add key="Storage.Location" value="RootPath=C:\FolderName\AnotherFolderName" /> .
In the provided folder, the following folder structure gets created: Orchestrator-Host\Libraries - One folder dedicated to the libraries stored in the host feed.
Orchestrator-[tenantKey] -One folder for each tenant. The tenant is identified by the tenant key as found in the database. For example Orchestrator-12ab1234-a567-456b-a12b-ab3456b123ab .
For each tenant folder, three other sub-directories are created:
Files are saved in the dedicated folders at the specified location. By default, they are stored at the following path:
C:\Program Files (x86)\UiPath\Orchestrator\Storage .
|
Azure |
Provide a connection string. Example:
<add key="Storage.Location" value="DefaultEndpointsProtocol=https;AccountName=usr;AccountKey=...;EndpointSuffix=core.windows.net"
/> .
|
Amazon |
Provide a connection string. Example:
<add key="Storage.Location" value="EndpointRegion=eu-west-3;accessKey=AKIAZGUEIGXUJ3BBI4MW;secretKey=W/LOzDbI1qumvcwYs8iUf4pRwW6ltKos/paTLVYM;useHttp=false"
/> .
|
Minio |
Provide a connection string. Example:
<add key="Storage.Location" value="host=localhost:9001;accessKey=YVKYFJ0ZY246KDKP0634;secretKey=bdBEk2ubhIFsTNPuQ80PjKL+oqZBj67HoSWBFnw1"
/> .
|
Example
<add key=\"Storage.Type\" value=\"Azure\" />
<add key=\"Storage.Location\" value=\"DefaultEndpointsProtocol=https;AccountName=usr;AccountKey=...;EndpointSuffix=core.windows.net\" />
<add key=\"Storage.Type\" value=\"Azure\" />
<add key=\"Storage.Location\" value=\"DefaultEndpointsProtocol=https;AccountName=usr;AccountKey=...;EndpointSuffix=core.windows.net\" />
The configuration above instructs Orchestrator:
- to store the package metadata in the SQL database;
- to keep the actual files in the Azure Blob storage at the location indicated by the
DefaultEndpointsProtocol=https;AccountName=usr;AccountKey=...;EndpointSuffix=core.windows.net
connection string; - to use the default naming convention for the Azure container name -
Orchestrator-tenantKey
.Important: If you have more than 99 tenants in Orchestrator, increase your default AWS S3 bucket account limit to match the number of tenants. This is required because a separate bucket is created for each tenant.
NuGet.Packages.ApiKey
NuGet.Activities.ApiKey
one. The default value is used in the initial seeding of the database. Please note that arbitrary strings are also accepted.
NuGet.Activities.ApiKey
NuGet.Packages.ApiKey
one. Please note that arbitrary strings are also accepted.
Package synchronization between multiple Orchestrator nodes and the interface can be done either by monitoring the file system or using Redis. This can be configured using the configuration below. The recommended way is through Redis.
Processes.AllowUpdateWithRunningJobs
Specifies whether you can delete a process while having running or pending jobs associated with it. Note that this parameter is hidden by default. The following values are available:
true
- Processes can be deleted while having associated running or pending jobs.false
- Processes cannot be deleted while having associated running or pending jobs. Trying to delete a process, in this case, displays the following error message: "Modifying this process is not possible at the moment, because there are active jobs associated with it. (#1666)". This is the default value.
<add key="Processes.AllowUpdateWithRunningJobs" value="true" />
in the UiPath.Orchestrator.dll.config
file.
Deployment.Libraries.AllowTenantPublish
Enables you to specify whether the tenants using the host feed can or cannot upload libraries into the feed. The following values are available:
true
- Libraries uploaded at the tenant level are propagated to the host feed. This is the default value.false
- Libraries uploaded at the tenant level are not propagated to the host feed. However, note that users do have access to the existing libraries in the feed.
You can configure this from the user interface as well. The corresponding option, Allow Tenant Users to Upload into the Feed, can be found at the host level, on the Settings page. Details here.
Buckets.ContentSecurityPolicy
UiPath.Orchestrator.dll.config
file.
Buckets.AvailableProviders
Orchestrator
, Amazon
, Azure
, Minio
, S3Compatible
solutions and FileSystem
. Multiple values can be entered with a comma separator.
UiPath.Orchestrator.dll.config
file, and only the following providers are selected: Orchestrator
, Amazon
, Azure
, and Minio
. The default behavior is specific to both clean installations and upgrades. If the key is visible, the available providers
are limited to those specified as Buckets.AvailableProviders
values.
