How to enable Kerberos authentication?
Event Viewer Logs
The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request
- Package name indicates which sub-protocol was used among the NTLM protocols
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
The logon for the user failed with status 0xc00002fd.
In a case below, the user password had to be changed a few times before the ticket moves from rc4 to aes256.
- Check below documents Kerberos And Mim
It sounds like to be an ad domain issue. Try resetting password 6 or more times as explained above. It would be nice to purge tickets afterwards.
Steps Need To Be Perform
For the Kerberos Perform the below steps on the same user i.e. Current application user/Machine with elevated rights
To perform this change, perform the following steps:
- Open the Command Prompt
- Change the directory to C:\Windows\System32, by using the cd C:\Windows\System32 command
- Give the setspn.exe -a HTTPS:// command, where:
HTTPS:// - represents the URL at which your Orchestrator instance is reachable, such as https://DocOrch.uipath.local;
- - represents the name or domain\name of the machine on which Orchestrator is installed, or the user account, such as doc team or uipath.local\docteam.
Steps to enable Kerberos Event Logging
- Start Registry Editor
- Add the following registry value:
- Registry Value: LogLevel
- Value Type: REG_DWORD
- Value Data: 0x1
- If the Parameters subkey does not exist, create it.
- Quit Registry Editor. The setting will become effective immediately on Windows Server 2012 R2, Windows 7, and later versions.
- Find any Kerberos-related events in the system log.
- See SQL Server failing to authenticate Network Service account, which is the machine account. Check the application pool account configured before switching to NetworkService account.
- To workaround the issue, need to either one of the 2 options below,
- Allow SQL Server access for the machine account.
- Switch to SQL Authentication in the config files.
After successfully change the logon of the webpools to Network Service and Orchestrator. However, if still encountering the login prompt when disabling RC4 encryption, check below point,
- AES encryption needs to be enabled on the Client side GPO.
This caused the Kerberos to fail until the client machine could leverage AES. Once the client and server have the same GPO encryption policy for Kerberos, the issue will be resolved with the popup.