Automation Suite on Linux installation guide
Setting up Kerberos authentication
Prerequisites
To successfully set up Kerberos authentication, you must meet the following prerequisites:
- Ensuring the Automation Suite cluster can access your AD
- Configuring the AD service account for Kerberos authentication
- Optional: SQL authentication prerequisites
Ensuring the Automation Suite cluster can access your AD
Before you can configure Kerberos authentication, work with your IT administrators to ensure the Automation Suite cluster can access your AD.
The following requirements must be met:
- Automation Suite cluster must be on the same network as the AD domain;
- DNS must be set up correctly on the network so that the Automation Suite cluster can resolve the AD domain names.
Note:
It is critical that the Automation Suite cluster can resolve the AD domain names. You can verify this by running nslookup <AD domain name> on the host machine.
Configuring the AD service account for Kerberos authentication
Generating Kerberos default keytab and username parameters
Option 1: By running the script (recommended)
- Log in with your AD administrator account on a Windows domain-joined machine.
- Run the keytab-creator.ps1 script as administrator.
- Input the following values to the script:
  - Service Fabric FQDN. For example, uipath-34i5ui35f.westeurope.cloudapp.azure.com.
  - AD domain FQDN. For example, TESTDOMAIN.LOCAL.
  - An AD user account. You can use an existing account, such as sAMAccountName, or you can allow the script to create a new one.
The output file contains the <KERB_DEFAULT_USERNAME> and <KERB_DEFAULT_KEYTAB> parameters required by the Kerberos setup.
Option 2: Manually
Reach out to your AD administrator for an AD user account, and retrieve the <KERB_DEFAULT_USERNAME> and <KERB_DEFAULT_KEYTAB> for that account as follows:
1. In your AD Server, create a new user account. If you already have one, skip to step 2.
   - In the Active Directory Users and Computers console, right-click the Users folder, select New, and then select User.
   - Finish creating the user account.
2. Right-click the user account and select Properties.
3. Go to the Account tab, then under Account options, select This account supports Kerberos AES 256 bit encryption.
4. Important: The keytab generated in the next steps will become invalid if the AD user's password is expired or updated. Consider checking Password never expires under Account options for this AD user account. Alternatively, you can update the password when it is about to expire and generate a new keytab.
5. To generate a keytab file for the SPN, open PowerShell with admin access and execute the following command:

       ktpass -princ HTTP/<Service Fabric FQDN>@<AD FQDN in cap> -pass <AD user's password> -mapuser <AD NetBIOS name in cap>\<AD user name> -pType KRB5_NT_PRINCIPAL -out <output file path> -crypto AES256-SHA1

   Some fields must be specified in uppercase. For example:

       ktpass -princ HTTP/uipath-34i5ui35f.westeurope.cloudapp.azure.com@TESTDOMAIN.LOCAL -pass pwd123 -mapuser TESTDOMAIN\aduser -pType KRB5_NT_PRINCIPAL -out c:\krb5.keytab -crypto AES256-SHA1 -setpass

   Note: To update the keytab for Automation Suite, run the command with the -setpass option. The first time you generate the keytab, you must run the command as a domain administrator. This is required because the command updates the service account's SPN. For later updates, you can run the command as the domain user if the SPN mapping hasn't changed.

   After the keytab generation, the user logon name changes to HTTP/<Service Fabric FQDN>. Use this value as <KERB_DEFAULT_USERNAME>, that is, the default_ad_username field in cluster_config.json, as follows:

       "kerberos_auth_config": {
         "enabled": true,
         "ticket_lifetime_in_hour": 8,
         "ad_domain": "AUTOSUITEAD.LOCAL",
         "default_ad_username": "HTTP/sfqakxxxx-ea.infra.uipath-dev.com",
         "default_user_keytab": "BQIAAAB9AAIxxxxxxxxxxxxxxxxxxGRCqh+yQ=",
         "enable_integrated_sql_auth": true
       },

   Note: The enable_integrated_sql_auth parameter is set to true by default. If you want to disable Kerberos authentication for SQL for all products, you must set the parameter to false.
6. To encode the generated keytab file in Base64, open PowerShell and execute the following command:

       [Convert]::ToBase64String([System.IO.File]::ReadAllBytes("<path to the generated keytab file>"))

7. Save the encoded keytab file. You will use it when configuring the UiPath® cluster for Kerberos. Let's call the value from step 6 <KERB_DEFAULT_KEYTAB>.
Optional: SQL authentication prerequisites
To configure the UiPath® cluster to connect to SQL using Windows integrated authentication/Kerberos, you need to perform a few additional steps:
- the SQL server must join the AD domain;
- the Automation Suite cluster must be on the same network as the SQL Server;
- the Automation Suite cluster can resolve the AD and SQL servers' domain names;
- the AD user must have access to SQL server and DB permissions.
To create a new login in SQL Server Management Studio, take the following steps:
a. In the Object Explorer panel, navigate to Security > Logins.
b. Right-click the Logins folder and select New Login. The Login - New window is displayed.
c. Select the Windows Authentication option. The window is updated accordingly.

d. In the Login name field, type the user domain you want to use as a service account.
e. From the Default Language list, select English.
Ensure that the Default Language is set to English. If it isn't, the website cannot start, and the Event Viewer on the computer on which Orchestrator is installed displays the following error message: "The conversion of a varchar data type to a datetime data type resulted in an out of range value".
f. Select OK. Your configurations are saved.
If the service account has already been created and added to the Security > Logins section of the SQL Server, please check whether the Default Language of that SQL account is set to English. If it isn't, please make the necessary adjustments.
You need to provide the user connecting to the SQL database with the db_owner user mapping role, as in the following screenshot.

If security restrictions do not allow you to use the db_owner user mapping role with the UiPath® login, grant the following permissions:
- db_datareader
- db_datawriter
- db_ddladmin
- EXECUTE permission on dbo schema
The EXECUTE permission has to be granted by using the GRANT EXECUTE SQL command, as follows:
USE UiPath
GO
GRANT EXECUTE ON SCHEMA::dbo TO [domain\user]
GO
If you want UiPath® applications to use unique AD user accounts to connect to SQL using Integrated Security=True, you need to create a unique keytab for each UiPath® application, as follows. This will be referred to as <KERB_APP_KEYTAB> for that application.
Generating Kerberos application keytab and username parameters
Option 1: By running the script (recommended)
- Run the service-keytab-creator.ps1 script.
- Input the following values to the script:
  - AD domain FQDN. For example, TESTDOMAIN.LOCAL.
  - The username and password of an AD user account. For example, the AD user account sAMAccountName and its password.
The output file contains the <KERB_APP_USERNAME> and <KERB_APP_KEYTAB> parameters required by Kerberos.
Option 2: Manually
Run the following script manually:
# Generate keytab file and output it in the desired path
ktpass /princ <AD username>@<AD domain in cap> /pass <AD user password> /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /out <path to keytab file> -setpass
# Converts AD user's keytab file to base 64
[Convert]::ToBase64String([System.IO.File]::ReadAllBytes("<path to the generated keytab file>"))
The value <AD username> will be the <KERB_APP_USERNAME> corresponding to the <KERB_APP_KEYTAB>.
Configuring Automation Suite as a Kerberos client
This section explains how you can configure Automation Suite as a Kerberos client for LDAP or SQL access.
With <KERB_DEFAULT_KEYTAB>, configure Automation Suite as a Kerberos client in one of the following ways:
- Configuring Kerberos authentication via the interactive installer
- Configuring Kerberos authentication via cluster_config.json
Note:
Currently, we allow independent configuration of only user authentication by setting kerberos_auth_config.enabled to true and kerberos_auth_config.enable_integrated_sql_auth to false. Independent SQL authentication is still not supported.
Configuring Kerberos authentication via the interactive installer
- When running the Automation Suite installer, specify that you want to enable Kerberos Auth in the Deployment configuration:

      ===============================================================================
      Deployment configuration
      ===============================================================================
      Are you performing an evaluation/development/test/demo or a production deployment?
      [1] Production deployment (multi-node)
      [2] Evaluation/development/test/demo deployment (single-node)
      Enter your choice [2]: 2
      Will your deployment have access to Internet (online) or is it physically isolated from unsecured networks (air-gapped)?
      [1] Online
      [2] Air-gapped
      Enter your choice [1]: 1
      Enter the Automation Suite FQDN []: sfdev1868610-d053997f-lb.eastus.cloudapp.azure.com
      Would you like to enable Kerberos Auth? This will be used to connect to SQL Databases and Active Directory Lightweight Directory Adaptor if configured.
      [1] Yes
      [2] No
      Enter your choice [2]: 1

- Provide the input parameters for Kerberos Auth:

  Note: This is the default Kerberos auth setting for all the services. If you want to set up a different AD user per service, you can specify the values in the service-specific JSON object at a later step during installation.

      Specify the Active Directory domain for Kerberos Auth []:
      Specify the Ticket Granting Ticket lifetime (TGT) in hours between 8 and 168 for Kerberos Auth [8]:
      Specify the default Active Directory username for Kerberos Auth []:
      Specify the default Active Directory user's keytab for Kerberos Auth []:
      Specify the SQL server FQDN []:
      Specify the SQL server connection PORT [1433]:

  Note: The AD domain controller has the Maximum lifetime for user ticket Kerberos setting inside the Default Domain Policy. Make sure the ticket lifetime configured here is not longer than the server-side setting. You must generate the keytab file (<KERB_DEFAULT_KEYTAB>) as described in the Prerequisites section and provide the base64 encoded value to the installer. Then, you must provide <KERB_DEFAULT_USERNAME> as a value for Active Directory username to the installer.

- Complete the rest of the installation experience as shown in the following example:

      Would you like the databases to be automatically provisioned for all the products you've selected?
      [1] Yes
      [2] No
      Enter your choice [1]: 1
      The following databases will be provisioned automatically:
      - Shared suite capabilities: AutomationSuite_Platform
      - Orchestrator: AutomationSuite_Orchestrator
      - Test Manager: AutomationSuite_Test_Manager
      - Insights: AutomationSuite_Insights
      - Automation Hub: AutomationSuite_Automation_Hub
      - Automation Ops: AutomationSuite_Automation_Ops
      - AI Center: AutomationSuite_AICenter
      - Document understanding: AutomationSuite_DU_Datamanager
      ===============================================================================
      Current config values
      ===============================================================================
      Multi node: false
      Airgapped: false
      Automation Suite FQDN: sfdev1868610-d053997f-lb.eastus.cloudapp.azure.com
      Sql server FQDN: sfdev1868610-d053997f-sql.database.windows.net
      Sql port: 1433
      Sql username:
      Sql password:
      Create sql databases: true
      Kerberos Auth enabled: true
      Kerberos Auth Active Directory domain: abcd.com
      Kerberos Auth TGT lifetime in hours: 8
      Kerberos Auth default Active Directory username: ad_user
      Kerberos Auth default user's keytab: XXXXXXXXX
      The cluster configuration file was generated at /tmp/UiPathAutomationSuite/cluster_config.json:
      [1] Continue installing with the default config
      [2] Edit the config
      [3] Go to the main menu
      For advanced settings, quit now and manually edit the config file. Once the configuration file is updated, run the deployment wizard again and follow the instructions.

- Optional: you can edit the configuration:

      ===============================================================================
      Choose what setting you want to edit
      ===============================================================================
      [1] Multi node: false
      [2] Airgapped: false
      [3] Automation Suite FQDN: sfdev1868610-d053997f-lb.eastus.cloudapp.azure.com
      [4] Sql server FQDN: sfdev1868610-d053997f-sql.database.windows.net
      [5] Sql port: 1433
      [6] Sql username:
      [7] Sql password:
      [8] Create sql databases: true
      [9] Kerberos Auth enabled: true
      [10] Kerberos Auth Active Directory domain: abcd.com
      [11] Kerberos Auth TGT lifetime in hours
      [12] Kerberos Auth default Active Directory username: ad_user
      [13] Kerberos Auth default user's keytab: XXXXXXXXX

Configuring Kerberos authentication via cluster_config.json
- In the cluster_config.json file, set the kerberos_auth_config.enabled parameter to true.
- If you want to use Kerberos for SQL access, configure the sql_connection_string_template, sql_connection_string_template_jdbc, and sql_connection_string_template_odbc with the Integrated Security flag.

  Note: Kerberos authentication is not supported exclusively for SQL. To activate Kerberos with SQL authentication, you must enable kerberos_auth_config. This also adds user authentication.

- If you want to set up a different AD user per service, take the following steps:
  - Specify the ad_username and user_keytab in the JSON object of the service group.
  - Update the SQL connection string for the service to enable integrated security.
  - The enabled parameter is set to true by default when Kerberos authentication is enabled at global level. If you want to disable Kerberos authentication for SQL for a specific product, you must set enabled to false.

    The JSON object should be as follows:

        "<serviceGroupName>": {
          "kerberos_auth_config": {
            "ad_username": "PLACEHOLDER - INSERT KERB_APP_USERNAME for this service group",
            "user_keytab": "PLACEHOLDER - INSERT KERB_APP_KEYTAB for this service group",
            "enabled": true
          }
        }

    Note: For the list of service group names, see Service groups and services.

- After updating the cluster_config.json, run the installer script to update the configuration. For details, see Managing products.
You can use this procedure to update or rotate the Kerberos keytab.
Sample of updating Orchestrator and the platform to use Kerberos authentication
```json
"kerberos_auth_config": {
  "enabled": true,
  "ticket_lifetime_in_hour": 8,
  "ad_domain": "PLACEHOLDER - INSERT ACTIVE DIRECTORY DOMAIN",
  "default_ad_username": "PLACEHOLDER - INSERT KERB_DEFAULT_USERNAME",
  "default_user_keytab": "PLACEHOLDER - INSERT KERB_DEFAULT_KEYTAB",
  "enable_integrated_sql_auth": true
},
"sql_connection_string_template": "PLACEHOLDER",
"sql_connection_string_template_jdbc": "PLACEHOLDER",
"sql_connection_string_template_odbc": "PLACEHOLDER",
"orchestrator": {
  "sql_connection_str": "Server=tcp:sfdev1804627-c83f074b-sql.database.windows.net,1433;Initial Catalog=AutomationSuite_Orchestrator;Persist Security Info=False;Integrated Security=true;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;Max Pool Size=100;",
  "kerberos_auth_config": {
    "ad_username": "PLACEHOLDER - INSERT KERB_APP_USERNAME for Orchestrator",
    "user_keytab": "PLACEHOLDER - INSERT KERB_APP_KEYTAB for Orchestrator",
    "enabled": true
  },
  "testautomation": {
    "enabled": true
  },
  "updateserver": {
    "enabled": true
  }
},
"platform": {
  "sql_connection_str": "Server=tcp:sfdev1804627-c83f074b-sql.database.windows.net,1433;Initial Catalog=AutomationSuite_Platform;Persist Security Info=False;Integrated Security=true;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;Max Pool Size=100;",
  "kerberos_auth_config": {
    "ad_username": "PLACEHOLDER - INSERT KERB_APP_USERNAME for platform",
    "user_keytab": "PLACEHOLDER - INSERT KERB_APP_KEYTAB for platform",
    "enabled": true
  }
}
```
The enable_integrated_sql_auth parameter is set to true by default. If you want to disable Kerberos authentication for SQL for all products, you must set this parameter to false.
Service groups and services
The following table lists the available service groups and the services that they include. The names differ slightly between the cluster_config.json file and the ArgoCD UI.
| Service group name for cluster_config.json | Service group name for ArgoCD | Included services |
|---|---|---|
| orchestrator | orchestrator | Orchestrator, Webhooks |
| platform | platform | Identity, License Accountant (LA), Audit, Location, License Resource Manager (LRM), Organization Management Service (OMS) |
| discovery_group | discoverygroup | Automation Hub, Task Mining |
| test_manager | testmanager | Test Manager |
| automation_ops | automationops | Automation Ops |
| aicenter | aicenter | AI Center |
| documentunderstanding | documentunderstanding | Document Understanding |
| insights | insights | Insights |
| dataservice | dataservice | Data Service |
| asrobots | asrobots | Automation Suite Robots |
| processmining | processmining | Process Mining |
Configuring the Active Directory integration
For Kerberos authentication to be used when logging in to Automation Suite, you must further configure Automation Suite host settings.
Disabling Kerberos authentication
Removing Kerberos authentication completely
To remove Kerberos authentication completely, take the following steps:
- If you used Kerberos to configure AD integration, reconfigure AD with the username and password option by following the instructions in Configuring the Active Directory integration.
- If you used SQL integrated authentication, configure the SQL connection strings to use User Id and Password.
- Disable Kerberos authentication. In the cluster_config.json file, set the kerberos_auth_config.enabled parameter to false, then run the installer script to update the configuration. For details, see Managing products.
Removing SQL integrated authentication
To remove SQL integrated authentication, take the following steps:
- Configure the SQL connection strings to use User Id and Password.
- If you want to disable SQL integrated authentication for all the services, in the cluster_config.json file, set the kerberos_auth_config.enabled parameter to false and then run the installer script to update the configuration. For details, see Managing products.
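A lint pass over a parsed cluster_config.json covering both procedures above (enabling Kerberos per service group, and removing SQL integrated authentication). This is an added example, not UiPath tooling: `lint_kerberos`, `parse_conn_str` and the sample values are hypothetical, only the .NET-style `sql_connection_str` is checked, and it assumes a group without its own AD user falls back to the global defaults.

```python
# Names from the "Service group name for cluster_config.json" column.
SERVICE_GROUPS = {"orchestrator", "platform", "discovery_group", "test_manager",
                  "automation_ops", "aicenter", "documentunderstanding",
                  "insights", "dataservice", "asrobots", "processmining"}

def parse_conn_str(s):
    """Split a .NET-style connection string into a dict with lowercase keys."""
    pairs = (p.split("=", 1) for p in s.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lint_kerberos(cfg):
    """List places where the Kerberos flags and sql_connection_str disagree."""
    out = []
    top = cfg.get("kerberos_auth_config", {})
    # Per the text, enable_integrated_sql_auth defaults to true.
    sql_on = top.get("enabled", False) and top.get("enable_integrated_sql_auth", True)
    for name, group in cfg.items():
        if name == "kerberos_auth_config" or not isinstance(group, dict):
            continue
        svc = group.get("kerberos_auth_config") or {}
        if name not in SERVICE_GROUPS:
            if svc:  # e.g. the ArgoCD spelling used in cluster_config.json
                out.append(f"{name}: unknown service group name")
            continue
        # Per-group "enabled" defaults to true when Kerberos is on globally.
        integrated = bool(sql_on and svc.get("enabled", True))
        if integrated:  # assumption: fall back to default_ad_username/default_user_keytab
            for key in ("ad_username", "user_keytab"):
                val = svc.get(key) or top.get("default_" + key) or ""
                if not val or val.startswith("PLACEHOLDER"):
                    out.append(f"{name}: {key} unset or placeholder")
        kv = parse_conn_str(group.get("sql_connection_str", ""))
        if not kv:
            continue  # no per-group string to check
        flag = kv.get("integrated security", "").lower() in ("true", "sspi", "yes")
        if integrated != flag:
            out.append(f"{name}: Integrated Security is {'set' if flag else 'not set'}"
                       f" but Kerberos SQL auth is {'on' if integrated else 'off'}")
        if not integrated and not ("user id" in kv and "password" in kv):
            out.append(f"{name}: needs User Id and Password")
    return out

# Constructed sample: platform opted out but still uses Integrated Security.
SAMPLE = {
    "kerberos_auth_config": {"enabled": True, "default_ad_username": "svc_default", "default_user_keytab": "QUJD"},
    "orchestrator": {"sql_connection_str": "Server=sql.example.test;Integrated Security=true;"},
    "platform": {"kerberos_auth_config": {"enabled": False},
                 "sql_connection_str": "Server=sql.example.test;Integrated Security=true;"}}

if __name__ == "__main__":
    print("\n".join(lint_kerberos(SAMPLE)))
```

Running it before the installer script catches a group whose connection string was not switched when its Kerberos setting changed.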
Kerberos troubleshooting
If you encounter any issues while configuring Kerberos, see Authentication troubleshooting.