Minio
and FileSystem
, add the following key:
<add key="Buckets.AvailableProviders" value="Orchestrator,Amazon,Azure,S3Compatible" />
<add key="Buckets.AvailableProviders" value="Orchestrator,Amazon,Azure,S3Compatible" />
Buckets.FileSystem.Allowlist
Buckets.FileSystem.Allowlist
.
|
character, can be entered. Note that the paths must be fully qualified, either rooted with a drive or a UNC path (e.g. c:\
, c: est
, \\servershare\shared
), and each of them represents a prefix allowed to be used for any bucket. A bucket can be created on that particular path
or any subpath.
Buckets.FileSystem.Allowlist
setting has a series of security implications, you are strongly advised to refer to Using the FileSystem Storage Allowlist Securely before proceeding.
The external authentication providers' configuration has been moved to Identity Server's External Providers page.
WindowsAuth.Enabled
, WindowsAuth.Domain
and AcceptedRootUrls
parameters have to be configured before you can import Active Directory groups.
WindowsAuth.Enabled
Enables or disables Windows Active Directory's user import functionality. To enable the authentication using Windows Active Directory, please configure the external providers in Identity Server.
WindowsAuth.Domain
All domains and subdomains from forests that are 2-way trusted with the domain specified here are available when adding AD users/groups. You can only specify one domain in this parameter.
WindowsAuth.GroupMembershipCacheExpireHours
UiPath.Orchestrator.dll.config
file, with the default value being set to 1
hour.
WindowsAuth.ConvertUsersAtLogin
true
, it converts each local AD user with AD credentials into a directory user after the first login with AD credentials. As an
alternative, you can use the script documented here to convert all the local AD users that have logged in with AD credentials into directory users. This parameter is not displayed
by default in the UiPath.Orchestrator.dll.config
file. It is set to false
by default.
AcceptedRootUrls
,
), such as "https://server1,https://server2"
.
Auth.Cookie.Expire
The amount of time after which you are automatically logged off, in minutes. By default, this is set to 30 minutes.
Auth.Bearer.Robot.Expire
The amount of time after which the bearer token of your Robot expires. By default, it is set to 30 minutes.
Auth.Cookie.ValidateInterval
60
seconds. This parameter is not displayed by default in the UiPath.Orchestrator.dll.config
file. For example, if you want to set it to 20 seconds, add the following key: <add key="Auth.Cookie.ValidateInterval" value="20"/>
.
Auth.DisabledPermissions
<add key="Auth.DisabledPermissions" value="Machines.Delete,Libraries.Delete" />
.
Auth.RememberMe.Enabled
true
, meaning the check box is displayed. Set it to false
to hide it. This setting is not displayed by default in the UiPath.Orchestrator.dll.config
file.
Auth.AllowChangePassword
UiPath.Orchestrator.dll.config
file. The following values are available:
true
- The user can change his password on the Profile page. This is the default value.false
- The user cannot change his password on the Profile page.
Auth.AllowSelfEmailUpdate
true
, meaning you can update it. Set the parameter to false
to make the field read-only. This setting is not displayed by default in the UiPath.Orchestrator.dll.config
file.
ExternalAuth.AccessTokenAuth.Enabled
UiPath.Orchestrator.dll.config
file. The following values are available:
true
- The user can make authenticated requests using an access token issued by Auth0. This is only considered if you set a valid audience for theExternalAuth.AccessTokenAuth.Audience
parameter.false
- The user cannot make authenticated requests using an access token issued by Auth0. This is the default value.
ExternalAuth.AccessTokenAuth.Audience
<add key="ExternalAuth.AccessTokenAuth.Audience" value="https://cloud.uipath.com" />
. This setting is not displayed by default in the UiPath.Orchestrator.dll.config
file.
ExternalAuth.ShowPII
<add key="ExternalAuth.ShowPII" value="true" />
. The key is not displayed by default in UiPath.Orchestrator.dll.config
, and the default behavior does not allow for PII display.
WindowsAuth.GroupMembershipCacheExpireHours
Enables you to configure the AD group membership cache. The default value is 1, meaning changes made to AD group membership are synced with Orchestrator once every hour for active user sessions.
RestrictBasicAuthentication
Moved to Identity Server appsettings.json.
EnableBasicAuthenticationForHostTenant
Moved to Identity Server appsettings.json.
These settings should only be modified if you are using a load balancer.
LoadBalancer.UseRedis
false
.
