# Configuring the Active Directory Integration > You can enable SSO using Windows authentication and enable the directory search functionality with the Active Directory integration. Directory search lets you search for directory accounts and groups from Orchestrator and work with them as you would with local accounts. You can enable SSO using Windows authentication and enable the directory search functionality with the Active Directory integration. Directory search lets you search for directory accounts and groups from Orchestrator and work with them as you would with local accounts. :::note After enabling this integration, local user accounts are linked to an Active Directory user and, in the process, their username attribute is updated to the format `user@domain`. Thus the user can no longer use their original username to sign in and must instead use the new username in the format `user@domain`, or the email address tied to the Active Directory account. ::: :::important **Prerequisites** * To integrate with Windows Active Directory (AD) and use Windows Authentication, LDAP port 389 must be accessible on one or more domain controllers in your domain. * Work with your IT administrators to ensure the Orchestrator server can access your Active Directory (AD). * If you plan on using LDAP over SSL (LDAPS), you must obtain and install certificates for configuring secure LDAP on each domain controller. For more information and instructions, see the [LDAP over SSL (LDAPS) Certificate](https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx) article on the Microsoft website. ::: ## About Integration Options When users log in to Orchestrator with their Active Directory credentials, Orchestrator uses the [Kerberos](https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview) protocol to authenticate users. ## Step 1. Configure the Orchestrator Cluster (Kerberos Only) If you do not want to use the Kerberos protocol for authentication, skip to the next step. ### Requirements for multi-node clusters * The nodes in the cluster must be deployed under a load balancer. Use the load balancer host name whenever the hostname is required in these instructions. * The Orchestrator application pool must be configured to run under a custom identity. The custom identity should be a domain account. ### Setting a Custom Identity This is only required if you are running a multi-node cluster, or a single-node cluster with a load balancer. For single-node clusters with no load balancer, this is optional. 1. Open IIS (Internet Information Services Manager). 2. In IIS, in the **Connections** panel on the left, select **Application Pools**. 3. Go to **Identity** > **Advanced Settings** > **Process Model** > **Identity**. 4. In the **Application Pool Identity** dialog, select **Custom account** and specify a domain-qualified user account. 5. Select **OK** to apply your changes. 6. Close IIS. !['Internet Information Services Manager' image](https://dev-assets.cms.uipath.com/assets/images/orchestrator/orchestrator-internet-information-services-manager-image-233270-1c7a5360.webp) ### SPN Setup If the Orchestrator application pool is configured to run under a custom identity, that account must have an SPN registered for the host name. This step is required if you are running: * a multi-node cluster because you must define a custom identity or * a single-node cluster with a load balancer, which is treated the same as a multi-node cluster. This step is not required if: * you are running a single-node cluster with no load balancer and * you chose to use a custom identity, but you used the cluster computer name as the custom identity On a domain-joined machine that has write access in the target Orchestrator organization and tenant: 1. Open the Command Prompt. 2. Change the directory to `C:\Windows\System32`, by using the `cd C:\Windows\System32` command. 3. Run the command `setspn.exe -a HTTP/ `, where: * HTTP/<hostname> - The URL at which your Orchestrator instance can be accessed. * `` - The name or domain\name of the custom identity as which the Orchestrator application pool is running. ## Step 2. Configure IIS to Enable Windows Authentication :::note If you have a multi-node installation, you must perform IIS configuration on each of your cluster nodes. ::: 1. Open IIS (Internet Information Services Manager). 2. In the **Connections** section, under the **Sites** node, select **UiPath Orchestrator**. 3. In the main panel, select **Authentication** to view the details. 4. Select **Windows Authentication** and then, in the **Actions** panel on the right, select **Advanced Settings**. :::note If not already enabled, enable Windows Authentication to continue with these instructions.!['Internet Information Services Manager' image](https://dev-assets.cms.uipath.com/assets/images/orchestrator/orchestrator-internet-information-services-manager-image-231092-8060a422.webp) ::: 5. Select the **UiPath Orchestrator** site on the left, and then select **Configuration Editor** in the main area. !['Internet Information Services Manager' image](https://dev-assets.cms.uipath.com/assets/images/orchestrator/orchestrator-internet-information-services-manager-image-229336-fc63d86c.webp) 6. In the **Configuration Editor**, along the top, from the **Section** list, select **system.webServer/security/authentication/windowsAuthentication**. 7. For **useAppPoolCredentials**, set the value to **True**: ## Step 3. Configure Orchestrator 1. Log in to the [Management portal](https://docs.uipath.com/orchestrator/standalone/2024.10/user-guide/about-the-host-level#host-management-portal) as a system administrator. 2. Go to **Users** and select the **Authentication Settings** tab. 3. In the **External Providers** section, select **Configure** under **Active Directory**: ![docs image](https://dev-assets.cms.uipath.com/assets/images/orchestrator/orchestrator-docs-image-226347-afec2147.webp) The **Configure Active Directory** panel opens at the right of the screen. 4. Select the **Enabled** checkbox. 5. If you want to only allow users to log in using their Active Directory credentials, select the **Force automatic login using this provider** checkbox. If selected, users can no longer log in using their Orchestrator username and password; they must use their Active Directory credentials, with a domain-qualified username. 6. If you want to use the Kerberos protocol for authentication, select the **Use Kerberos Auth** checkbox. We recommend using Kerberos. * If you select this option, users are automatically signed in to Orchestrator without needing to enter their credentials. * If you do not select this option, the default NTLM protocol is used and users must enter their Active Directory credentials to log in. 7. Optionally edit the value in the **Display Name** field to customize the label for the Windows authentication button that is displayed on the Login page. 8. Restart the IIS site. This is required whenever you make changes to External Providers. ## Step 4. Verify the Authentication Protocol Now that the integration is configured, we recommend performing a test login using AD credentials and verifying that your chosen authentication protocol (NTLM or Kerberos) is used for logging in. 1. Log in to Orchestrator using your Active Directory credentials to create a login event. Note the time when you logged in. 2. Open **Event Viewer** in Windows. 3. Go to **Window Logs** > **Security**. 4. In the list of security events, look for the entry with the following specifics: * **Event ID**: 4624 * **Date and Time**: Today's date and the time when you logged in with your Active Directory credentials. 5. Select the row to open the event properties dialog. 6. On the **General** tab, scroll down to the Detailed Authentication Information section and check the following: !['General tab in Event properties' image](https://dev-assets.cms.uipath.com/assets/images/orchestrator/orchestrator-general-tab-in-event-properties-image-226363-979e9132.webp) If Kerberos authentication was used: * the value of **Authentication Package** must be **Negotiate** * the value of **Package Name** must be blank (`-`) because this only applies for NTLM. If this value is **NTLM V2**, then the default authentication protocol was used and not Kerberos. In Google Chrome incognito mode, the browser prompts for credentials and it does an explicit authentication with credentials. The flow does work and it uses Kerberos.