Unable to use Windows AD Authentication with LDAP

Hello!

I deployed Automation Suite into one of our test labs.

Automation Suite and its features all seem to be functioning correctly. ArgoCD states all applications are healthy.

The issue arises when attempting to log in as a Windows AD user.

The test domain has been in place, and authentication has been working as expected when using Orchestrator on a Windows Server.

Now with Automation Suite, with the Windows AD settings configured to use either unencrypted LDAP or LDAP with SSL, the authentication fails with the following error:
{"StatusCode":500,"StatusDescription":"InternalServerError","Message":"GSSAPI operation failed with error - Unspecified GSS failure. Minor code may provide more information (Keytab FILE:/UiPath/krb5/krb5.keytab is nonexistent or empty)."}

When connecting to AD, users can be imported from AD along with AD groups.

I was under the impression the keytab file is only required for Kerberos Authentication, which we are not implementing, as the domain is isolated, and workstations are not joined to that test domain.

Upon changing the AD integration the identity-service-api gets restarted.

Any additional troubleshooting steps would be great.

Output from the identity-service-api pod is as follows:
2023-02-15 17:40:58.6272 Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler An exception occurred while processing the authentication request.
GssApiExceptionGSSAPI operation failed with error - Unspecified GSS failure. Minor code may provide more information (Keytab FILE:/UiPath/krb5/krb5.keytab is nonexistent or empty). at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler.HandleRequestAsync()
2023-02-15 17:40:58.6275 UiPath.IdentityServer.Web.Startup Windows authentication failed with exception.
GssApiExceptionGSSAPI operation failed with error - Unspecified GSS failure. Minor code may provide more information (Keytab FILE:/UiPath/krb5/krb5.keytab is nonexistent or empty). at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler.HandleRequestAsync()
2023-02-15 17:40:58.6275 UiPath.IdentityServer.Web.Middleware.ExceptionHandlingMiddleware GSSAPI operation failed with error - Unspecified GSS failure. Minor code may provide more information (Keytab FILE:/UiPath/krb5/krb5.keytab is nonexistent or empty).
GssApiExceptionGSSAPI operation failed with error - Unspecified GSS failure. Minor code may provide more information (Keytab FILE:/UiPath/krb5/krb5.keytab is nonexistent or empty). at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler.HandleRequestAsync()

@Aaron_Tennant if you want to use Windows AD Authentication you must use Kerberos. That is why you are getting the error message about the keytab file. This link explains it the best.

| External Provider | Authentication Integration | Directory Search | Administrators Provisioning |
|---|---|---|---|
| Active Directory and Windows Authentication | Administrators can use SSO with Windows Authentication using the Kerberos protocol | Administrators can search for users from the Active Directory | For a user to be able to login, either the user or a group that the user is a member of should already be added to Automation Suite. Active Directory users and groups are available in Automation Suite through directory search. |
| Azure Active Directory | Administrators can use SSO with Azure AD using the OpenID Connect protocol | Not supported | Users must be manually provisioned into the Automation Suite organization with an email address matching their Azure AD account. |
| Google | Users can use SSO with Google using the OpenID Connect protocol | Not supported | Users must be manually provisioned into the Automation Suite organization with an email address matching their Google account. |
| SAML 2.0 | Users can use SSO with any Identity Provider that supports SAML | Not supported | Users must be manually provisioned into the Automation Suite organization with a username/email/external provider key (as configured in their external identity provider configuration) matching their SAML account. |
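Since the Kerberos path needs the keytab the error message names, an added pre-flight check (example shell written for this page, not UiPath's or the thread's code) that can be run on the node before restarting identity-service-api. It assumes the path /UiPath/krb5/krb5.keytab quoted in the error, and that klist, if present, is the MIT Kerberos utility; the structural check itself needs no KDC.

```shell
#!/bin/sh
# Added example, not UiPath code: pre-flight check for the keytab that
# identity-service-api opens when Windows (Kerberos) authentication is enabled.
# Usage: sh check_keytab.sh /UiPath/krb5/krb5.keytab   (path taken from the error)

# Structural check that needs no KDC: the file must exist, be non-empty and
# start with the MIT keytab magic bytes 0x05 0x01 (v1) or 0x05 0x02 (v2).
check_keytab_file() {
    kt="$1"
    if [ ! -e "$kt" ]; then
        echo "FAIL: keytab $kt does not exist" >&2
        return 1
    fi
    if [ ! -s "$kt" ]; then
        echo "FAIL: keytab $kt is empty" >&2
        return 1
    fi
    # Read the first two bytes as hex, e.g. "0502".
    magic=$(dd if="$kt" bs=1 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        0501|0502) ;;
        *)
            echo "FAIL: $kt does not start with a keytab header (got 0x$magic)" >&2
            return 1
            ;;
    esac
    # A keytab is a credential: warn if anyone other than the owner can read it.
    if [ -n "$(find "$kt" -perm -o+r 2>/dev/null)" ]; then
        echo "WARN: $kt is world-readable; restrict it to the service account" >&2
    fi
    echo "OK: $kt exists, is non-empty and carries keytab header 0x$magic"
    return 0
}

# Optional: list the principals (SPNs) stored in the keytab with MIT klist,
# which is what the GSSAPI layer ultimately needs to find a matching key.
list_keytab_principals() {
    kt="$1"
    if ! command -v klist >/dev/null 2>&1; then
        echo "SKIP: klist not installed, cannot list principals" >&2
        return 0
    fi
    klist -kt "$kt"
}

if [ $# -gt 0 ]; then
    check_keytab_file "$1" && list_keytab_principals "$1"
fi
```

If the structural check passes but klist shows no principal for the service, the keytab was generated for the wrong account or SPN; if it fails with "does not exist", the file simply was not placed at the path the pod expects.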

Hi @Aaron_Tennant,
Did you find any solution for this issue, as I am facing the same issue?

Hello Mahmoud,

I ditched trying to use LDAP and went with the Kerberos setup.

Aaron