LoadBalancer.Redis.ConnectionString
LoadBalancer.UseRedis
is set to true
. A connection string that enables you to set up your Redis server, which contains the URL of the server, the password, and
the port used with Redis. It is also possible to enable SSL encrypted connections between the Orchestrator nodes and the Redis
service. For more information, please click here. Examples:
- with SSL enabled -
<add key="LoadBalancer.Redis.ConnectionString" value="DOCWREDIS02:6379,password=12345678,ssl=true" />
- without SSL enabled -
<add key="LoadBalancer.Redis.ConnectionString" value="DOCWREDIS02:6379,password=12345678" />
Plugins.SecureStores
\Orchestrator\Plugins
folder of your installation directory. For example:
- Single Store:
<add key="Plugins.SecureStores" value="UiPath.Orchestrator.CyberArk.dll"/>
-
Multiple Stores:
<add key="Plugins.SecureStores" value="UiPath.Orchestrator.CyberArk.dll,UiPath.Orchestrator.SecureStore.CyberArkCCP.dll,UiPath.Orchestrator.AzureKeyVault.SecureStore.dll"/>
Note: When upgrading an Orchestrator instance with an existing CyberArk integration, this setting is pre-populated with the CyberArk plugin. For all other installations, the setting value is empty by default.
Plugins.SecureStores.CyberArk.CLIPasswordSDKExePath
CLIPasswordSDK64.exe
in a custom installation path. For example, if D:\CustomFolder\
is the CyberArk installation directory, you need to add the following key: <add key="Plugins.SecureStores.CyberArk.CLIPasswordSDKExePath" value="D:\CustomFolder\CLIPasswordSDK64.exe"/>
. The default value of this app setting is C:\Program Files (x86)\CyberArk\ApplicationPasswordSdk\CLIPasswordSDK64.exe
.
Plugins.SecureStores.CyberArk.UsePowerShellCLI
false
. Add the following key to enable it: <add key="Plugins.SecureStores.CyberArk.UsePowerShellCLI" value="true"/>
.
The configuration for Azure AD authentication has been moved to Identity Server's External Providers page.
Logs.RobotLogs.ReadTarget
database
or robotelasticbuffer
).
RobotsLogs.Flush.Interval
UiPath.Orchestrator.dll.config
. Unless specified otherwise, its value is 0 seconds. The following example shows how to set a flush interval of 60 seconds,
which means that the Robot sends logs to the server every 60 seconds.
<add key="RobotsLogs.Flush.Interval" value="60" />
<add key="RobotsLogs.Flush.Interval" value="60" />
RobotsLogs.Flush.BatchSize
UiPath.Orchestrator.dll.config
. Unless specified otherwise, its value is 100 log message entries, which translates to the Robot sending batches of 100 logs
to the server.
<add key="RobotsLogs.Flush.BatchSize" value="100" />
<add key="RobotsLogs.Flush.BatchSize" value="100" />
Logs.RequestAbortedLogBehavior
Specifies the logging behavior for cancellation exceptions which are thrown upon cancellation of an operation that was executing. These are generated, for example, when you click a button, and before the operation is executed, you click a different one. Note that this parameter is hidden by default. The following values are available:
Ignore
- All cancellation exceptions are ignored if the corresponding requests were aborted. This is the default value.Info
- Cancellation exceptions are logged with Info severity level.None
- Cancellation exceptions are logged with Error severity level.
<add key="Logs.RequestAbortedLogBehavior" value="Ignore" />
in the config file.
Logs.Elasticsearch.SharedIndex
index
parameter in the NLog target. For example, <add key="Logs.Elasticsearch.SharedIndex" value="robotlogs" />
. Details here. Note that this parameter is hidden by default.
Logs.Elasticsearch.EnableFolderIdFilter
true
by default, meaning logs are hidden. Set it to false
to display them: <add key="Logs.Elasticsearch.EnableFolderIdFilter" value="false" />
Webhooks settings have been moved to Webhooks Service's appsettings.json file.
Scalability.Heartbeat.PeriodSeconds
30
seconds.
Scalability.Heartbeat.FailureThreshold
4
, meaning that after 2 minutes of failed heartbeats (4 x 30 seconds = 2 minutes), a Robot is flagged as unresponsive.
Scalability.SignalR.Enabled
true
. This parameter is used in the initial seeding of the database. To make changes after installation, use the Settings page, at tenant or host level.
Scalability.SignalR.Transport
Specifies the transport protocol used to connect to Orchestrator's SignalR channels. The following values can be attributed (any combination bitwise OR):
- WebSocketTransport = 1
- ServerSentEventsTransport = 2
- LongPollingTransport = 4
- Default value: 7 (WebSocketTransport | ServerSentEventsTransport | LongPollingTransport)
This parameter is used in the initial seeding of the database. To make changes after installation, use the Settings page, at tenant or host level.
Scalability.AzureSignalR.ConnectionString
Helps you enable Azure SignalR Service, facilitating direct communication between your Robot fleet and the SignalR Service
Scalability.AzureSignalR.ConnectionCount
key. This parameter is enabled in our Cloud offering. It is not displayed by default in the UiPath.Orchestrator.dll.config
file.
