Login Agent Blue Prism User Guide
Login Agent
USER GUIDE
Version: 5.0.32.1

For more information please contact: info@blueprism.com | UK: +44 (0) 870 879 3000 | US: +1 888 757 7476
www.blueprism.com

Contents

Introduction
    Editions of Login Agent
    Distributable Files
    Mandatory Security Policies
Installation
Using Login Agent
    Overview
    Automation Examples
Advanced Installation and Configuration
    Updating or customising the Login Agent configuration
Troubleshooting
    Identifying Login Agent Runtime Resources in Control Room
    Common Issues
    Enable Logging for Login Agent
    Resource stuck on error message: "Incorrect password or username"
Frequently Asked Questions

The information contained in this document is the proprietary and confidential information of Blue Prism Limited and should not be disclosed to a third party without the written consent of an authorised Blue Prism representative. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying without the written permission of Blue Prism Limited.

© Blue Prism Limited, 2001 – 2016
® Blue Prism is a registered trademark of Blue Prism Limited

All trademarks are hereby acknowledged and are used to the benefit of their respective owners. Blue Prism is not responsible for the content of external websites referenced by this document.

Blue Prism Limited, Centrix House, Crow Lane East, Newton-le-Willows, WA12 9UY, United Kingdom
Registered in England: Reg. No. 4260035. Tel: +44 870 879 3000.
Web: www.blueprism.com
Commercial in Confidence

Introduction

The Login Agent software provides a mechanism for securely logging into a Windows desktop device for the purposes of executing Blue Prism processes. This document guides the new user through the process of installing the Blue Prism Login Agent software, and provides some guidance on its use.

Editions of Login Agent

The correct version of Login Agent to use will be dependent on the version of Blue Prism that is installed.

• Blue Prism Versions 4.1.25 to 5.0.21
  Download a compatible version of Login Agent from the user portal. At the time of publication the latest compatible version is Login Agent 2.0.0.
• Blue Prism Version 5.0.23
  Download a compatible version of Login Agent from the user portal. At the time of publication the latest compatible version is Login Agent 5.0.23.
• Versions 5.0.24 and above
  Login Agent is provided within the Blue Prism installer. Following the install of Blue Prism on a given device, the Login Agent installation executable can be found within the Installers in the Blue Prism install location.

Login Agent 2.0.0 (from Portal)
  Location of installer: Download from User Portal
  Supported Blue Prism versions: 4.1.25 – 5.0.21
  Supported Operating Systems: Windows XP, Windows Vista, Windows 7, Windows 8.1, Windows 10. Includes 32-bit and 64-bit architectures.

Login Agent 5.0.23 (from Portal)
  Location of installer: Download from User Portal
  Supported Blue Prism versions: 5.0.23+
  Supported Operating Systems: Windows XP, Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012. Includes 32-bit and 64-bit architectures and R2 editions.

Login Agent (Embedded)
  Location of installer: Within install directory of Blue Prism versions 5.0.24+.
  Supported Blue Prism versions: Version of Blue Prism that the installer was provided with.
  Supported Operating Systems: Windows XP, Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012. Includes 32-bit and 64-bit architectures and R2 editions.
Prerequisites: An appropriate version of Blue Prism must be installed and configured prior to installing Login Agent. When installing onto a virtual device, the host virtualization technology must support third-party credential providers.

User access: Administrator access is required on the target system.

Distributable Files

There are two installers available for each version of Login Agent:

• For 32-bit operating systems: LoginAgentSetup32.msi or LoginAgent_x86.msi
• For 64-bit operating systems: LoginAgentSetup64.msi or LoginAgent_x64.msi

Mandatory Security Policies

In order for Login Agent to be able to function it is essential that the following security policies are configured on each target device. These are to ensure that when the device is first started the Windows username and password fields are presented without requiring any user input. Explicitly:

• There must not be a requirement to press ctrl + alt + del prior to the user name and password fields being presented.
  [Local Security Policy: Interactive logon: Do not require ctrl + alt + del: Enabled]
• There must not be a requirement to traverse an on-screen message such as a usage acceptance policy as part of the login process.
  [Local Security Policy: Interactive logon: Message title for users attempting to log on: Empty]
  [Local Security Policy: Interactive logon: Message text for users attempting to log on: Empty]
• There must not be a requirement to traverse a lock screen (Windows 8.1 and Windows 10).
  [Local Group Policy Editor: Do not display the lock screen: Enabled]

These policies will be automatically set for the local machine when Login Agent is installed, but commonly these settings are overwritten by global settings on the network.

Local Security Policy settings can be found within Local Security Policy, beneath Security Settings -> Local Policies -> Security Options.
Local Group Policy Editor settings can be found within the Local Group Policy Editor beneath Computer Configuration -> Administrative Templates -> Control Panel -> Personalization [Windows 8.1 and 10 only].

Where security policies are applied globally, such as by Active Directory Group Policy, these changes will need to be applied centrally to affect all intended target devices.

Installation

The steps below illustrate those required to perform an initial installation of Login Agent.

Login Agent should only be installed on a device where Blue Prism has been installed and at least one Blue Prism connection has been configured. When installing on virtualized devices, it is necessary for the virtualization host technology to support third-party credential providers. Login Agent must be used with the version of the VBO that is provided within the associated Blue Prism release file.

1. Locate and run the appropriate installer depending on the CPU architecture of the target device (e.g. whether it is a 32-bit or 64-bit device).
2. On the screen that prompts for a Connection Name, a name that exactly matches an existing Blue Prism connection on the local device must be provided. A list of the currently configured connections can be found within the Blue Prism client.
3. Optionally select a custom installation location and continue past the confirmation to begin the installation.
4. Once the installation has completed, reboot the device.

Login Agent does not require a callback connection and therefore if the selected connection is a Blue Prism Server connection (recommended), a callback connection will not be established.

Using Login Agent

Overview

When executing an automated process on a Blue Prism Runtime Resource, it is necessary for the Runtime Resource to be listening on a device which is logged in and not locked.
This allows the process to operate under the context of that user and provides access to all of the local applications and network resources that it may need.

Login Agent provides a mechanism that is intended to assist with automating the logging of a device into Windows such that the main Blue Prism Runtime Resource can be started. This includes:

• Configuring the Login Agent service with appropriate information to launch a Login Agent Runtime Resource.
• A Login Agent Runtime Resource being started automatically when a device is powered on (or rebooted) that connects to the appropriate Blue Prism environment.
• The Login Agent Runtime Resource being instructed (manually or via a schedule) to Log in.
• The Login Agent securely retrieving the appropriate credential from the database and using this to authenticate with Windows.

When appropriately configured, a conceptual representation of the flow of events that will occur to take a device from being powered on to being logged in and able to receive process automation instructions is shown below.

Figure 1: Conceptual flow of events for Login Agent 5.0.23+

Automation Examples

Once Login Agent has been deployed on the required devices, the Login Agent Release Package can be imported into the environment. This package includes a number of components that can be used to illustrate how to interact with a device that has been configured with Login Agent.

The package file (Login Agent Release.bprelease) is located within the Login Agent install directory and can be imported using the File -> Import menu option on any single device. The data is copied into the database so it only needs to be completed once for each relevant Blue Prism environment.

The default Login and Change Password processes require that a Credential record is created for each device where the process will be run.
These credential records need to be created using the default naming format: Windows Login: [MachineName]. E.g. if the Runtime Resource is configured on robot0001 on port 8190, the default credential name should be Windows Login: robot0001.

Example Processes

A number of example Blue Prism processes are provided within the release package:

• Login: Instructs a Login Agent Runtime Resource to retrieve a credential (based on a default static naming format) and execute a login. Supports both local account and network account logins.
  Intended for Login Agent Runtime Resource?: Yes
  Intended for Blue Prism Runtime Resource?: No
• Logout: Instructs a Blue Prism Runtime Resource to close all programs in the user session and log out of Windows. An optional delay can be passed in as the parameter 'Delay' which will hold off from logging out for the time specified. The process will still complete immediately, and the session will log out after the delay has passed.
  Intended for Login Agent Runtime Resource?: No
  Intended for Blue Prism Runtime Resource?: Yes
  Specifying a Delay of 1 second (or greater) can help when troubleshooting.
• Check Logged In: Checks the current logged in state of the device where the Runtime Resource is running.
  Intended for Login Agent Runtime Resource?: Yes
  Intended for Blue Prism Runtime Resource?: Yes
• Change Password: Resets the password for the currently logged on user and overwrites the password associated with the credential record. Provides support for configuring the complexity of the password that will be generated.
  Intended for Login Agent Runtime Resource?: No – process terminates immediately
  Intended for Blue Prism Runtime Resource?: Yes

Example Actions

A Business Object, leveraged by the above processes, provides a set of example actions that can be used to achieve common authentication actions with the operating system, such as Log In, Is Logged In, Log Out, Change Password, Lock Screen, Unlock Screen.
Information regarding the Login Agent VBO and its actions can be found in the API documentation under Help > API Documentation.

When overwriting existing versions of the Login Agent VBO, it is necessary to re-verify any processes that use the provided functionality.

Advanced Installation and Configuration

Updating or customising the Login Agent configuration

The configuration of the Blue Prism Login Agent service, which is responsible for initialising the Login Agent Runtime Resource, is stored within a local configuration file:

C:\ProgramData\Blue Prism Limited\Automate V3\LoginAgentService.config

The workingdirectory element points to the installation directory for the Blue Prism software. The startuparguments element gives the arguments that will be used when launching the Login Agent Runtime Resource.

Common start-up argument configuration changes include:

• Updating the Blue Prism connection that the Login Agent Runtime Resource will use
• Updating the port number that the Login Agent Runtime Resource will listen on
• Configuring the Login Agent Runtime Resource to apply certificate-based encryption
• Adding custom parameters to be included in the start-up process of the Login Agent Runtime Resource

Updating the Blue Prism connection to use

The value of the connection name must be an exact match of the name of an existing Blue Prism connection on the local device.

8181

If no connection is specified in the configuration file, the first connection specified in the Blue Prism client connection list on the local device will be used.

Updating the port that the Login Agent Runtime Resource will listen on

The listening port used by the Login Agent Runtime Resource is configured separately to the listening port that will be used by the Runtime Resource once the device has been logged on. There is no requirement for the Login Agent Runtime Resource and the Blue Prism Runtime Resource to use the same port.
Prod: Financial Services tag: 8181

Configuring the Login Agent Runtime Resource with certificate-based encryption

Where the conventional Runtime Resources are configured to force encryption of incoming connections using a specified certificate (e.g. where the Runtimes are started using the /sslcert switch), it is necessary to manually apply the appropriate configuration to the Login Agent Runtime Resource. The startuparguments element within the configuration file can be updated to include the appropriate information:

Prod: Financial Services Prod: Financial Services E.g. [Certificate Thumbprint] Prod: Financial Services

Certificate-based encryption is only applied to the traffic received on the listening port. Encryption is applied separately to the connection that retrieves the credentials that will be used as part of the login process.

Certificate-based encryption should only be applied to Login Agent Runtime Resources once the certificate has been applied and tested with a Blue Prism Runtime Resource.

Adding parameters to the start-up command

Where it is necessary to add additional start-up command parameters to the Login Agent Runtime Resource, they can be added in a similar fashion. For example, to add a DB password for a SQL Server authenticated database add the XML below before the closing

Troubleshooting

Identifying Login Agent Runtime Resources in Control Room

Applies to Login Agent 5.0.23 and above

Login Agent Runtime Resources are shown using a dedicated icon within Control Room. When appropriately configured, the Login Agent Runtime Resource is started whenever the machine is in a pre-logged in state, and remains active until the device has been logged on and a conventional Blue Prism Runtime Resource has been started. The Login Agent Runtime Resource is automatically shut down by the start-up of a Blue Prism Runtime Resource.
Common Issues

Common issues when trying to work with Login Agent include:

• Incorrect configuration of security policies on the local device
  It is essential that the specified security policies have been disabled. These include disabling lock screens, disabling the requirement to press ctrl + alt + del prior to logging in, and disabling log-on messages such as usage access policy messages. Security policies and settings can be inherited from different sources (e.g. local settings on the machine, and centrally via group policy) and the policies that are actually applied on the local device must be verified. It is advisable to watch the boot-up procedure to ensure the user is not prompted for unexpected or unsupported input.
• Incorrect configuration of the Login Agent Runtime Resource
  The configuration of the Login Agent Runtime Resource must be validated against the settings used for the conventional Runtime Resources. In particular, verify that the connection used is one that works within the Blue Prism client.

Enable Logging for Login Agent

Applies to Login Agent 5.0.23 and above

Login Agent can be configured to generate diagnostic logs on a specific device by configuring the appropriate Registry key settings. For appropriate versions of Login Agent, the keys can be found within the Registry at the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Blue Prism Limited\LoginAgent

• LogFileDir: specifies the location where the log file will be generated.
• LogLevel: specifies the granularity of logs. 0: Disabled (default); 1: Error messages; 2: Debug messages; 4: Trace messages. For a combination of levels, the values can be added together. E.g. a value of 7 will provide error messages, debug messages and trace messages.

Logging is only recommended while troubleshooting. It is necessary to reboot the device to apply registry setting changes.
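
One way to verify on the device itself which logon policy values are actually in effect, and whether diagnostic logging has been left on, is sketched below. This is an added example and not part of the Blue Prism guide or product; the Windows registry value names (DisableCAD, LegalNoticeCaption, LegalNoticeText, NoLockScreen) are the standard backing values for the listed policies and are assumptions in that the guide does not name them.

```powershell
# Added example, not Blue Prism code. Run on the target device after Group
# Policy has been applied. Registry value names for the Windows policies are
# the standard backing values and are not listed in the guide (assumption).
$system          = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$personalization = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'
$loginAgent      = 'HKLM:\SOFTWARE\Blue Prism Limited\LoginAgent'  # key from the guide

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-Policy {
    param([string]$Policy, [string]$Path, [string]$Name, [scriptblock]$IsCompliant)
    $raw  = Get-RegValue -Path $Path -Name $Name
    # REG_MULTI_SZ data is returned as an array; flatten it before comparing.
    $text = if ($null -eq $raw) { $null } else { (@($raw) -join ' ').Trim() }
    [pscustomobject]@{
        Policy    = $Policy
        Value     = if ($null -eq $text) { '<not set>' } else { $text }
        Compliant = [bool](& $IsCompliant $text)
    }
}

function Get-LoginAgentLogging {
    $raw   = Get-RegValue -Path $loginAgent -Name 'LogLevel'
    $level = if ($null -eq $raw) { 0 } else { [int]$raw }   # 0 is the documented default
    # LogLevel is a sum of flags: 1 = Error, 2 = Debug, 4 = Trace.
    $flags = @()
    if ($level -band 1) { $flags += 'Error' }
    if ($level -band 2) { $flags += 'Debug' }
    if ($level -band 4) { $flags += 'Trace' }
    [pscustomobject]@{
        LogLevel   = $level
        Messages   = if ($flags) { $flags -join ', ' } else { 'Disabled' }
        LogFileDir = Get-RegValue -Path $loginAgent -Name 'LogFileDir'
    }
}

$enabled = { $args[0] -eq '1' }                    # DWORD 1 = policy enabled
$empty   = { [string]::IsNullOrEmpty($args[0]) }   # absent or blank = no message

$results = @(
    Test-Policy 'Do not require ctrl + alt + del' $system 'DisableCAD' $enabled
    Test-Policy 'Logon message title' $system 'LegalNoticeCaption' $empty
    Test-Policy 'Logon message text' $system 'LegalNoticeText' $empty
    Test-Policy 'Do not display the lock screen' $personalization 'NoLockScreen' $enabled
)

$results | Format-Table -AutoSize
$logging = Get-LoginAgentLogging
$logging | Format-List

if ($results.Compliant -contains $false) {
    Write-Warning 'At least one logon policy will block Login Agent; check which GPO sets it.'
}
if ($logging.LogLevel -ne 0) {
    Write-Warning 'Diagnostic logging is on; the guide recommends it only while troubleshooting.'
}
```

When a value is reported as non-compliant, `gpresult /h report.html` shows which Group Policy Object is supplying it.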
Resource stuck on error message: "Incorrect password or username"

Applies to Login Agent versions prior to 5.0.23

When incorrect credential details are used as part of the log in process, the process can enter into a loop whereby it continually retries and receives a duplicate error message. In order to exit the loop, the target device should be restarted.

Frequently Asked Questions

What kind of Login does Login Agent orchestrate?
Login Agent orchestrates a local interactive login on the target device. Once the interactive login has succeeded, it is expected that a conventional Blue Prism Runtime Resource will then be started (such as via a scheduled task or logon script) which will then be responsible for executing the automated processes which interact with the graphical user interface of locally installed applications.

Why does ctrl + alt + del need to be disabled?
Security policy controls, such as requiring users to press ctrl + alt + del prior to providing login credentials, are specifically designed to require user input and to prevent programmatic logins onto a local device. It is therefore essential the listed security policies are appropriately disabled.

Can the Login Agent Runtime Resource run any process?
By default the Login Agent Runtime Resource operates under the context of a user with limited access to the operating system and therefore only a limited set of actions can be executed by a Login Agent Runtime Resource.

Can an instruction be passed that orchestrates a login and then starts processing?
The Log in actions are performed by a separate Runtime Resource to the on-going business as usual processing and therefore the instruction to Log in versus the instruction to execute business processes need to be sent separately to a Runtime Resource of an appropriate type.

Where are the credentials used to orchestrate a login stored?
The location of the credentials that are used to orchestrate a login will be defined within the process. The example processes provided by Blue Prism use credentials that are stored within Credential Manager. When using credentials stored in this way, they are encrypted and stored securely, and additionally transmitted over a secure connection by default. The Blue Prism Data Sheet – Credential Manager contains additional information.

Can I modify the Log in process to select which credentials to use?
By creating a custom process which orchestrates the log in, logic can be defined that will determine which credential to use. This could for example define which credential to use based on the device which is to be logged in; the time of day; the day of the week; which credentials are already in use; whether to use hard coded credentials, those stored using Credential Manager, or those stored in a third-party system etc.

Can Login Agent be used on virtualized Runtime Resources?
In order to leverage Login Agent on Runtime Resources it is essential that the underlying virtualization technology supports third-party credential providers.

What happens if a conventional Runtime Resource does not shut down the Login Agent Runtime Resource?
When configured correctly, once a device running Login Agent has been logged in, a conventional Runtime Resource will start up and immediately instruct the Login Agent Runtime Resource to shut down. If however a conventional Runtime Resource does not start, the Login Agent Service is configured to automatically shut down a Login Agent Resource once the device has logged in. This prevents a Login Agent Runtime Resource from being available on a logged in device for a prolonged period of time.

How can the callback connection be disabled for the Login Agent connection to the Blue Prism Server?
When Login Agent 5.032 (and above) is configured to establish a connection to a Blue Prism Server, it is automatically configured to instruct the Blue Prism Server not to establish a callback connection.

Password$123
Source Exif Data:
File Type: PDF
File Type Extension: pdf
MIME Type: application/pdf
PDF Version: 1.7
Linearized: No
Page Count: 11
Language: en-GB
Tagged PDF: Yes
XMP Toolkit: 3.1-701
Producer: Microsoft® Word 2016
Title: Login Agent
Creator: Kevin Whittingham
Creator Tool: Microsoft® Word 2016
Create Date: 2017:08:23 09:00:55+01:00
Modify Date: 2017:08:23 09:00:55+01:00
Document ID: uuid:E7750BCA-B664-4736-8B9B-E1B20848BD0F
Instance ID: uuid:E7750BCA-B664-4736-8B9B-E1B20848BD0F
Author: Kevin Whittingham
Keywords: Version:, 5.0.32.1