I have made some progress trying to integrate Windows Active Directory with Orchestrator. Now when I click to sign in using Windows credentials, I receive the following error.
The next step would be to review the logs in the Windows Event Viewer > Windows Logs > Application to get the full error message and go from there. Depending on your Orchestrator version (assuming >2020) you can filter the Event Sources to IdentityService, Orchestrator, Orchestrator.BusinessException, WebhookService for the sources related to the Orchestrator installation.
If you can detail the steps you have taken in your setup for integrating Windows AD with Orchestrator, as well as what version of Orchestrator you are using, that would be helpful for others to offer suggestions.
You can also inspect your Browser’s Network traffic to see which call here is failing, I believe it is the /api/DirectoryService/GetDomains endpoint, which you could use to replicate the issue without having to reproduce the steps via the Web UI.
Thank you for the response. I am having trouble finding the error log in the Event Viewer after a failed login. Is it possible you could post some screenshots on how to filter to Orchestrator?
Please try to stick to posting an ask once, as I see you opened a new topic specific to the Cortana Error.
It is also helpful as you Ask and Resolve each individual problem if they are related to reference the other posts, so those helping have context for what you have done thus far in your journey to configure Orchestrator.
@codemonkee : Hi, I work with @jpreziuso
This is the error in Event Viewer:
2022-08-17 11:16:34.9961 UiPath.IdentityServer.Web.Application.Services.UserService Found no directory user — in partition 1
DirectoryAdapterExceptionDomainUnreachable at UiPath.IdentityServer.Directory.LdapAD.LdapConnectionCache.GetLdapDomainConfig(LdapConfig config, String domainName)
at UiPath.IdentityServer.Directory.LdapAD.MsLdapDriver.RetryAsync[T](String domainName, Func`2 action)
at UiPath.IdentityServer.Directory.LdapAD.MsLdapDriver.GetEntityWithRetryAsync(String domainName, String ldapFilter, DirectoryEntityType entityType, CancellationToken cancellationToken)
at UiPath.IdentityServer.Directory.LdapAD.LdapADAdapter.ResolveByNameAsync(String entityName, DirectoryEntityType entityType, CancellationToken cancellationToken)
at UiPath.IdentityServer.Web.Application.Services.UserService.ConvertADLoginToDirectoryUserAsync(ExternalLoginInfo info)
Should we manually import the AD users?
Also, I guess the “To integrate with Windows Active Directory (AD) and use Windows Authentication, LDAP port 389 must be accessible on one or more domain controllers in your domain.” Do you know how we check this port availability using cmd?
Importing and “Syncing” of Domain Users and Groups was an aspect of Windows Authentication with Orchestrator 2018 and 2019. With 2020 onwards this has been improved with the implementation of Identity Service and the additional Authentication options you have available to configure.
So first it is not clear to me which method you have configured and whether or not you have configured Orchestrator, Identity Service, or both.
When you log in to Orchestrator and Identity Management, you have two separate layers (sometimes referred to as organizations or Tenants): the HOST Tenant (Host level) and your Tenant(s) (out of the box called Default).
At the HOST Tenant you have the option of configuring [Google, Windows Authentication, Azure AD, SAML 2.0].
For other Tenants you have the option of configuring Azure Active Directory.
Here you can see what the Login Screen looks like at the Host Level when I have Windows Authentication, SAML and Azure AD, and Basic/Local Auth configured.
Or in the case of a Tenant (Default in this case) with Azure AD configured, it introduces “Enterprise SSO”
The above details are taken from a 2021 installation, so there may be variation if you are on 2022. In addition to that, my main server is still 2020, in which we also need to configure Orchestrator to be able to query Active Directory to map the Authenticated Identity to a User Profile in Orchestrator, as described in Enabling Windows Authentication (the WindowsAuth.Enabled and WindowsAuth.Domain keys, minus the External Providers on the Identity Management part), so that you can still manually add/manage Domain Users/Groups.
This may or may not be needed depending on your intended configuration and what version of Orchestrator you are using. And if using straight-up Windows Authentication, LDAP 389 / LDAPS 636 (the default ports) need to be opened to the Domain Controllers/AD.
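An added example, not from this thread, of the two checks discussed above: filtering the Application log to the Orchestrator event sources named earlier, and testing LDAP 389 / LDAPS 636 reachability to the domain controllers. The domain name, the 50-event limit and the message filter are assumptions; run it in PowerShell on the Orchestrator server.

```powershell
# Added example (not from the thread). $Domain is a placeholder; replace it with your AD DNS domain.
param([string]$Domain = 'corp.example.com')

# 1. Recent Application-log events from the Orchestrator / Identity Server sources named above,
#    narrowed to the two messages seen in the thread (assumed filter; widen it as needed).
$sources = 'IdentityService', 'Orchestrator', 'Orchestrator.BusinessException', 'WebhookService'
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $sources } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'DomainUnreachable|Found no directory user' } |
    Select-Object TimeCreated, ProviderName, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize

# 2. Domain controllers are published as SRV records under _ldap._tcp.dc._msdcs.<domain>;
#    test TCP 389 (LDAP) and 636 (LDAPS) to each one from this server.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget |
    Sort-Object -Unique

foreach ($dc in $dcs) {
    foreach ($port in 389, 636) {
        $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ DomainController = $dc; Port = $port; Reachable = $r.TcpTestSucceeded }
    }
}
```

A DC showing Reachable = False on 389 matches the DomainUnreachable exception in the trace above and points at firewall or DNS rather than Orchestrator configuration.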
I am receiving the following error in Event Viewer when trying to log into Orchestrator using Windows Active Directory:
UiPath.IdentityServer.Web.Application.Services.UserService Found no directory user — in partition 1
DirectoryAdapterExceptionDomainUnreachable at UiPath.IdentityServer.Directory.LdapAD.LdapConnectionCache.GetLdapDomainConfig(LdapConfig config, String domainName)
Part of this is you haven’t indicated what version of Orchestrator you are using. You need to refer to the documentation for your specific version. After which if you are still having troubles, you need to advise the community of specifics you have configured, and any errors, etc.
You’ve posted a handful of separate topics in the forums; each one is loosely related, but they are distinct challenges and solutions. However, the context between them can be relevant, and not providing the information can make it challenging for others to assist you.
The last error mentioned is
Have you addressed this yet?
The last two posts are out of order, they were identified as a duplicate topic and as such merged in with this topic thread.
As I mentioned in my earlier post, “…The above details are taken from a 2021 installation, so there may be variation if you are on 2022. In addition to that my main server is still 2020…”
So assuming you are using Orchestrator 2022, you can look at the latest documentation and you can see these configuration parameters have been removed:
Improving the Identity Server - Orchestrator integration has resulted in replacing and removing several parameters in UiPath.Orchestrator.dll.config.
* we replaced WindowsAuth.GroupMembershipCacheExpireHours with IdentityServer.GroupMembershipCacheExpireHours. Upon upgrading to 2022.4+, WindowsAuth.GroupMembershipCacheExpireHours is removed. To specify the Identity Server group membership cache, use IdentityServer.GroupMembershipCacheExpireHours.
* we removed the following parameters: ExternalAuth.AzureAD.Enabled, ExternalAuth.AzureAD.ApplicationId, ExternalAuth.AzureAD.RedirectUri, ExternalAuth.Saml2.Enabled, ExternalAuth.UserMappingStrategy, ExternalAuth.UserIdentifierClaim, ExternalAuth.Google.Enabled, ExternalAuth.Google.ClientId, ExternalAuth.Google.ClientSecret, WindowsAuth.Enabled, and WindowsAuth.Domain. You can now configure external identity providers for the host only after installation, from the host Management portal.
* we also removed the WINDOWS_AUTHENTICATION and DOMAIN command line parameters. You can now enable Active Directory only after installation, from the host Management portal.
I would suggest reading through the documentation about Identity Server and setting up External Authentication.