<add key="Scalability.AzureSignalR.ConnectionString" value="Endpoint=https://test.signalr.net;AccessKey=M1ug+sBu07hyyi12AgyJ52SEd4OgC2Mm6BvllVHCC9c=;Version=1.0;"
/>
.
Scalability.AzureSignalR.ConnectionCount
5
. Example: <add key="Scalability.AzureSignalR.ConnectionCount" value="7" />
. This setting is not displayed by default and cannot be used without the Scalability.AzureSignalR.ConnectionString
key.
Scalability.SignalR.RequireStickySessions
true
, all transports are enabled, and Orchestrator assumes sticky sessions are enabled on the load balancer. Enabling sticky sessions
in UiPath.Orchestrator.dll.config
without enabling them on the load balancer will result in failed SignalR connections.
Insights.TableCreationRetryCount
3
.
UiPath.Orchestrator.dll.config
file.
Insights.TableCreationRetryBackoffSeconds
60
.
UiPath.Orchestrator.dll.config
file.
Telemetry.Enabled
Enables or disables the usage and performance data collection that UiPath uses to help diagnose problems and improve Orchestrator. For more details about UiPath’s privacy practices, please review the privacy statement. The following values are available:
true
- The telemetry feature is enabled. This is the default value.false
- The telemetry feature is disabled.
It is also possible to opt-in or out of the performance and usage data collection when you install or update your Orchestrator instance, as described here.
MediaRecording.Enabled
true
to enable the recording feature. By default, it is set to false
, meaning the feature is disabled. File storage is impacted by the NuGet.Repository.Type
parameter, and configured using the Storage.Type
and Storage.Location
parameters when NuGet.Repository.Type
is set to Composite
.
Pagination.Limits.Enabled
true
by default for Cloud Platform and clean installs of on-premise Orchestrator instances. Adds a default $top
value for all calls to API endpoints with pagination parameters (e.g. odata/Users
).
Triggers.DisableWhenFailedCount
Triggers.DisableWhenFailedCount
allows you to adjust the number of failed runs whereas Triggers.DisableWhenFailingSinceDays
enables you to change the number of days. By default, the Triggers.DisableWhenFailedCount
value is 10, and the Triggers.DisableWhenFailingSinceDays
value is 1, which means that the trigger is disabled after 10 unsuccessful attempts to launch if there were no successful
runs in the past day.
Triggers.JobsCountStrategy
Enables you to choose the job count strategy for jobs launched through triggers. Hidden by default. The following options are available:
PerProcess
- A trigger launches the required number of jobs taking into account any pending jobs for the specified process. E.g., two triggers defined for the same process launch 3 and 5 jobs, respectively. If the first trigger launches 3 jobs at a given point in time, when the second trigger is set off, 2 jobs are launched so as to reach the 5 required jobs. Add the following key in the config file to use this strategy:<add key="Triggers.JobsCountStrategy" value="PerProcess" />
. This is the default value.PerTrigger
- A trigger launches the required number of jobs taking into account any existing jobs previously launched by that same trigger. E.g., a trigger is defined to launch 9 jobs at a given point in time. If 2 jobs have been successfully completed by the time this trigger is set off again, Orchestrator launches another 2 jobs so as to reach the 9 required jobs. Add the following key in the config file to use this strategy:<add key="Triggers.JobsCountStrategy" value="PerTrigger" />
.NoLimit
- The trigger launches the required number of jobs irrespective of any existing, pending jobs. E.g., a trigger is defined to launch 5 jobs at a given point in time. The second time the trigger is set off, another 5 jobs are launched. Add the following key in the config file to use this strategy:<add key="Triggers.JobsCountStrategy" value="NoLimit" />
.
PreventAutoRefresh.Enabled
<add key="PreventAutoRefresh.Enabled" value="true" />
key can be added to restrict auto-refreshing of the page when jobs are running. The key is not displayed by default, and
the default value is false
meaning Orchestrator auto-refreshes the page for each new job.
PreventAutoRefresh.Enabled
parameter.
QueueActivation.TriggerCache.Expiration.Minutes
Control how simple quartz triggers are generated for queues with associated Queue Triggers.
- If set to
0
, a quartz trigger is generated for each item added in a queue. - If set to a value larger than 0, the system checks if there’s already a quartz trigger created for that queue and prevents
it from creating another one. The restriction is removed when the Queue Trigger conditions are met. If the Queue Trigger fails
to do this, the restriction is removed according to the value set for the
QueueActivation.TriggerCache.Expiration.Minutes
parameter. The default value is5
.
Features.ClassicFolders.Enabled
false
, meaning classic folders are disabled, and only modern folders are available. This parameter is hidden by default.
Jobs.TerminatingJobsTimeout
1440
, meaning jobs can't be marked as Failed unless they have been in a Terminating state for at least one day. This parameter
is hidden by default.
