TomiHeikkinen
Level 4

Currently when enabling Active Directory authentication for Blue Prism, it forces SSO. Please add option to switch from SSO to manual login (username & password prompt) with an AD account.

For example, in our DEV environment we use robot accounts (which have the required system access rights that are used in the process) to log in to the development resource machines that the development is done on. We are doing this to simulate how they are run in the production environment. These robot accounts have not been added to Blue Prism user roles or given access rights to log in to Blue Prism. This in turn means that we can't launch it in the normal way when SSO is forced on; this gives an error that the user is not authorized to connect to the Blue Prism server.

We have circumvented this by adding a separate batch script that prompts for a username & password (which have access rights to Blue Prism) and launches automate.exe with them -> it sends those credentials to the Blue Prism server and allows login.

6 Comments
ChristianPanhan
Level 6

I wonder if the Windows option "Run As Different User" could help you. I'm using this in cases where I want to start Blue Prism on my machine with a different AD account for testing purposes. And it works fine.

https://winaero.com/blog/add-run-start-menu-windows-10/

TomiHeikkinen
Level 4

Thanks Christian.

Yes, this is how we have circumvented this; we created a bat script + shortcut in the Public folders on each machine:

@echo off
rem Ask for the AD account that has login rights to Blue Prism
set /p Username=Insert Username:
rem Start Automate.exe under that account; /savecred stores the entered
rem password in Windows Credential Manager so later runs do not prompt again
C:\Windows\System32\runas.exe /savecred /user:DOMAIN\%Username% "C:\Program Files\Blue Prism Limited\Blue Prism Automate\Automate.exe"

However, we'd like to avoid any "extra" steps to launch the system that might cause confusion among the users.

In my opinion manual login should be made available by default, and any other authentication methods/features (in this case SSO) should come after that. Some organizations might run into issues with this or even be unable to activate AD authentication, if security policies have enforced "Deny logon locally" or other policies preventing launching applications as a different user.

TomiHeikkinen
Level 4

We actually ran into issues with this workaround method.

If automate.exe is started with "run as another account", all calls to launch applications from a process are started with this same account.

1. Developer logs in to resource with robotic account "A". This account has proper permission to our business software.
2. Developer starts automate.exe with "runas" and uses their personal domain account "B"; these domain accounts have been granted login & edit rights to the Blue Prism DEV environment. This way automate.exe can send the "B" credentials to authenticate into BP.
3. Then, at the process level, when business application launches are called, automate.exe seems to start the target software with the same "B" credentials that automate.exe is running under -> this account does not have access rights to the target software.

The only workaround is to grant login & edit rights to the robotic/development accounts (type "A"). This defeats the purpose of AD authentication in our environment.

Implementing a "manual" AD login on the BP login screen would fix this issue:

1. Developer logs in to Windows with robotic account "A"
2. Developer starts BP normally (no run as)
3. In the Blue Prism login screen, the developer manually types in the authorized personal domain account "B"

= Automate.exe is running with the robotic account, so process-level launches start with the robotic account that has the proper access rights to the target software. Blue Prism is used with a personal domain account, which leaves a clear audit trail and is managed centrally with our IDM & AD tools.
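The identity inheritance described in this comment can be checked directly on a resource machine. The following PowerShell script is an added example, not code from the thread or from Blue Prism: it starts Automate.exe under a second account the way the runas workaround does and then reports which account Automate.exe and every process it spawns actually run under. The account name DOMAIN\B, the Automate.exe path and the helper name Get-ProcessOwner are assumptions for the example.

```powershell
# Added example: audit which account Automate.exe and its child processes run as
# when Blue Prism is started via the "run as different user" workaround.
# Assumptions: DOMAIN\B is the personal account used for the Blue Prism login,
# and the Automate.exe path matches the batch script above.

$automatePath = 'C:\Program Files\Blue Prism Limited\Blue Prism Automate\Automate.exe'

# Start Automate.exe under account B, equivalent to runas /user:DOMAIN\B
$cred = Get-Credential -UserName 'DOMAIN\B' -Message 'Account with Blue Prism login rights'
$bp = Start-Process -FilePath $automatePath -Credential $cred -PassThru

# Helper (assumed name): return DOMAIN\user owning the process with the given PID
function Get-ProcessOwner {
    param([int]$ProcessId)
    $p = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $p) { return $null }
    $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    if ($o.ReturnValue -ne 0) { return $null }
    return "$($o.Domain)\$($o.User)"
}

# Give Automate.exe time to start, then run a process in Studio that launches a
# target application. Children of Automate.exe report account B, not the
# interactive robot account A, which is the behaviour described in the comment.
Start-Sleep -Seconds 10
"Interactive session runs as: $env:USERDOMAIN\$env:USERNAME"
"Automate.exe (PID $($bp.Id)) runs as: $(Get-ProcessOwner -ProcessId $bp.Id)"
Get-CimInstance Win32_Process -Filter "ParentProcessId = $($bp.Id)" |
    ForEach-Object {
        '{0,-30} PID {1,-6} runs as {2}' -f $_.Name, $_.ProcessId, (Get-ProcessOwner -ProcessId $_.ProcessId)
    }
```

Re-run the last pipeline after the process has launched its target application; any row showing DOMAIN\B instead of the robot account confirms that the launched software will be evaluated against B's permissions.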

Hi Tomi,

Thanks so much for submitting your idea! We are moving it into the Under Consideration status while we route the idea through our internal review process.

We will update you as your idea moves along the lifecycle.

Thank you!
Melanie 
RomanErlmoser
Level 2
From our side there is the same need. But running BP as a different user on Windows will not work. The developer user has no permission to log in on the resource.
I would prefer some LDAP integration. That might help.
RomanErlmoser
Level 2
In my opinion the easiest way to implement such function would be via LDAP.

I am planning a little workaround using SAML for authentication. With our ADFS, we can configure forced login there and log in as a different Windows account. Not the nicest solution, but actually Blue Prism has room for improvement in its authentication procedure.