Troubleshooting – single sign-on

This page describes some common issues and suggested resolutions for using the Single Sign-on feature of Blue Prism.

I can't sign on

If you are using Active Directory authentication in a single-authentication environment:

If you believe that all your settings, including user groups, are correct, try logging off and logging on to the network again. When a user is added to an Active Directory group, the change takes effect the next time they log on.

Ask your network administrator to check that you are a member of one of the Blue Prism security groups in Active Directory. A member of the Blue Prism Administrators group (as configured in the single sign-on settings) should be able to sign in. Check which Active Directory groups are mapped to the Blue Prism roles in System Manager. You should be a member of at least one of these groups.
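One way to tell the two cases above apart from the affected workstation, as an added PowerShell example that is not part of the Blue Prism documentation: it compares the groups in the current logon session with the groups Active Directory now lists for the user. The function names and the EXAMPLE\BP-* group names are hypothetical placeholders; substitute the groups mapped to Blue Prism roles in System Manager.

```powershell
# Added example. Function and group names are placeholders, not Blue Prism values.
function Get-TokenGroupNames {
    # Groups held by the current logon session (fixed at logon time).
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # unresolved SID: keep the raw SID string
    }
}

function Get-DirectoryGroupNames {
    # Groups Active Directory lists for the user right now (nested groups included).
    param([string]$SamAccountName = $env:USERNAME)   # pass trusted account names only
    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $result = ([adsisearcher]$filter).FindOne()
    if (-not $result) { return @() }
    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache(@('tokenGroups'))            # computed attribute, loaded on request
    foreach ($bytes in $entry.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }
    }
}

function Get-SsoGroupDiagnosis {
    param(
        [string[]]$MappedGroups,      # AD groups mapped to Blue Prism roles
        [string[]]$TokenGroups,       # output of Get-TokenGroupNames
        [string[]]$DirectoryGroups    # output of Get-DirectoryGroupNames
    )
    foreach ($group in $MappedGroups) {
        $inToken = $TokenGroups -contains $group          # -contains ignores case
        $inDirectory = $DirectoryGroups -contains $group
        $advice = if ($inToken) { 'Membership is active in this session.' }
                  elseif ($inDirectory) { 'Added in AD after logon: log off and log on again.' }
                  else { 'Not a member: ask the network administrator to check the group.' }
        [pscustomobject]@{ Group = $group; InToken = $inToken; InDirectory = $inDirectory; Advice = $advice }
    }
}

# Constructed sample: user was added to EXAMPLE\BP-Developers but has not logged on since.
Get-SsoGroupDiagnosis -MappedGroups 'EXAMPLE\BP-Administrators', 'EXAMPLE\BP-Developers' `
    -TokenGroups 'EXAMPLE\Domain Users' `
    -DirectoryGroups 'EXAMPLE\Domain Users', 'EXAMPLE\BP-Developers'

# Live use on a domain-joined workstation:
# Get-SsoGroupDiagnosis -MappedGroups $mapped -TokenGroups (Get-TokenGroupNames) -DirectoryGroups (Get-DirectoryGroupNames)
```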

If you are using Active Directory authentication in a multi-authentication environment:

Make sure you are connected to a Blue Prism application server with a valid and secure connection type and that the administrator has added you (the currently logged-in Windows user) as an Active Directory user within Blue Prism.

See Single Sign-on for more details.

If you are converting a single-authentication Active Directory environment to a multi-authentication Active Directory environment:

You should use a supported connection for Active Directory authentication before starting the conversion. If you did not use a supported connection for Active Directory authentication before the conversion, you will not see the Active Directory sign-on option on the Blue Prism login page, and you will have to change your connection to a supported connection to be able to log back into the system.

See Single Sign-on for more details.

I receive an error message

The trust relationship between this workstation and the primary domain failed.

This error indicates a problem with your network configuration. It can sometimes be a symptom of a disjointed namespace (a scenario in which a computer's primary domain name system (DNS) suffix doesn't match the DNS domain name where that computer resides).

The specified domain does not exist or cannot be contacted.

Sometimes a machine can appear to be a member of a domain but be badly configured. If the error only occurs on a specific machine while other machines work without problems, this may be the cause. In this case, remove the machine from the domain and reattach it (a domain administrator will need to carry out this action).

The local machine is not a member of an Active Directory domain, or the domain cannot be contacted.

If you receive this message when attempting to enable Active Directory authentication in a multi-authentication environment, you need to ask your Active Directory domain administrator to add you to an Active Directory domain before you can configure Active Directory authentication.

I receive an information message

Unable to retrieve the members of Security Group {Security Group Name} because it contains members which are either Foreign Security Principals or have unresolved SIDs.

This only applies to Active Directory authentication in a single-authentication environment.

Some Active Directory security groups (e.g. some built-in groups) present querying difficulties, and such configurations are therefore not recommended. Whilst users from these groups will be able to sign in with the correct permissions, some Blue Prism screens may not be able to accurately display membership information.

See Single Sign-on and Active Directory configuration for more details.