Jobs.TerminatingJobsCleanupCron
Jobs.TerminatingJobsTimeout
parameter. The default values are 0 0 0/3 1/1 * ? *
for Jobs.TerminatingJobsCleanupCron
, and 1440
for Jobs.TerminatingJobsTimeout
, meaning the background job runs once every three hours and only transitions to Failed the jobs that have been in a Terminating
state for at least one day. This parameter is hidden by default.
PW.StopExploringCron
0 25 * ? * *
meaning the background job runs at minute 25 of every hour. If they do not have the required permissions, the explore sessions
are terminated. This parameter is hidden by default.
Features.LongRunning.Enabled
<add key="Features.LongRunning.Enabled" value="true" />
.
Tasks.ModuleEnabled
<add key="Tasks.ModuleEnabled" value="true" />
. This setting makes the feature available at the instance level. To configure it on a per-tenant basis, follow the steps
here. The Features.LongRunning.Enabled
parameter needs to be set to true
for this setting to take effect.
Features.SmartCardAuthentication.Enabled
<add key="Features.SmartCardAuthentication.Enabled" value="true" />
.
ActiveDirectory.SearchInputMinimumLength
UiPath.Orchestrator.dll.config
file. Example: <add key="ActiveDirectory.SearchInputMinimumLength" value="4" />
.
ActiveDirectory.SearchResultsSizeLimit
UiPath.Orchestrator.dll.config
file. Example: <add key="ActiveDirectory.SearchResultsSizeLimit" value="30" />
.
ActiveDirectory.SearchResultsTimeLimitSeconds
UiPath.Orchestrator.dll.config
file. Example: <add key="ActiveDirectory.SearchResultsSizeLimit" value="40" />
.
OData.BackwardsCompatible.Enabled
true
, special characters in the body of requests and responses are parsed. By default, this parameter is hidden and set to false
.
NotRespondingRobotsJobStartDelay
UiPath.Orchestrator.dll.config
.
Upload.Queues.MaxNumberOfItems
15000
. Please note that this parameter is not displayed by default in UiPath.Orchestrator.dll.config
.
Processes.FilterOutDeleted
Enables you to optimize how Orchestrator retrieves processes. Optimization is achieved by removing unnecessary verifications for orphaned processes whose associated packages were deleted. This improves the overall performance of your instance, especially if it's a large deployment. The following values are available:
false
- Package retrieval is optimized; verifications are not performed for orphaned processes.true
- Package retrieval is not optimized.
true
by default, meaning process retrieval is not optimized.
CertificatesStoreLocation
<add key="CertificatesStoreLocation" value="LocalMachine" />
. Make sure that AzureKeyVaultCertificateStoreLocation
in appsettings.Production.json has the same value.
The encryption key used to secure passwords in credential assets. If you are using an environment with a network load balancer, this key should be the same for all machines.
EncryptionKeyPerTenant.Enabled
is set to true
, and EncryptionKeyPerTenant.KeyProvider
set to AzureKeyVault
. Additionally, ensure that you provide all key, secret, and certificate permissions to your Orchestrator instance, in the
Access policies of your Azure Key Vault. For the full procedure, please see this page.
ae11aa1a-1234-1234-a123-a12a12aaa1aa
format. This setting is not displayed by default in the UiPath.Orchestrator.dll.config
file. Example: <add key="Azure.KeyVault.ClientId" value="ae11aa1a-1234-1234-a123-a12a12aaa1aa" />
.
UiPath.Orchestrator.dll.config
file. Example: <add key="Azure.KeyVault.CertificateThumbprint" value="1234123412341234123412341234124312341234" />
.
https://CustomVaultName.vault.azure.net/
format. This setting is not displayed by default in the UiPath.Orchestrator.dll.config
file. Example: <add key="Azure.KeyVault.VaultAddress" value="https://CustomVaultName.vault.azure.net/" />
.
This section contains settings for configuring SSO login, S2S access tokens, and Robot provisioning access tokens.
The following parameters allow you to configure SSO login through the Identity Server:
ExternalAuth.System.OpenIdConnect.Enabled
true
.
ExternalAuth.System.OpenIdConnect.Authority
https://Orchestrator/Identity
, where Orchestrator
is the installation address of your Orchestrator.
ExternalAuth.System.OpenIdConnect.ClientId
Enables you to set the Orchestrator application ID (clientId) registered insider Identity Server. The value is generated at install time and saved within Identity Server.
ExternalAuth.System.OpenIdConnect.ClientSecret
Enables you to set the Client Secret for the Orchestrator application to be recognized by the external authentication system. The value is generated at install time and saved within Identity Server.
ExternalAuth.System.OpenIdConnect.RedirectUri
http://Orchestrator/signinsystemopenidconnect
.
