How to enable Kerberos for Windows Authentication in Automation Suite?
How to enable Kerberos post AS installation?
To enable SSO with Windows Authentication, Automation Suite relies on Kerberos authentication. Configuring it makes user onboarding easier, because Windows AD groups or users can be added to the Automation Suite services.
- Ensure the Automation Suite cluster is in the same network as the AD domain server. To check this, run nslookup from one of the servers in the cluster against the domain server; it should respond with the server IP address.
Note: Connect to one of the server nodes in the cluster.
- nslookup
- Setting up Kerberos authentication requires an AD user with two important characteristics: the user's password should never expire, and the account should have Kerberos 256-bit encryption. This can be verified by looking at the properties of the user.
- Use PowerShell to execute the query below:
Get-ADUser -Identity -Properties "PasswordExpired","KerberosEncryptionType"
- In the example below, the AD user “gourav” and the properties for the user are queried.
- Both of these properties can be set in the AD GUI for the user.
- Once the user is set up correctly in Active Directory, the next step is to generate the keytab file for the user using the command below:
<ktpass -princ HTTP/@ -pass -mapuser \ -pType KRB5_NT_PRINCIPAL -out -crypto AES256-SHA1>
- Encode the generated keytab file in Base64: open PowerShell and execute the following command.
[Convert]::ToBase64String([System.IO.File]::ReadAllBytes(""))
- Once the Base64 value is obtained, use it to enable Kerberos for Windows Authentication by running the command below.
Note: Run the command below on one of the server nodes in the cluster.
cd /opt/UiPathAutomationSuite
./configureUiPathAS.sh identity kerberos-auth global-config update --enabled [kerberos-enabled] --adDomain [ad-domain] --username [default-ad-username] --keytab [default-ad-user-keytab] --lifetime [ticketLifeTimeInHour]
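
Before passing the Base64 string to --keytab, it can be decoded and checked for an HTTP/ principal with an AES256-SHA1 key, which is what the ktpass step above is meant to produce. The Python below is an added example, not part of the UiPath tooling or documentation; it assumes the keytab file format version 0x0502, and the function names and the sample principal HTTP/as.example.test@EXAMPLE.TEST are constructed for illustration.

```python
import base64
import struct

AES256_SHA1 = 18  # enctype number of aes256-cts-hmac-sha1-96 (RFC 3962)

def _counted(buf, pos):
    """Read a 16-bit length-prefixed byte string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(b64_text):
    """Return [(principal, enctype, kvno)] for each entry of a Base64 keytab."""
    raw = base64.b64decode(b64_text.strip(), validate=True)
    if raw[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(raw):
        (size,) = struct.unpack_from(">i", raw, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        if end > len(raw):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", raw, pos)
        realm, p = _counted(raw, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(raw, p)
            comps.append(comp.decode())
        kvno, enctype = struct.unpack_from(">BH", raw, p + 8)  # skip name type, timestamp
        _key, p = _counted(raw, p + 11)    # key bytes are read but never returned
        if end - p >= 4:                   # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", raw, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), enctype, kvno))
        pos = end
    return entries

def has_http_aes256_key(b64_text):
    """True if some entry is an HTTP/ service principal with an AES256-SHA1 key."""
    return any(p.startswith("HTTP/") and e == AES256_SHA1 for p, e, _ in parse_keytab(b64_text))

def sample_keytab(enctype):
    """Constructed sample: one entry for HTTP/as.example.test@EXAMPLE.TEST, all-zero key."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + s(b"EXAMPLE.TEST") + s(b"HTTP") + s(b"as.example.test")
            + struct.pack(">IIBH", 1, 0, 3, enctype) + s(bytes(32)) + struct.pack(">I", 3))
    return base64.b64encode(b"\x05\x02" + struct.pack(">i", len(body)) + body).decode()
```

The keytab and its Base64 form hold the AD account's long-term key, so run the check on the machine where the file already is instead of copying it elsewhere.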