Configure the Control Room to authenticate users using Active Directory by enabling the Control Room to discover and list domains and sites in your organization.

Note: Active Directory integration is irreversible and you cannot modify the configuration after it has been established.
um-properties file is a configuration file that is used in the Control Room. It plays an important role in defining various properties and settings related to user management and LDAP configurations. Review the following table to understand the configurable entries in the um-properties file:
Entry Descriptions
um.ad.max.gc.url.per.forest=10 Number of GC URLs per forest to be collected, defaults to 10
um.ad.max.kdc.per.domain=3 Number of KDC servers to be allowed per domain, defaults to 3
um.ad.max.retry.count=2 Request will be retried for x number of times, defaults to 2
um.ad.retry.delay.milliseconds=500 Request will be retried in x milliseconds, defaults to 500 milliseconds
um.ad.retry.max.delay.milliseconds=5000 Request will be retried not later than x milliseconds, defaults to 5000 milliseconds
um.ad.krb5.cr.retries=1 This will force CR to re-authenticate to the AD in case of authentication failed; it defaults to 1, can be adjusted to 2 or 3 in that case
um.ldap.connect.timeout.milliseconds=2000 Connect timeout, defaults to 2000 milliseconds
um.ldap.kdcs='' If the various Key Distribution Center (KDC) are defined in the entry, it will over-writes the ones found by the auto-discovery process. This creates a safety net for customers to have the capability to overwrite any KDCs. When this entry is defined, all the domains with corresponding KDCs must be defined here.

It defaults to empty

For example, if the AD environment has total 3 domains, domain1.com, domain2.com and domain3.com, the entry will look like the following :
um.ldap.kdcs='domain1.com:host1.domain1.com:host2.domain1.com,domain2.com:host1.domain2.com:host2.domain2.com',domain3.com:host1.domain3.com'
um.ldap.read.timeout.milliseconds=10000 Read timeout, defaults to 10000 milliseconds
um.ad.total.db.user.per.retrieval=1000 This is for user role batch sync, it loads up the x number of users from the DB per retrieval.
um.ldap.groupmapping.domain.filter='' Defaults to the Users groups if this line is not defined.
um.ldap.groupmapping.sync.on.get.mappings=false It defaults to false so that mapping list will not be validated when displaying the list of mappings on the UI. Setting it to true; reverses the behaviors as before to validate the mapping list whenever a get mappings call is made which might degrade the performance.

To configure the Control Room when you start it for the first time, do the following:

Procedure

  1. Double-click the Automation Anywhere Control Room icon on your desktop.

    The Configure Control Room settings page appears.

  2. Type the repository path.
    This is the location where the uploaded automation files, for example, IQ Bots, and Task Bots are stored. For example, C:\ProgramData\AutomationAnywhere\Server Files.
  3. Enter the access URL.
    This is the URL for accessing your installation of Control Room.
  4. Click Save and continue.
    Important: The back button of your web browser is automatically disabled after you click Save and continue. This ensures that the Credential Vault Master Key that generates matches the repository path and Control Room access URL.

    To return to the Configure Control Room settings page, press Ctrl plus F5 and restart.

    The Credential Vault settings page appears.
  5. Select from the following options:
    • Express mode: The system stores your Master Key to connect to the Credential Vault. This option is not recommended for a production environment.
    • Manual mode: You store the Master Key on your own, and then provide the Master Key when the Credential Vault is locked. Users use the Master Key to connect to the Credential Vault to secure their credentials and access them when creating and running Task Bots.
      Important: If you lose the Master Key, you will not be able to access the Control Room.
  6. Click Save and continue.
    Important: The back button of the web browser is automatically disabled after you click Save and continue. No further changes to the Control Room configuration or Credential Vault settings are allowed.

    To make changes, reinstall the Control Room.

    The Authentication type for Control Room users page appears.
  7. Select Active Directory.
    Automation Anywhere supports Active Directory multi-forest authentication for the Control Room. Before providing the authentication type, ensure the following:
    • For one-way trust between forests:
      • The Bot Agent devices are in one or more forests and the Control Room is in a different forest, theControl Room must be in the trusting forest.
      • Set up trust between the forest that contains the Control Room and each of the forests containing the Bot Agent devices.
      • Domains containing Bot Agent devices and the Control Room must be configured with two-way trust between the domains.
    • For two-way trust between forests:
      • In the scenario where the Bot Agent devices are in one or more forests and the Control Room is in a different forest, all forests containing Bot Agent device and the Control Room are configured with two-way trust between forests.
      • Set up trust between all forests containing the Control Room and the Bot Agent devices.
      • Domains containing Bot Agent devices and the Control Room must be configured with two-way trust between the domains.
    • The root certificate of the LDAP server is imported using the provided CertMgr tool via command.
    • The provided LDAP URLs per forest cannot be behind a load balancer. Also, all LDAP URLs must point to the root (main) domain controllers.
    • The node that runs the Control Room is in the same domain network where the Active Directory runs.
    • The user is in the parent domain and the URL points to the parent.

      This ensures that when there are two or more forests, and one of the forest has a sub-domain with a different name space, a user from the other forests does not have permission to access that sub-domain.

  8. Type the Domain username.
    Ensure you use the User Principal Name (UPN) in the username@domain.com format.
    The username you enter is for a user who has access to all domains using the same credentials.
  9. Type the Domain password.
    This user is not expected to use the Control Room. Although you have an option to update the password, use an Account with the password never expires option. If it expires, it can be updated but with some downtime.
  10. Click Discover connections.
    All discovered Active Directory domains with one or more sites per domain are shown.
    By default, all domains and sites are selected. If only one domain and one site under it is discovered, then it is shown in read-only mode and cannot be edited.
    You can configure the maximum number of sites per domain that can be discovered across multiple domains by adding the following property in the um.properties file saved in <installation path>/config:

    um.ldap.auto.discovery.find.max.sites=<number of sites>

    For example, you can configure auto-discovery for a maximum of 15 sites per domain by adding the entry um.ldap.auto.discovery.find.max.sites=15 in the um.properties file. This means that for every domain that you have, a maximum of 15 associated sites can be discovered per domain.

    Note: If this property is not configured, by default, 10 sites per domain will be discovered.
  11. Select the domains and sites to use for authentication.

    Select the domains and sites to use for authentication. Select a minimum of one site for each domain that is selected

  12. Click Test connections to register the sites to use for authentication.
  13. Click Check connection.

    If Control Room is unable to connect to the Active Directory database, an error message appears.

  14. Click Next.
    The Control Room first administrator page appears.
  15. Select the Active Directory domain from the drop-down list and type the Control Room administrator username.
  16. Click Check name in Active Directory.
    If the username is in the Active Directory the following user details are shown:
    • First name
    • Last name
    • Email

    You can edit these pre-populated fields.

  17. Click Save and log in.

    You are logged in to the Control Room as an administrator. You can now configure and manage the overall RPA environment with Control Room and Bot Agent.

Next steps

After configuring the Control Room, install product licenses.