ExternalAuth.System.OpenIdConnect.PostLogoutRedirectUri
The address that Identity Server redirects to after a user logs out of Orchestrator. This value is automatically populated with your Orchestrator URL.
UiPath.Orchestrator.dll.config
should contain these keys:
<add key="ExternalAuth.System.OpenIdConnect.Enabled" value="true" />
<add key="ExternalAuth.System.OpenIdConnect.Authority" value="https://Orchestrator/Identity" />
<add key="ExternalAuth.System.OpenIdConnect.ClientId" value="orchestrator" />
<add key="ExternalAuth.System.OpenIdConnect.ClientSecret" value="49C1A7E1-0C79-4A89-A3D6-A37998FB86B0" />
<add key="ExternalAuth.System.OpenIdConnect.RedirectUri" value="https://Orchestrator/signinsystemopenidconnect" />
<add key="ExternalAuth.System.OpenIdConnect.PostLogoutRedirectUri" value="https://Orchestrator/" />
<add key="ExternalAuth.System.OpenIdConnect.Enabled" value="true" />
<add key="ExternalAuth.System.OpenIdConnect.Authority" value="https://Orchestrator/Identity" />
<add key="ExternalAuth.System.OpenIdConnect.ClientId" value="orchestrator" />
<add key="ExternalAuth.System.OpenIdConnect.ClientSecret" value="49C1A7E1-0C79-4A89-A3D6-A37998FB86B0" />
<add key="ExternalAuth.System.OpenIdConnect.RedirectUri" value="https://Orchestrator/signinsystemopenidconnect" />
<add key="ExternalAuth.System.OpenIdConnect.PostLogoutRedirectUri" value="https://Orchestrator/" />
UiPath.Orchestrator.dll.config
:
IdentityServer.Integration.Enabled
true
.
IdentityServer.Integration.Authority
https://Orchestrator/Identity
, where Orchestrator
is the installation address of your Orchestrator.
IdentityServer.Integration.ClientId
Enables you to set the application Id (Client Id) used to generate S2S access tokens registered inside Identity Server. The value is generated at install time.
IdentityServer.Integration.ClientSecret
Enables you to set the Client Secret for the Orchestrator S2S application to be recognized by Identity Server. The value is generated at install time.
IdentityServer.Integration.AccessTokenCacheBufferInSeconds
50
.
IdentityServer.Integration.UserOrchestratorApiAudience
OrchestratorApiUserAccess
.
<add key="IdentityServer.Integration.Enabled" value="true" />
<add key="IdentityServer.Integration.Authority" value="https://Orchestrator/Identity" />
<add key="IdentityServer.Integration.ClientId" value="orchestratorapiaccess" />
<add key="IdentityServer.Integration.ClientSecret" value="a5d57b1d-5b25-49ba-bff7-33aa57f96a58" />
<add key="IdentityServer.Integration.AccessTokenCacheBufferInSeconds" value="50" />
<add key="IdentityServer.Integration.UserOrchestratorApiAudience" value="OrchestratorApiUserAccess" />
<add key="IdentityServer.Integration.Enabled" value="true" />
<add key="IdentityServer.Integration.Authority" value="https://Orchestrator/Identity" />
<add key="IdentityServer.Integration.ClientId" value="orchestratorapiaccess" />
<add key="IdentityServer.Integration.ClientSecret" value="a5d57b1d-5b25-49ba-bff7-33aa57f96a58" />
<add key="IdentityServer.Integration.AccessTokenCacheBufferInSeconds" value="50" />
<add key="IdentityServer.Integration.UserOrchestratorApiAudience" value="OrchestratorApiUserAccess" />
UiPath.Orchestrator.dll.config
:
IdentityServer.S2SIntegration.Enabled
UiPath.Orchestrator.dll.config
.
IdentityServer.Integration.S2SOrchestratorApiAudience
OrchestratorApiS2SAccess
.
UiPath.Orchestrator.dll.config
also contains the following pre-existent keys with their values set to true
:
MultiTenancy.AllowHostToAccessTenantApi
true
, it allows the host users to access other tenants' specific data. By default, the value is set to true
.
MultiTenancy.TenantResolvers.HttpGlobalIdHeaderEnabled
true
setting allows Orchestrator to identify the tenant by reading the tenant global id from the API's request header.
