Active Directory domains

Blue Prism administrators are able to view, add, edit, and delete Active Directory domains and associated credentials stored in the Blue Prism database.

To access and manage Active Directory domains in Blue Prism, navigate to System > Security > Sign-on Settings > Active Directory Domains. 

You only need to add new Active Directory domains in multi-forest environments with a one-way trust relationship. For more details, see Trust relationships between domains.

Prerequisites

The following prerequisites must be met before adding Active Directory domains:

• Ensure the encryption scheme is configured – Active Directory domain credentials are encrypted in the Blue Prim database using the default encryption scheme, so an encryption scheme must be configured before adding domains. It is recommended to store the encryption key on the application server. For more details, see Encryption schemes.

• Ensure the encryption key is accessible to the Blue Prism API – If the encryption key is stored on the application server, additional steps must be taken to make the encryption keys available to the Blue Prism API. This is to ensure that Active Directory users across multiple domains are able to use the browser-based Control Room. To allow this, the Blue Prism API must be able to decrypt the domain credentials using the encryption scheme stored on the application server. For more details, see API configuration.

Add a domain

1. On the Sign-on Settings - Active Directory Domains screen, click Add.

   The Add Active Directory domain screen displays.

2. Enter a domain name.

   This must be the fully qualified domain name (FQDN) using the format subdomain.domain.com or domain.com.

3. Enter the username and password for the domain. Usernames must be in the format [email protected] or DOMAIN\username. The credentials must be requested from a system administrator beforehand.

   Active Directory domain credentials are stored in the database and are encrypted before storage. The credentials stored for each domain must be that of an Active Directory service account. The service account password must not expire, the service account must not be a user account, and should follow Active Directory service account best practices.You only need to enter domain credentials in a multi-forest environment with a one-way trust.

   

4. Click Add.

   The domain name and credentials are validated against the Active Directory domain controller and the added domain displays in the domains list.

Edit a domain

1. On the Sign-on Settings - Active Directory Domains screen, select a domain and click Edit.

   You can only edit one domain at a time.

2. Change the information as required. You will have to re-enter your password.

   You cannot edit domain names.

3. Click Save to apply your changes.

Delete domains

1. On the Sign-on Settings - Active Directory Domains screen, select the required domain(s) and click Delete.

   A message displays asking you to confirm the deletion.

2. Click Delete to delete the selected domain(s).