Insights Installation Failure Due to Kerberos Keytable Issues

Why is it not possible to proceed with Insights installation using Windows auth to connect to the SQL DB?

Issue Synopsis: Sometimes, during the installation of Insights, the following errors are thrown at the DB configuration step while attempting to connect to the SQL DB using Windows credentials:

  • "Unable to construct Kerberos keytable file."
  • "Failed to authenticate to Kerberos server using keytable."

Resolution: To resolve these errors, follow the troubleshooting steps below.

  1. Prerequisites: Make sure the prerequisites mentioned here are met.

  1. SQL Permissions: Re-validate that your user has been granted the permissions described here: Insights SQL DB Permissions
  • Regardless of the type of user (domain or SQL) that needs to be connected to SQL Server, assign it the dbcreator Server Role BEFORE installing Insights. If security restrictions do not allow the use of the dbcreator Server Role in the service account, create the empty database in SQL Server. The schema / tables within the DB are created when the Insights feature is enabled in the Orchestrator installer.

  1. Windows Authentication Considerations: When using Windows Authentication to connect to the DB, note the following:
  • This option requires a new SQL Server login for a service account. The service account should be a domain user whose password never expires.
  • The Windows username used to connect to SQL is case sensitive. Hence, ensure you have entered the correct case.
  • To enable Windows Authentication, SQL Server needs to support authentication through the Kerberos protocol, so ensure that Kerberos authentication is enabled before proceeding with the Insights install. To validate that Kerberos is enabled correctly, run the following SQL query in the DB:

SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid;

This should return "Kerberos" if you want to leverage Windows auth to connect to the DB.

  • More information is available here: expand the "Windows Integration Authentication" option.
  • There is a known issue with passwords that include an ampersand (&): the ampersand does not get escaped when the Kerberos keytable file is generated. If this scenario applies, change the password so that it does not contain an ampersand. The UiPath Product team is aware of this limitation and is working on a fix for upcoming releases. In general, whenever the password contains special characters, it is a good idea to validate that it is usable. Test whether the password is valid with this command:

ktpass /out {outputFilepath} /princ {principal} /mapuser {principal} /pass {password} /crypto all /ptype KRB5_NT_PRINCIPAL -setpass

Where principal is "username@domain".

For example, if the password has an ampersand (&), which has been known to cause issues as mentioned above, you will get the following result:

  1. SQL Authentication: Lastly, as a workaround, consider using SQL authentication instead of Windows authentication to connect to the DB during the Insights installation, which bypasses the errors discussed above.
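
The Kerberos validation from the Windows Authentication step, as an added PowerShell example (not UiPath's code): it opens an integrated-security connection and reports auth_scheme for that same session, since the query result describes whichever connection runs it. The -SqlServer and -Database parameters, the sample host name, and the use of System.Data.SqlClient from Windows PowerShell are assumptions.

```powershell
# Added example, not UiPath code. Run it as the Insights service account from the
# machine where the installer runs. -SqlServer is an assumed placeholder parameter.
param(
    [Parameter(Mandatory = $true)][string]$SqlServer,  # e.g. sql01.corp.example (constructed)
    [string]$Database = 'master'
)

# Integrated Security makes the connection use the caller's Windows identity,
# so auth_scheme for @@SPID reflects how *this* login was authenticated.
$connString = "Server=tcp:$SqlServer;Database=$Database;Integrated Security=SSPI;Connect Timeout=15"
$query = @'
SELECT c.auth_scheme, c.net_transport, s.login_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE c.session_id = @@SPID;
'@

$conn = New-Object System.Data.SqlClient.SqlConnection($connString)
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $reader = $cmd.ExecuteReader()
    if (-not $reader.Read()) { throw 'No row returned for the current session.' }
    $result = [pscustomobject]@{
        Login      = [string]$reader['login_name']     # compare case with the name typed into the installer
        Transport  = [string]$reader['net_transport']
        AuthScheme = [string]$reader['auth_scheme']
    }
    $reader.Close()
}
finally {
    $conn.Dispose()
}

$result | Format-List

# PowerShell's switch compares strings case-insensitively.
switch ($result.AuthScheme) {
    'KERBEROS' { Write-Host 'Kerberos is in use; Windows authentication can be used for Insights.' }
    'NTLM'     {
        Write-Warning 'Connection fell back to NTLM. Check the SPN registration of the SQL Server service account before installing.'
        exit 1
    }
    default    { Write-Warning "Unexpected auth_scheme '$($result.AuthScheme)'."; exit 1 }
}
```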