Query about Blue Prism and Domain Trusts

Anonymous
Not applicable
We have an issue that is currently affecting delivery of a Blue Prism project and hope to have a bit of clarification.

Our client has several Active Directory domains. Most of these reside in the same forest and are running Blue Prism correctly. They wish to stand up a Runtime Resource in a separate domain which has a trust relationship to the Application Server Domain, but they are experiencing problems with users not being recognised correctly.

The situation is:

The Application server is in DomainA.
The Runtime Resource is in DomainB.
A one-way external trust is in place between DomainA and DomainB (DomainA trusts DomainB).

User1 in DomainB has been added to Group1 in DomainA and shows the username correctly in Group1 in AD Users & Computers in DomainA. However, in Blue Prism, adding Group1 to a User Role shows a SID-like record and not the username, and then shows a Bind error ‘0x8007052E: The username or password is incorrect’.

So I have the following questions:

1) How does Blue Prism interrogate Active Directory? From the documentation, it looks like it uses .NET DirectoryServices, which appears to use LDAP and Bind to the AD.
2) Is it possible to use a Runtime Resource in a Domain that is part of a Trust relationship rather than a Forest? Is it Trust aware?

Many thanks

SteveBoomer
Level 5
Hi Andy. We have a similar setup by the looks of things. We have Resources and Users in domain A, the servers in domain B. We have had to use domain accounts from Domain A to access Blue Prism using SSO. The additional setup we had to perform are changes to the access on the SQL server databases. I'll search my previous posts as I've posted how we did this a few months ago. Regards, Steve

SteveBoomer
Level 5
Hi Andy, the search facility isn't helpful enough to find my previous post so here goes:

Firstly, set up an administrator AD group in domain A.

Sign onto SQL Server, go to Security / Logins and right click New Login. (You haven't mentioned SQL version so I will give you instructions for 2012 as that's what we have.)
Click on Search.
Click on Object Types and select Groups (as it invariably is always unticked).
Change the location to the domain where the AD group resides.
Enter the name and click on Check Names. Then OK.
Check the server roles are set to public only, leave everything else as default and click Okay.

Browse to the database in question and go to Security / Users.
Right click, add new user.
The User Type needs to be Windows User.
Select the User Name (don't forget to add Groups and change the domain).
Add the Login name (Browse is the easiest way to do this).
Leave the Owned Schemas as blank.
Membership needs the following selected:
bpa_ExecuteSP_DataSource_bpsystem
bpa_ExecuteSP_DataSource_custom
bpa_ExecuteSP_System
db_datareader
db_datawriter
Click on Okay.

Repeat for all your AD permissions groups for that instance.

Resources - You will also have to point your Interactive Clients directly at the database server, rather than the application server (we have found this assists performance greatly), but the Runtime Resources need to point to the Application Servers still.

Hope that helps - I'd strongly recommend backing up your DB before making any of the above changes.
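The same SSMS steps as a T-SQL script, added here as an example and not taken from Steve's post or from Blue Prism's own scripts. The group name DOMAINA\BluePrismAdmins and database name BluePrismDB are placeholders; the role names are the ones listed above, and the two SELECTs at the end let you confirm the login ended up with nothing beyond public at server level.

```sql
-- Added example: T-SQL equivalent of the SSMS procedure above (SQL Server 2012+ syntax).
-- Placeholders: DOMAINA\BluePrismAdmins is the AD group in domain A, BluePrismDB the Blue Prism DB.
USE [master];
GO
-- Server-level login for the Windows group. No server roles are granted, so it holds
-- only the implicit 'public' role, matching "server roles set to public only".
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'DOMAINA\BluePrismAdmins')
    CREATE LOGIN [DOMAINA\BluePrismAdmins] FROM WINDOWS WITH DEFAULT_DATABASE = [BluePrismDB];
GO
USE [BluePrismDB];
GO
-- Database user of type Windows User mapped to that login; no owned schemas are assigned.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'DOMAINA\BluePrismAdmins')
    CREATE USER [DOMAINA\BluePrismAdmins] FOR LOGIN [DOMAINA\BluePrismAdmins];
GO
-- The five memberships from the post. ALTER ROLE ... ADD MEMBER needs 2012 or later;
-- on older versions use EXEC sp_addrolemember N'<role>', N'DOMAINA\BluePrismAdmins'.
ALTER ROLE [bpa_ExecuteSP_DataSource_bpsystem] ADD MEMBER [DOMAINA\BluePrismAdmins];
ALTER ROLE [bpa_ExecuteSP_DataSource_custom]   ADD MEMBER [DOMAINA\BluePrismAdmins];
ALTER ROLE [bpa_ExecuteSP_System]              ADD MEMBER [DOMAINA\BluePrismAdmins];
ALTER ROLE [db_datareader]                     ADD MEMBER [DOMAINA\BluePrismAdmins];
ALTER ROLE [db_datawriter]                     ADD MEMBER [DOMAINA\BluePrismAdmins];
GO
-- Check 1: server roles held by the login. 'public' is implicit and not listed here,
-- so this query should return no rows if the login was created as intended.
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals  AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals  AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'DOMAINA\BluePrismAdmins';
-- Check 2: database roles actually granted; expect exactly the five names above.
SELECT r.name AS database_role
FROM sys.database_role_members AS m
JOIN sys.database_principals  AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals  AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'DOMAINA\BluePrismAdmins'
ORDER BY r.name;
```

Run the script once per AD permissions group and per Blue Prism database, changing the two placeholders each time.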