Orchestrator Active Directory Domain Unreachable

I have made some progress trying to integrate Windows Active Directory with Orchestrator. Now when I click to sign in using Windows credentials, I receive the following error.

Can anyone explain why this error is occurring and what I might have to do in order to fix it? Thanks

Next step would be to review Logs in the Windows Event Viewer > Windows Logs > Application to get the full error message and go from there. Depending on your Orchestrator version (Assuming >2020), you can Filter the Event Sources to IdentityService, Orchestrator, Orchestrator.BusinessException, WebhookService for the sources related to the Orchestrator Installation.

If you can detail the steps you have taken in your setup for Integrating Windows AD with Orchestrator as well as what version of Orchestrator you are using, that would be helpful for others to offer suggestions.

You can also inspect your Browser’s Network traffic to see which call here is failing, I believe it is the /api/DirectoryService/GetDomains endpoint, which you could use to replicate the issue without having to reproduce the steps via the Web UI.

Thank you for the response. I am having trouble finding the error log in the Event Viewer after a failed login. Is it possible you could post some screenshots on how to filter to Orchestrator?

@codemonkee

I am getting the following error in the Event Viewer Logs when I attempt to sign into Orchestrator using Active Directory:

“Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: This app can’t be activated by the Built-in Administrator.”

Any idea why? Thanks

When you are looking in Event Viewer at one of the Logs, on the right-hand side you'll have Filter Current Log.

You can use this to filter as you see fit, but I generally only filter by the mentioned Event Sources in my earlier post.

Another option is to create a Custom View, by Right Clicking on one of the folders. That way you don’t have to filter the logs every time.


Please try to stick to posting an ask once, as I see you opened a new topic specific to the Cortana Error.

It is also helpful, as you ask and resolve each individual problem, to reference the other posts if they are related, so those helping have context for what you have done thus far in your journey to configure Orchestrator.
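As an added example that is not part of the thread, the following PowerShell pulls the same Application-log entries the two replies above describe (filtered to the IdentityService, Orchestrator, Orchestrator.BusinessException and WebhookService sources) without clicking through Event Viewer, and narrows them to directory/Windows-auth failures. The XML query is the same form Event Viewer stores for a Custom View, so it can be pasted into the "XML" tab of Filter Current Log or Create Custom View. The one-hour window and the search strings are assumptions chosen for this run, not values from the page.

```powershell
# Added example (not from the thread): query the local Application log for the
# Orchestrator / Identity Server event sources named above and surface the
# directory (AD/LDAP) failures. Assumed: run on the Orchestrator server as an
# administrator; the 1-hour window and match pattern are arbitrary choices.

# Event Viewer filter XML: provider list plus "last 3600000 ms" (1 hour).
# This is exactly what a Custom View saves, so it can be pasted into the XML tab.
$query = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">
      *[System[Provider[@Name='IdentityService' or @Name='Orchestrator'
                        or @Name='Orchestrator.BusinessException' or @Name='WebhookService']
        and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]
    </Select>
  </Query>
</QueryList>
'@

# -FilterXml is evaluated by the event log service, so it stays fast on a busy log.
$events = Get-WinEvent -FilterXml ([xml]$query) -ErrorAction SilentlyContinue

# Strings taken from the Identity Server exception text posted in this thread.
$pattern = 'DomainUnreachable|Found no directory user|LdapAD|DirectoryService'
$hits = $events | Where-Object { $_.Message -match $pattern } | Sort-Object TimeCreated

if (-not $hits) {
    "No matching Orchestrator/Identity Server events in the last hour. Reproduce the failed sign-in and re-run."
} else {
    # One line per event: when, which source, and the first line of the message.
    $hits | Select-Object TimeCreated, ProviderName, Id, LevelDisplayName,
        @{ n = 'FirstLine'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize

    # Full text (stack trace included) of the most recent hit; this is what to paste into a post.
    ($hits | Select-Object -Last 1).Message
}
```

Run it immediately after a failed Windows sign-in; if nothing matches, widen the `timediff` value or drop the TimeCreated clause before concluding Identity Server logged nothing.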

@codemonkee : Hi, I work with @jpreziuso
This is the error in Event Viewer:
2022-08-17 11:16:34.9961 UiPath.IdentityServer.Web.Application.Services.UserService Found no directory user — in partition 1
DirectoryAdapterExceptionDomainUnreachable at UiPath.IdentityServer.Directory.LdapAD.LdapConnectionCache.GetLdapDomainConfig(LdapConfig config, String domainName)
at UiPath.IdentityServer.Directory.LdapAD.MsLdapDriver.RetryAsync[T](String domainName, Func`2 action)
at UiPath.IdentityServer.Directory.LdapAD.MsLdapDriver.GetEntityWithRetryAsync(String domainName, String ldapFilter, DirectoryEntityType entityType, CancellationToken cancellationToken)
at UiPath.IdentityServer.Directory.LdapAD.LdapADAdapter.ResolveByNameAsync(String entityName, DirectoryEntityType entityType, CancellationToken cancellationToken)
at UiPath.IdentityServer.Web.Application.Services.UserService.ConvertADLoginToDirectoryUserAsync(ExternalLoginInfo info)

==================
Do you think, after configuring the AD authentication from the article: Configuring the Active Directory integration,

should we manually import the AD users?
Also, I guess the following applies: "To integrate with Windows Active Directory (AD) and use Windows Authentication, LDAP port 389 must be accessible on one or more domain controllers in your domain." Do you know how we can check this port availability using cmd?

Importing and “Syncing” of Domain Users and Groups was an aspect of Windows Authentication with Orchestrator 2018 and 2019. With 2020 onwards this has been improved with the implementation of Identity Service and the additional Authentication options you have available to configure.

So first it is not clear to me which method you have configured and whether or not you have configured Orchestrator, Identity Service, or both.

When you log in to Orchestrator and Identity Management, you have two separate layers (sometimes referred to as organizations or Tenants): the HOST Tenant (Host level) and your Tenant(s) (Out-of-Box called Default).

  • HOST Tenant you have the option of configuring [Google, Windows Authentication, Azure AD, SAML 2.0]
  • Other Tenants you have the options of configuring Azure Active Directory

Here you can see what the Login Screen looks like at the Host Level when I have Windows Authentication, SAML and Azure AD, and Basic/Local Auth configured.


Or in the case of a Tenant (Default in this case) with Azure AD configured, it introduces “Enterprise SSO”

The above details are taken from a 2021 installation, so there may be variation if you are on 2022. In addition to that, my main server is still 2020, in which we also need to configure Orchestrator to be able to query Active Directory to map the Authenticated Identity to a User Profile in Orchestrator, as described in https://docs.uipath.com/orchestrator/v2021.4/docs/enabling-windows-authentication (the WindowsAuth.Enabled and WindowsAuth.Domain keys, minus the External Providers on the Identity Management part), so that you can still manually add/manage Domain Users/Groups.

This may or may not be needed depending on your intended configuration and what version of Orchestrator you are using. And if using straight up Windows Authentication, LDAP 389 / LDAPS 636 (the default ports) need to be opened to the Domain Controllers/AD.
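To answer the "how do we check this port availability" question in the way a practitioner would, here is an added PowerShell example (not from the thread or from UiPath): it finds every domain controller through the `_ldap._tcp.dc._msdcs` SRV record, tests TCP 389 and 636 on each as the reply above suggests, and then performs a real LDAP bind. The bind matters because an open port does not prove the DC will accept the identity Orchestrator runs as; the stack trace posted earlier (`LdapConnectionCache.GetLdapDomainConfig` raising `DomainUnreachable`) is a connection-level failure, which this reproduces outside Orchestrator. Assumptions: run on the Orchestrator server as the IIS app-pool account (with `useAppPoolCredentials=true` that is the identity that binds), and `$domain` defaults to the machine's own DNS domain.

```powershell
# Added example (not from the thread): reachability + LDAP bind check against every DC.
# Assumed: executed on the Orchestrator host as the app-pool identity; $domain is the
# AD DNS domain (placeholder default). Requires the RSAT-free built-in cmdlets only.
param([string]$domain = $env:USERDNSDOMAIN)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# Every DC registers this SRV record; it is the same lookup the Windows DC locator uses,
# so these are the DCs Identity Server would actually be handed.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.QueryType -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique

# Step 1: is the port even open from this host (firewall / routing)?
foreach ($dc in $dcs) {
    foreach ($port in 389, 636) {
        $tcp = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Port = $port; TcpOpen = $tcp.TcpTestSucceeded }
    }
}

# Step 2: can the current identity actually bind (Kerberos/NTLM via Negotiate)?
function Test-LdapBind {
    param([string]$Server, [int]$Port, [switch]$Ssl)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate  # current user's token
    $conn.SessionOptions.ProtocolVersion = 3
    if ($Ssl) { $conn.SessionOptions.SecureSocketLayer = $true }             # LDAPS: DC cert chain must validate
    try {
        $conn.Bind()
        [pscustomobject]@{ Server = $Server; Port = $Port; Bind = 'OK'; Error = $null }
    } catch {
        # Typical causes: port filtered (timeout), untrusted LDAPS cert, or the
        # app-pool account cannot authenticate to this DC.
        [pscustomobject]@{ Server = $Server; Port = $Port; Bind = 'FAILED'; Error = $_.Exception.Message }
    } finally { $conn.Dispose() }
}

foreach ($dc in $dcs) {
    Test-LdapBind -Server $dc -Port 389
    Test-LdapBind -Server $dc -Port 636 -Ssl
}
```

If step 1 shows `TcpOpen = False` on every DC for 389, the firewall between the Orchestrator server and the DCs is the problem, not the Orchestrator configuration. If the port is open but the bind fails only when run as the app-pool account, the identity (not the network) is what needs fixing.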

I am receiving the following error in Event Viewer when trying to log into Orchestrator using Windows Active Directory:

UiPath.IdentityServer.Web.Application.Services.UserService Found no directory user — in partition 1
DirectoryAdapterExceptionDomainUnreachable at UiPath.IdentityServer.Directory.LdapAD.LdapConnectionCache.GetLdapDomainConfig(LdapConfig config, String domainName)

Does anybody have a solution for this?

Please provide specifics about your configuration

  • Which Authentication Integration you are using
  • Details on the steps you went through during configuration
  • Steps to replicate it

  1. I am using Windows Authentication integration
  2. I have
    • Configured IIS on the server by enabling Windows Authentication
    • I have configured useAppPoolCredentials to be True for Windows Authentication
    • I have Configured Active Directory in Orchestrator by checking the “Enabled” box
    • I have made sure the defaultPath for httpErrors on the server is unlocked
    • I have ATTEMPTED to change the Config file but I don’t see a parameter for “WindowsAuth.Enabled” or “WindowsAuth.Domain”
  3. I am not sure what you mean by steps to replicate it

Hi @jpreziuso & @Swapnil_Kadam,

Part of this is you haven’t indicated what version of Orchestrator you are using. You need to refer to the documentation for your specific version. After which if you are still having troubles, you need to advise the community of specifics you have configured, and any errors, etc.

You’ve posted a handful of separate topics in the forums, and each one is loosely related but a distinct challenge with its own solution. However, the context between them can be relevant, and not providing that information can make it challenging for others to assist you.

The last error mentioned is

Have you addressed this yet?


The last two posts are out of order; they were identified as a duplicate topic and as such merged in with this topic thread.

As I mentioned in my earlier post, “…The above details are taken from a 2021 installation, so there may be variation if you are on 2022. In addition to that my main server is still 2020…”

So assuming you are using Orchestrator 2022, you can look at the latest documentation and you can see these configuration parameters have been removed

  • Improving the Identity Server - Orchestrator integration has resulted in replacing and removing several parameters in UiPath.Orchestrator.dll.config.
  • we replaced WindowsAuth.GroupMembershipCacheExpireHours with IdentityServer.GroupMembershipCacheExpireHours. Upon upgrading to 2022.4+, WindowsAuth.GroupMembershipCacheExpireHours is removed. To specify the Identity Server group membership cache, use IdentityServer.GroupMembershipCacheExpireHours.
  • we removed the following parameters: ExternalAuth.AzureAD.Enabled, ExternalAuth.AzureAD.ApplicationId, ExternalAuth.AzureAD.RedirectUri, ExternalAuth.Saml2.Enabled, ExternalAuth.UserMappingStrategy, ExternalAuth.UserIdentifierClaim, ExternalAuth.Google.Enabled, ExternalAuth.Google.ClientId, ExternalAuth.Google.ClientSecret, WindowsAuth.Enabled, and WindowsAuth.Domain. You can now configure external identity providers for the host only after installation, from the host Management portal.
  • we also removed the WINDOWS_AUTHENTICATION and DOMAIN command line parameters. You can now enable Active Directory only after installation, from the host Management portal.

I would suggest reading through the documentation about Identity Server and setting up External Authentication
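Since the earlier post reported not finding `WindowsAuth.Enabled` or `WindowsAuth.Domain` in the config file, here is an added PowerShell check (not from the thread or from UiPath) that reads `UiPath.Orchestrator.dll.config` and reports which of the keys listed above are still present after an upgrade, and whether the renamed cache key was carried over. The install path is an assumed placeholder; the key names are the ones quoted in the reply above.

```powershell
# Added example (not from the thread): audit UiPath.Orchestrator.dll.config for the
# keys removed/renamed in 2022.4+. Assumed: default install path below (adjust as needed);
# the file is standard .NET <configuration><appSettings><add key value/> XML.
$configPath = 'C:\Program Files (x86)\UiPath\Orchestrator\UiPath.Orchestrator.dll.config'

# Keys removed in 2022.4+ (these providers are now configured in the host Management portal).
$removed = @(
    'ExternalAuth.AzureAD.Enabled', 'ExternalAuth.AzureAD.ApplicationId', 'ExternalAuth.AzureAD.RedirectUri',
    'ExternalAuth.Saml2.Enabled', 'ExternalAuth.UserMappingStrategy', 'ExternalAuth.UserIdentifierClaim',
    'ExternalAuth.Google.Enabled', 'ExternalAuth.Google.ClientId', 'ExternalAuth.Google.ClientSecret',
    'WindowsAuth.Enabled', 'WindowsAuth.Domain'
)
# Key that was renamed rather than removed.
$renamed = @{ 'WindowsAuth.GroupMembershipCacheExpireHours' = 'IdentityServer.GroupMembershipCacheExpireHours' }

[xml]$cfg = Get-Content -LiteralPath $configPath -Raw
$settings = @{}
foreach ($node in $cfg.configuration.appSettings.add) { $settings[$node.key] = $node.value }

foreach ($k in $removed) {
    if ($settings.ContainsKey($k)) {
        "$k is still present (value '$($settings[$k])'): ignored in 2022.4+; configure this provider in the host Management portal."
    }
}
foreach ($old in $renamed.Keys) {
    $new = $renamed[$old]
    if ($settings.ContainsKey($old) -and -not $settings.ContainsKey($new)) {
        "$old found but $new missing: move the value to $new."
    }
}
if (-not $settings.ContainsKey('WindowsAuth.Enabled')) {
    "WindowsAuth.Enabled is absent, as expected for 2022.4+: enable Active Directory from the host Management portal instead of the config file."
}
```

A leftover `WindowsAuth.*` or `ExternalAuth.*` entry is harmless but misleading when troubleshooting, because editing it does nothing on 2022.4+; the Active Directory integration has to be enabled and configured on the host Management portal.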