<add key="IdentityServer.S2SIntegration.Enabled" value="true" />
<add key="IdentityServer.Integration.S2SOrchestratorApiAudience" value="OrchestratorApiS2SAccess" />
<add key="MultiTenancy.AllowHostToAccessTenantApi" value="true" />
<add key="MultiTenancy.TenantResolvers.HttpGlobalIdHeaderEnabled" value="true" />
<add key="IdentityServer.S2SIntegration.Enabled" value="true" />
<add key="IdentityServer.Integration.S2SOrchestratorApiAudience" value="OrchestratorApiS2SAccess" />
<add key="MultiTenancy.AllowHostToAccessTenantApi" value="true" />
<add key="MultiTenancy.TenantResolvers.HttpGlobalIdHeaderEnabled" value="true" />
Orchestrator acts as a Token Generator for Robots. Robots call the Orchestrator endpoint to generate an access token. The access token is then passed to activities that can call different resources, such as AI Fabric. With the integration of Identity Service with Orchestrator, Identity Server takes over the access tokens' generation.
UiPath.Orchestrator.dll.config
key: <logger name="Robot.*" writeTo="database,robotElasticBuffer" final="true" />
. It is used to configure log messages generated by Robots. The following parameters have to be configured:
-
writeTo
- The location where log messages generated by the Robot are written. The following values are available:database
- Logs are sent to Orchestrator's SQL database. This is one of the default values.-
robotElasticBuffer
- Logs are sent to Elasticsearch. This is the second default value. Please remember this requires additional settings. Details here.Having logs sent both to the Orchestrator's SQL database and Elasticsearch enables you to have non-repudiation logs. Delete one of the values to stop logging to that location.
final
- A flag that indicates what to do when a match between a logged message and the logger name is found. When set totrue
, it does not look for another match. When set tofalse
, other rules matching the same source are checked. By default, it is set totrue
.
UiPath.Orchestrator.dll.config
key: <logger name="Quartz.*" minlevel="Info" writeTo="eventLogQuartz" final="true" />
. It is used to configure log messages generated by schedules.
quartz.jobStore.clustered
parameter to true
.
UiPath.Orchestrator.dll.config
key: <logger name="Monitoring.*" writeTo="monitoring" minlevel="Warn" final="true" />
. It is used to configure the error logs displayed on the Monitoring page. Please note if you remove this rule or alter the target
, no error logs will display on the Monitoring page.
UiPath.Orchestrator.dll.config
key: <logger name="BusinessException.*" minlevel="Info" writeTo="businessExceptionEventLog" final="true" />
. It is used to configure the logs for thrown business exceptions. For example validation issues (e.g Invalid username
) or business conflicts (e.g. License expired
).
UiPath.Orchestrator.dll.config
key: <logger name="*" minlevel="Info" writeTo="eventLog" />
. It is used to configure all other logs besides the ones described above, including those generated by Orchestrator.
Learn about additional settings.
The following NLog target must be populated according to your Elasticsearch configuration:
<target xsi:type="ElasticSearch" name="robotElastic" uri="<elasticSearch_url_1>,<elasticSearch_url_2>, <elasticSearch_url_3>" index="${event-properties:item=indexName}-${date:format=yyyy.MM}" documentType="logEvent" includeAllProperties="true" disablePing="true" layout="${message}" excludedProperties="agentSessionId,tenantId,organizationUnitId,indexName" />
<target xsi:type="ElasticSearch" name="robotElastic" uri="<elasticSearch_url_1>,<elasticSearch_url_2>, <elasticSearch_url_3>" index="${event-properties:item=indexName}-${date:format=yyyy.MM}" documentType="logEvent" includeAllProperties="true" disablePing="true" layout="${message}" excludedProperties="agentSessionId,tenantId,organizationUnitId,indexName" />
uri
- the Elasticsearch URL; note that you have to include the protocol and port, such ashttp://elastic_server:9200
. You can remove the need for a load balancer by populating this parameter with the Elasticseach URL of each node, such asuri="http://elastic-node1:9200,http://elastic-node2:9200,http://elastic-node3:9200"
.excludedProperties
- data that you do not want to be saved to Elasticsearch.index
- the format of the logging index, which can be either unique per tenant or shared across all tenants. Details below.
- Individual Index -
index="${event-properties:item=indexName}-${date:format=yyyy.MM}"
A separate index is used for each tenant, meaning that logs specific to one tenant are generated and retrieved based on a unique tenant identifier, in this case,indexName
, which defaults to the name of the tenant. This is the default configuration. In this case, logs are generated per month. -
Shared Index -
index="robotlogs-${date:format=yyyy.MM.dd}"
One index is used for all tenants, meaning that all logs use the same index regardless of the tenant. In this case, logs are generated per day. To use a shared index, you are also required to add the following key inUiPath.Orchestrator.dll.config
:<add key="Logs.Elasticsearch.SharedIndex" value="robotlogs" />
. Make sure to set it to the same value as for theindex
parameter in the NLog target.Important: Logs generated using an individual index are kept if you shift to a shared index. However, logs generated using a shared index are lost if you shift to an individual one.
