How To Configure Cross Sub-Domain Windows Authentication In Orchestrator?

In this scenario there are two sub-domains, both part of the same parent domain. What are the prerequisites for configuring Windows authentication in such a setup, and how is it troubleshooted when it fails?

Error Message: an example of the error seen in the event logs under

Applications log -> Microsoft -> Windows -> NTLM



The prerequisites are as follows:

  1. Enable Windows authentication in IIS and make the corresponding changes in the Orchestrator web.config file.
  2. Import the users from Active Directory.
  3. Ensure that the user account under which the application pool runs has read access to Active Directory. To check which account the application pool runs under, go to IIS -> Application Pools -> UiPath Orchestrator.
  4. If two sub-domains are involved, ensure that there is a two-way trust relationship between them. To confirm this, log in to a machine in one sub-domain (for example abc.com) with a user account from the other sub-domain (def.com). This validates the relationship from the application side; the IT team should confirm it from the domain side as well.
  5. By default, Orchestrator uses NTLM authentication for Windows accounts. To ensure that traffic coming from the NTLM server is allowed, check that the NTLM policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options is set to "Allow all".



If the above prerequisites do not resolve the issue, perform the following troubleshooting steps.

Troubleshooting Steps
  1. Check the event viewer log Applications log -> Microsoft -> Windows -> NTLM for any errors and take the appropriate action based on what is reported.
  2. Follow the documentation "How to turn on NTLM audit logging on a Windows 2008 DC to troubleshoot NTLM authentication errors for Web Gateway" to learn how to enable NTLM audit logging on the domain controller.
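The following PowerShell script is an added example, not part of the original article or of UiPath's product, that checks the prerequisites above and pulls recent NTLM errors from one session on the Orchestrator server. It assumes the IIS site and application pool are both named "UiPath Orchestrator", that the other sub-domain is def.com (the article's placeholder), and that the WebAdministration and ActiveDirectory modules (IIS tools / RSAT) are installed.

```powershell
# Added diagnostic script (not from the original article or UiPath).
# Assumptions: site and app pool are both "UiPath Orchestrator", the other
# sub-domain is def.com, and WebAdministration + ActiveDirectory modules exist.
#Requires -RunAsAdministrator
param(
    [string]$AppPool     = 'UiPath Orchestrator',
    [string]$Site        = 'UiPath Orchestrator',
    [string]$OtherDomain = 'def.com'   # placeholder taken from the article
)
Import-Module WebAdministration
Import-Module ActiveDirectory

# 1. Windows authentication must be enabled on the site (prerequisite 1).
$winAuth = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled
"Windows authentication enabled on '$Site': $($winAuth.Value)"

# 2. Which account the application pool runs under (prerequisite 3).
$pm = (Get-ItemProperty "IIS:\AppPools\$AppPool").processModel
$identity = if ($pm.identityType -eq 'SpecificUser') { $pm.userName } else { $pm.identityType }
"Application pool '$AppPool' runs as: $identity"

# AD read check against the other sub-domain. This runs as the current user;
# to test the pool identity itself, run the script under that account.
try {
    $null = Get-ADUser -Filter 'Name -like "*"' -ResultSetSize 1 -Server $OtherDomain
    "AD read from ${OtherDomain}: OK"
} catch {
    "AD read from ${OtherDomain}: FAILED - $($_.Exception.Message)"
}

# 3. Trust between the sub-domains should be two-way (prerequisite 4).
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive |
    Format-Table -AutoSize

# 4. Recent NTLM errors and warnings from the log the article points to
#    (Applications and Services Logs -> Microsoft -> Windows -> NTLM).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Level     = 2, 3                      # 2 = Error, 3 = Warning
    StartTime = (Get-Date).AddDays(-1)
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

If the trust listing shows a one-way Direction for the other sub-domain, or the NTLM log shows blocked traffic, that points back to prerequisites 4 and 5 respectively.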