Configuring Control Room for Active Directory: manual mode
Configure the Control Room to authenticate users using Active Directory by manually adding the Lightweight Directory Access Protocol (LDAP) URLs.
To configure the Control Room when you start it for the first time:
Double-click the Automation Anywhere
Control Room icon on your desktop.
The Configure Control Room settings page appears.
Type the repository path.
This is the location where the uploaded automation files, for example, MetaBots, IQ Bots, and TaskBots are stored. For example, C:\ProgramData\AutomationAnywhere\Server Files.
Type the access URL.
This is the URL for accessing your installation of Control Room.
Click Save and continue.
Warning: The back button of your automatically disables after you click Save and continue. This ensures that the Credential Vault Master Key that generates matches the repository path and Control Room access URL.The Credential Vault settings page appears.
To return to the Configure Control Room settings page, press Ctrl plus F5 and restart.
Select from the following options:
- Express mode: The system stores your master key to connect to the Credential Vault. This option is not recommended for a production environment.
- Manual mode: You store the Master Key on your own, and then provide the Master Key when the Credential Vault is locked. Users use the Master Key
to connect to the Credential Vault to secure their credentials and
access them when creating and running TaskBots.Warning: If you lose the key, you will not be able to access the Control Room.
Click Save and continue.
Warning: The back button of the automatically disables after you click Save and continue. No further changes to the Control Room configuration or Credential Vault settings are allowed.
To make changes, reinstall the Control Room.The Authentication type for Control Room users page appears.
Select Active Directory.
Starting from Version 11.3, Automation Anywhere supports Active Directory Multi-Forest authentication for the Control Room. Before providing the Authentication Type, ensure the following:
- One-way or two-way trust is set up between all forests. For a one-way trust, this is from the Enterprise Client forest to the Control Room forest (Control Room forest must always be the trusting forest).
- Two-way trust is set up for every domain in a forest.
- The root certificate of the LDAP server is imported using the provided CertMgr tool via command.
- The provided LDAP URLs per forest cannot be behind a load balancer. Also, all LDAP URLs must point to the root (main) domain controllers.
- The node that runs the Control Room is in the same domain network where the Active Directory runs.
- The user is in the parent domain and the URL
points to the parent.
This ensures that when there are two or more forests, and one of the forest has a subdomain with a different name space, a user from the other forests does not have permission to access that subdomain.
Type the LDAP URL.
For example, ldap://server01.domain.com.
To support users from a domain for a different forest, use the more options icon to provide additional LDAP URLs.Note: For users and groups from one or more Active Directory domains, to access the Control Room, use a fully qualified host name of the Global Catalog (GC) server, listening on port 3268 (3269 if SSL).
If you add a domain or a subdomain, the authentication fails. For example, use ldap://Server01.ldap.com instead of ldap://MyDomain/.
Starting with 11.3.1, provide URLs of multiple Global Catalogs per forest so that if one Global Catalog in a forest goes down, the other can serve. This feature does not provide support for the load-balanced URL.
Starting with Version 11.3.2, you must enter the Domain username and password and click Manually add connections to enter the LDAP URLs.
Type the username.
Ensure you use the User Principal Name (UPN) in the email@example.com format.
Type the password.
This must be a domain user in the Domain Users' group. However, this user is not expected to use the Control Room. Although you have an option to update the password, use an account with a password never expires option. If the password expires, it can be updated, but with some downtime.
Click Check connection.
If Control Room is unable to connect to the Active Directory database, an error message appears.
In Version 11.3.2, click Test connections to register the sites to use for authentication.
The Control Room first administrator page appears.
- Select the Active Directory domain from the drop-down list and type the Control Room administrator username.
Click Check name in Active Directory.
If the username is in the Active Directory the following user details are shown:
- First name
- Last name
You can edit these prepopulated fields.
Click Save and log in.
You are logged in to the Control Room as an administrator. You can now configure and manage the overall RPA environment with Control Room and clients.