Orchestrator on prem 2021.10 : AD issues

Hello there,

I can’t use my on-prem Orchestrator version 2021.10 (under enterprise licence…) as I can’t join AD for an unknown reason.
The dll.config file was updated as expected (auth part, for the windows.auth.enabled/domain values).

But I can only add local users…
In https://(orchestratorURL)/identity/management/authsettings, I ONLY see Azure Active Directory as an external provider, no Active Directory as I’m supposed to see (described here: Configuring the Active Directory integration).

Does anyone have an idea?
Many thanks in advance,
Regards

I realized I was logging in on the host tenant (but default)… :frowning:
Then I see AD in auth settings, but after entering the data, I end up with “Failed to configure Active Directory. The configuration is invalid…”

If someone knows how to get more debug logs; nothing appears in Event Viewer.

And actually I found this in Event Viewer, but without any indication anywhere on the web:

UiPath.IdentityServer.Web.Middleware.ExceptionHandlingMiddleware Strong authentication is required for this operation.

I’m still on NTLM, if anyone has an idea.

Hi florian, you’ll need to switch from NTLM to Kerberos auth. Full instructions for Windows AD authentication can be found here, definitely worth a look in case you’re missing any other tidbits: Configuring the Active Directory integration


There are two pieces to this:

  1. Configuring Orchestrator with Windows Auth in UiPath.Orchestrator.dll.config with the WindowsAuth.Enabled and WindowsAuth.Domain keys.

    This is what allows you to add directory users or groups.

  2. Configuring Identity Service to configure user authentication (Google, Windows, AzureAD, Saml2), which, as you discovered, is done by logging into the Identity Service using the host tenant.

Each of these is independent of the other at this time. You can configure Orchestrator without Identity and vice versa, or you may choose to use SAML2 instead of WindowsAuth, but to make it worthwhile [imo] as sending Groups via the SAML claims, as an example, is not currently an available feature.

So I would tackle each of these one at a time and not jump back and forth.

For Orchestrator, do you see any errors in Event Logs > Windows Logs > Application filtered for source=Orchestrator?

Can you clarify whether you are talking about Orchestrator / Identity being able to communicate with the Domain Controller / Active Directory, or whether you are speaking of the server itself, i.e. you are unable to join the machine to the domain? If there were troubles joining, discovering, or communicating with the domain, I would expect to see errors/exceptions being thrown by Orchestrator in the above-mentioned logs.
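The two checks in the reply above (the WindowsAuth keys in UiPath.Orchestrator.dll.config, and the Application log filtered on the Orchestrator source) can be scripted on the Orchestrator server. This is an added example, not code from the thread or from UiPath; the install path is an assumption (the default location), and "Orchestrator" as the event source name is taken from the reply above.

```powershell
# Added example, not part of the original thread or of UiPath's product.
# Assumption: default on-prem install path; adjust if Orchestrator lives elsewhere.
$ConfigPath = 'C:\Program Files (x86)\UiPath\Orchestrator\UiPath.Orchestrator.dll.config'

# 1. Read every <add key="..." value="..."/> under <appSettings> into a hashtable.
[xml]$cfg = Get-Content -Path $ConfigPath -Raw
$settings = @{}
foreach ($add in $cfg.configuration.appSettings.add) { $settings[$add.key] = $add.value }

$enabled = $settings['WindowsAuth.Enabled']
$domain  = $settings['WindowsAuth.Domain']
Write-Host "WindowsAuth.Enabled = '$enabled'"
Write-Host "WindowsAuth.Domain  = '$domain'"

if ($enabled -ne 'true') {
    Write-Warning 'WindowsAuth.Enabled is not "true": directory users/groups cannot be added.'
}
if ([string]::IsNullOrWhiteSpace($domain)) {
    Write-Warning 'WindowsAuth.Domain is empty.'
}
elseif (-not (Resolve-DnsName -Name $domain -Type A -ErrorAction SilentlyContinue)) {
    # The domain name must resolve from the Orchestrator box itself, not just from your workstation.
    Write-Warning "Cannot resolve '$domain' from this host; fix DNS before looking further."
}

# 2. Recent errors/warnings from the Orchestrator source in the Application log.
#    Level 2 = Error, 3 = Warning. Get-WinEvent raises a non-terminating error when
#    nothing matches, hence -ErrorAction SilentlyContinue.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Orchestrator'
    Level        = 2, 3
    StartTime    = (Get-Date).AddDays(-1)
}
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host 'No Orchestrator errors/warnings in the last 24h; reproduce the failure, then re-run.'
}
else {
    $events | Select-Object TimeCreated, Id, Message | Format-Table -Wrap -AutoSize
}

# 3. The Identity Service exception quoted earlier in the thread is logged by a different
#    source, so search all Application-log messages for it rather than filtering on source.
Get-WinEvent -LogName Application -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Strong authentication is required' } |
    Select-Object TimeCreated, ProviderName, Id | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the Orchestrator server. If step 1 passes and step 2 is empty, the problem is on the Identity Service / Kerberos side rather than in the dll.config, which is the direction the rest of the thread takes.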

Thanks for your replies.
Actually I don’t see anything in the app log in Event Viewer; I guess I would need to trigger an error to make it appear.
What is confusing to me is that in Identity I can only add a user. I was expecting an “add user from AD” button or something showing that I can search AD. I don’t even know where I can add a user by searching AD like in the previous version, where you just had to type the first letters and the system gave you a list of AD users starting with them, etc.

The server itself can communicate with the domain; no issue looking up users anywhere else on the system. I can resolve the primary controller too.

But there might be something wrong with SPF, as when I try to register Kerberos, I receive access denied results (even if I’m an administrator running the shell as admin).

I’ll try to get in touch with IT to have a look at the services required in AD for my user, and revert back.

But thanks again for your feedback.

Registering SPNs is restricted in many organisations, your Active Directory admins can help you. It’s something I’ve just realised. :roll_eyes:

@codemonkee Tim, is that something which is worth mentioning in the Orchestrator docs?
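The "access denied" when registering Kerberos, and the reply that SPN registration is restricted, come down to where the write actually happens: an SPN is an attribute (servicePrincipalName) on the service account object in Active Directory, so being a local administrator on the Orchestrator server grants nothing there. The script below, an added example that is not from the thread or from UiPath, shows how to query the current state before asking the AD admins for the registration. The hostname, service account and IIS site name are placeholders you must replace.

```powershell
# Added example, not part of the original thread or of UiPath's product.
# Placeholders (assumptions): replace with your own values.
$OrchestratorHost = 'orchestrator.corp.example'   # the FQDN users type in the browser
$ServiceAccount   = 'CORP\svc-orchestrator'       # the IIS app-pool identity (domain account or gMSA)
$SiteName         = 'UiPath Orchestrator'         # the IIS site name

# For HTTP Kerberos the SPN is HTTP/<browser hostname>, on the account that runs the app pool.
$spn = "HTTP/$OrchestratorHost"

# 1. Is this SPN already registered anywhere in the forest? A duplicate on a second
#    account breaks Kerberos for both services, so check before adding.
Write-Host "--- setspn -Q $spn"
& setspn -Q $spn

# 2. What does the service account hold today?
Write-Host "--- setspn -L $ServiceAccount"
& setspn -L $ServiceAccount

# 3. Registration. This writes to the account object in AD and needs write access to its
#    servicePrincipalName attribute (typically a Domain Admin, or a delegated right);
#    local admin on this server is not enough, which is the Access Denied seen in the thread.
#    -S refuses to add a duplicate. Left commented out: run it as, or hand it to, an AD admin.
# & setspn -S $spn $ServiceAccount

# 4. IIS side: with a domain service account as the app-pool identity, IIS must be told to
#    decrypt tickets with that account's key, otherwise Negotiate silently falls back to NTLM.
Import-Module WebAdministration
$useAppPoolCreds = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name 'useAppPoolCredentials'
Write-Host "useAppPoolCredentials = $($useAppPoolCreds.Value)"
if (-not $useAppPoolCreds.Value) {
    Write-Warning 'useAppPoolCredentials is false; set it to true for a domain app-pool identity.'
}

# 5. After the SPN exists, open the Orchestrator URL in a browser on a domain-joined client,
#    then confirm the client received a Kerberos ticket for it rather than using NTLM.
klist | Select-String -Pattern $OrchestratorHost -Context 0, 3
```

If step 1 reports the SPN on some other account, that is the first thing to fix; if step 5 shows no ticket for the host even after registration, the browser most likely treated the site as outside the intranet zone and never tried Negotiate.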
