Troubleshooting – Single sign-on

This page describes some common issues and suggested resolutions for system administrators using and managing Single Sign-on in Blue Prism.

Users can't sign in

If login failures or performance issues are encountered during the login process via Active Directory, system administrators can check whether any of the scenarios below apply and perform the appropriate action.

If using Active Directory authentication in a single-authentication environment

  • Log out and back in again – If all user settings, including security groups, are correct, try logging off the user's machine and logging on again. When a user is added to an Active Directory group, the change takes effect the next time they log on.
  • Check the user's Blue Prism roles and their Active Directory security group membership – If the user is a member of the Blue Prism Administrators group (as configured in the single sign-on settings), they should be able to sign in.

    Check that the user is a member of at least one of the Blue Prism security groups in Active Directory. Check which Active Directory groups are mapped to the Blue Prism roles in System Manager.

If using Active Directory authentication in a multi-authentication environment

  • Check the Blue Prism application server connection – Make sure the user is connected to a Blue Prism application server with a valid and secure connection mode and that an Active Directory user record exists for the currently logged-in Windows user.

If converting a single-authentication Active Directory environment to a multi-authentication Active Directory environment

Use a supported connection for Active Directory authentication before starting the conversion. If you have not used a supported connection for Active Directory authentication before doing the conversion, the Active Directory sign-in option will not appear on the Blue Prism login page, and you will have to change your connection to a supported connection before you can log back into the system.

For more details, see Single Sign-on.

Windows credentials are required

If, after signing in via Active Directory, you are prompted to enter Windows credentials, check that you have configured a Service Principal Name (SPN) against the Active Directory account under which each Blue Prism Server service instance is running. For more details, see SPN configuration.

Error messages display

The trust relationship between this workstation and the primary domain failed.

This error indicates a problem with your network configuration. It can sometimes be a symptom of a disjoint namespace (a scenario in which a computer's primary domain name system (DNS) suffix doesn't match the DNS domain name where that computer resides).

The specified domain does not exist or cannot be contacted.

A machine can sometimes appear to be a member of a domain while being badly configured. If the error occurs only from one specific machine, while other machines work without problems, this is the likely cause. In that case, remove the machine from the domain and rejoin it (a domain administrator will need to carry out this action).

The local machine is not a member of an Active Directory domain, or the domain cannot be contacted.

If you receive this message when attempting to enable Active Directory authentication in a multi-authentication environment, you need to ask your Active Directory domain administrator to add the machine to an Active Directory domain before you can configure Active Directory authentication.

Unable to retrieve the members of Security Group {Security Group Name} because it contains members which are either Foreign Security Principals or have unresolved SIDs.

This only applies to Active Directory authentication in a single-authentication environment.

Some Active Directory security groups (for example, some built-in groups) present querying difficulties and therefore such configurations are not recommended. Whilst users from these groups will be able to sign in with the correct permissions, some Blue Prism screens may not be able to accurately display membership information.
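As an added example (not taken from the Blue Prism documentation), the following PowerShell lists a security group's members and flags the ones that would cause the error above, so an administrator can see which members are Foreign Security Principals or carry unresolved SIDs and decide whether to map the Blue Prism role to a different group instead. It assumes the RSAT ActiveDirectory module is installed on the machine, and the group name 'BluePrism-Runtime-Users' is a placeholder to replace with a group mapped to a Blue Prism role.

```powershell
# Added example, not Blue Prism's own code. Enumerate a group's members and flag
# Foreign Security Principals and members whose SID cannot be resolved to a name.
# Assumes the RSAT ActiveDirectory module; the group name in the usage line is a placeholder.
Import-Module ActiveDirectory

function Get-ProblemGroupMembers {
    param(
        [Parameter(Mandatory)] [string] $GroupName
    )

    # Read the raw 'member' attribute instead of calling Get-ADGroupMember, which
    # itself fails on groups that contain foreign security principals.
    $group = Get-ADGroup -Identity $GroupName -Properties member

    foreach ($dn in $group.member) {
        $member = Get-ADObject -Identity $dn -Properties objectClass, objectSid
        $status = 'OK'
        $sidValue = $null

        if ($null -eq $member.objectSid) {
            # Contacts and similar objects have no SID at all and cannot be resolved.
            $status = 'NoSID'
        } else {
            $sid = [System.Security.Principal.SecurityIdentifier] $member.objectSid
            $sidValue = $sid.Value
            if ($member.objectClass -eq 'foreignSecurityPrincipal') {
                # Member comes from a trusted domain or is a well-known principal;
                # translating the SID tells a live principal from a stale one.
                try {
                    $null  = $sid.Translate([System.Security.Principal.NTAccount])
                    $status = 'ForeignSecurityPrincipal'
                } catch {
                    $status = 'UnresolvedSID'
                }
            }
        }

        [pscustomobject]@{
            Group  = $GroupName
            Member = $dn
            Class  = $member.objectClass
            Sid    = $sidValue
            Status = $status
        }
    }
}

# Usage: replace the placeholder with a group mapped to a Blue Prism role in System Manager.
Get-ProblemGroupMembers -GroupName 'BluePrism-Runtime-Users' |
    Where-Object Status -ne 'OK' |
    Format-Table -AutoSize
```

Any rows listed are the members Blue Prism cannot resolve; an empty result means the group is safe to map.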