Starting a workflow as a different user

Hi
I’m running our unattended robots as services with an Active Directory service account. Some web applications have a login screen but others use the AD account of the logged-in user.

  1. We either give the robot’s service account rights to the web application.
  2. Register multiple robots on Orchestrator, effectively one for each process.
  3. Find a way of running the browser as a particular user, e.g. Start Process “Run as”.

1 - The service account will have too many permissions as it would need the rights of any process at any level on the web application.
2 - We would have to change to concurrent licensing for unattended and the number of processes involved would make it unmanageable to register the same robot for multiple processes.
3 - Is by far the most ideal option but all it seems to do is start up a brief DOS window and close again.

any option 4’s out there?

thanks
Chris

Hey @chrisspring . So what did you decide on? I have a number of cases with different web accounts and some AD bot service accounts accessing files and folders across our network.

I’d like to be able to start/end an impersonation with two invoke code activities and use some UiPath activities in between those two. Wrapped in some sort of scope maybe.

Just curious on if you’d come up with any best practices.

Thanks!

Troy

Hi Troy

No real solution except to force the browser to request AD credentials with a popup and automate that injection of the username and password. Running a RunAs does help as all you will reference is the RunAs container process and not the browser inside. If there was a way to reference the child process that would be ideal.

Thanks Chris.

Yeah that’s pretty much where I’m at. If I run across a good solution for impersonation (esp with AD accounts for me) I’ll post.

Have a good one.

Troy

Your option 3 is the correct approach.
Check out this article for full instructions with screenshot to create a shortcut.
You will need to enter the password manually into the command prompt window at least once, but can add parameters (I think it’s /savecred after the username) to save it for future use.
I’ve used this myself on Internet Explorer previously.
The only difficulty in using UiPath is that you will need to click on the shortcut, or assign it a shortcut key to make sure the correct shortcut is being opened.

I tried that but the problem is when IE loads up you don’t have access to the ui elements. The command prompt is the parent process not IE as the sub process, so the only way to do it this way is to screen scrape IE.

Hi @jfarnden

I’ve used runas for some other processes (e.g. calling a PowerShell script with another user) but, as @chrisspring put it, not quite the same for browser work.

My issue right now is how to run UiPath activities as another user. My current, albeit untested, thought is using something like the SimpleImpersonation NuGet library and calling a separate workflow with desired activities from within the code. Invoke Code with…

> // Types come from the SimpleImpersonation NuGet package (namespace SimpleImpersonation).
> var credentials = new UserCredentials(domain, username, password);
> Impersonation.RunAsUser(credentials, logonType, () =>
> {
>     // do whatever you want as this user.
>     // *** INVOKE WORKFLOW HERE ***
> });

Just need to figure out how to invoke workflow in VB or C# to test.

Any thoughts on this method?

Troy

Update 1) Wonder if it could be this easy? WorkflowInvoker.Invoke

Update 2) Not that easy. Problems when dynamically invoke an activity in Invoke Code

I have managed to use activities like message box in code, but I couldn’t get the invoke workflow to work as there was a null error trying to set up all the pieces.
I’ve attached the sample I was working with if you want to keep trying.
TestActivitiesInInvokeCode.zip (2.2 KB)
I think it’s missing some kind of context variable.
Maybe this is something we could get in a request on the user voice section of the forum for a future release.

As a side option - do you have any spare server VMs you could use and do the second set of tasks using the remote desktop and remote desktop UiPath plugins? Then you could use the remote desktop as the second user. It seems like complete overkill, but if it works for now.
If you have multiple robot server OS VMs you could probably use one of them while a robot is running because it’s a different account connecting.

That would probably work but it does seem like fundamental functionality that should be in UiPath. Potentially having a new robot for each process is a massive support overhead. Either accessing a website as a different AD account or network drives.

Thanks @jfarnden for giving it a shot. That’s about where I am.

I do have additional VMs @chrisspring if needed and have considered running different bots under different accounts but that would be a headache. Some of our automations grab network data from across departments and systems just started insisting we use different bot accounts for each department so being able to invoke a workflow under a different account would be great.

As for now I can impersonate a departmental user and just run everything in code (as opposed to UiPath activities) within the Invoke Code block.

Hard to believe that others aren’t running into this. I must be missing a better way.

Still open to more ideas though. :)

Cheers.

Troy
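
The "impersonate a departmental user and run everything in code" approach described above, as an added example that is not code from any poster in this thread. It calls the Win32 `LogonUser` API directly instead of the SimpleImpersonation library, and the domain, account, share, local folder and `BOT_PASSWORD` variable are placeholder assumptions.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

static class ScopedImpersonation
{
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9; // identity applies to outbound network access only
    const int LOGON32_PROVIDER_WINNT50 = 3;      // provider required for NEW_CREDENTIALS

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Runs 'work' under the given account, then reverts to the robot's own
    // identity, including when 'work' throws.
    public static T RunAs<T>(string domain, string user, string password, Func<T> work)
    {
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out SafeAccessTokenHandle token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        using (token)
            return WindowsIdentity.RunImpersonated(token, work);
    }
}

static class Demo
{
    static void Main()
    {
        // Placeholder values (assumptions). The secret is read at run time
        // rather than being passed on a command line or saved in a shortcut.
        string domain = "EXAMPLE", user = "svc-finance-bot";
        string password = Environment.GetEnvironmentVariable("BOT_PASSWORD") ?? "";
        string share = @"\\fileserver.example\finance\inbox";
        string localDir = @"C:\RobotData\finance";

        // With NEW_CREDENTIALS the password is only checked when the share is
        // contacted, so a wrong password surfaces as an access error in here.
        int copied = ScopedImpersonation.RunAs(domain, user, password, () =>
        {
            int n = 0;
            foreach (string path in Directory.GetFiles(share, "*.csv"))
            {
                File.Copy(path, Path.Combine(localDir, Path.GetFileName(path)), overwrite: true);
                n++;
            }
            return n; // local writes still run with the robot's own rights
        });
        Console.WriteLine($"Copied {copied} file(s)");
    }
}
```

Only the share access inside the lambda uses the departmental account, so each department's account needs rights to its own share and nothing else.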

You could also write a custom activity if you have to do it all in code anyway - which may be a bit cleaner than 300 lines in the Invoke Code activity, and easier to keep versioned.

For the user login, I mean have one robot process running with a service account on a dedicated server machine like normal, then let that robot open up remote desktop from the robot machine to a second machine as the AD user - that way you could technically be any AD user (provided they have remote access permissions enabled). It’s definitely janky, but it might get you through for now.

We have two server VMs and two robots in one environment, but my AD user can still log in to the machines while the robot is using them. The robot uses a service account and the console login, but my remote desktop session uses the normal login and a different AD account. So you could have robot1 on machine1 doing a task, then have robot2 on machine2 remote into machine1 using the specified second (person-specific) AD account and use the remote desktop session to perform the actions as that user - and get all their personalized settings like mapped network drives. You just need to make sure the machine has the remote desktop UiPath extension installed so it will pass back the selectors. I haven’t tried this yet, but in theory it could work.

Thanks for the ideas @jfarnden. The two automations I’m working on now are mainly file operations and should be easy to code. A dozen lines or so. I was mainly thinking of how I want to handle this in the future if I have a larger workflow and, you know, just to learn how.

But you did get me thinking about creating a custom activity.

Thanks again.

Troy

Hi Guys,
Which solution did you finally apply?
One more option is to map network drive during process initialization e.g. using PowerShell or Command Shell
net use X: \\server\share\... /user:anotherUser anotherPwd
then use this drive in the process.

But maybe you’ve found a way to impersonate a single activity or a set of activities?