To store system event logs in the database rather than Event Viewer, follow these steps:
-
Create a new database table, for example:
CREATE TABLE [dbo].[EventLogs]( [Id] [bigint] IDENTITY(1,1) NOT NULL, [Timestamp] [datetime] NOT NULL, [Level] [int] NOT NULL, [Message] [nvarchar](max) NULL, [Exception] [nvarchar](max) NULL)
CREATE TABLE [dbo].[EventLogs]( [Id] [bigint] IDENTITY(1,1) NOT NULL, [Timestamp] [datetime] NOT NULL, [Level] [int] NOT NULL, [Message] [nvarchar](max) NULL, [Exception] [nvarchar](max) NULL)In the above query, we create a table namedEventLogs
with the following columns:Id
- to hold an ID number for each log, here starting with1
and incrementing the value with each log added;Timestamp
- to hold the time each event was logged;Level
- to hold the numerical logging level of each event;Message
- to hold the message of each event, if applicable;-
Exception
- to hold the exception logged for each event, if applicable.Note: You can use any name for your table, and remove any columns from the above query or add others to suit your needs.
-
In the
UiPath.Orchestrator.dll.config
file, add a new NLog target:<target xsi:type="Database" connectionString="${ui-connection-strings:item=Default}" name="eventLogDatabase" keepConnection="true"> <commandText> INSERT INTO dbo.EventLogs (Timestamp, Level, Message, Exception) VALUES (@timestamp, @level, @message, @exception) </commandText> <parameter name="@timestamp" layout="${date:format=yyyy-MM-dd HH\:mm\:ss.fff}" /> <parameter name="@level" layout="${event-properties:item=levelOrdinal}" /> <parameter name="@message" layout="${message}" /> <parameter name="@exception" layout="${onexception:${exception:format=tostring:maxInnerExceptionLevel=5:innerFormat=tostring}}" /> </target>
<target xsi:type="Database" connectionString="${ui-connection-strings:item=Default}" name="eventLogDatabase" keepConnection="true"> <commandText> INSERT INTO dbo.EventLogs (Timestamp, Level, Message, Exception) VALUES (@timestamp, @level, @message, @exception) </commandText> <parameter name="@timestamp" layout="${date:format=yyyy-MM-dd HH\:mm\:ss.fff}" /> <parameter name="@level" layout="${event-properties:item=levelOrdinal}" /> <parameter name="@message" layout="${message}" /> <parameter name="@exception" layout="${onexception:${exception:format=tostring:maxInnerExceptionLevel=5:innerFormat=tostring}}" /> </target>Defining a correspondingparameter
for the data to be added in each database column, in this example@timestamp
,@level
,@message
, and@exception
. -
Lastly, associate the newly created target with the NLog logger classification for all Orchestrator messages, from above, by adding:
<logger name="*" minlevel="Info" writeTo="eventLog,eventLogDatabase" />
<logger name="*" minlevel="Info" writeTo="eventLog,eventLogDatabase" />
NLog is an open-source, easily configured, and extensible logging platform for a variety of .NET platforms. With NLog, you can store or pass log data to any number of predefined or custom targets, such as a local file, an event log, email, or database.
Trace
,
Debug
, Info
, Warn
,
Error
, Fatal
, or Off
. See Logging Levels for a
description of the available levels in Orchestrator.
Off
, it is enabled by configuring the following section
of the UiPath.Orchestrator.dll.config
file:
<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" autoReload="true" throwExceptions="false" internalLogLevel="Off" internalLogFile="">
<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" autoReload="true" throwExceptions="false" internalLogLevel="Off" internalLogFile="">
The attributes which must be set are:
internalLogLevel
- the desired logging levelinternalLogFile
- the location of the log file
For example:
<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" autoReload="true" throwExceptions="false" internalLogLevel="Debug" internalLogFile="C:\logs.txt">
<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" autoReload="true" throwExceptions="false" internalLogLevel="Debug" internalLogFile="C:\logs.txt">
internalLogFile
.
- App Settings
- Advanced Installation Settings
- Queues
- Alerts
- Deployment
- Storage Buckets
- Authorization
- Load Balancer
- Password Vault
- Azure AD Authentication
- Logs
- Webhooks
- Scalability
- Insights
- Analytics
- Media Recording
- Pagination
- Triggers
- Others
- SecureAppSettings
EncryptionKey
Azure.KeyVault.ClientId
Azure.KeyVault.CertificateThumbprint
Azure.KeyVault.VaultAddress
- Identity Server Settings
- Single Sign-On
- Integration
- Robot Provisioning Access Tokens
- Logging Configuration
- Robot Logs
- Schedules Logs
- Monitoring Logs
- Business Exception Logs
- Other Logs
- Additional Settings
- Elasticsearch
- Index Configuration
- Logging Events in the Database
- Enabling NLog Debugging