Web Authentication

Basic Engine Robots in Kofax RPA can use different authentication over a network. The authentication setting is specified under Credentials on the All Loading tab of the Default Options window. You can use either Standard or OAuth credentials. See OAuth for more information.

With the Standard Credentials option, Kofax RPA supports Basic, Digest, NTLM, and Negotiate protocols. For Windows systems, Kofax RPA uses the Security Support Provider Interface (SSPI) to provide security services to calling applications. For Unix, Kofax RPA uses the Generic Security Service API (GSS-API) libraries for Negotiate protocol and developed proprietary NTLM support implementation.

Your Linux installation must include Generic Security Service API (GSS-API) libraries to use cross-platform authentication. See "Dependencies and Prerequisites" section in the Kofax RPA Installation Guide for more information.

In case a user needs to have access to remote network resources, delegation must be set up to access those resources. For more information about setting up authentication and delegation rules, see Microsoft documentation at msdn.microsoft.com and support.microsoft.com.

Kofax RPA automatically detects the type of authentication during the login process and in most situations provides authentication parameters in the required format. For NTLM protocol, SPN (Service Principal Name) string is always as follows: HTTP/HostName:port. For Negotiate protocol, SPN may be with or without the port number.

In some cases you may need to explicitly provide authentication parameters for Negotiate protocol. You can do it either in the Authentication Method option on the All Loading tab of the Default Options in Basic Engine Robot Configuration dialog box or using the spn.txt file.

Specify Negotiate protocol parameters in the Default Options dialog box
  1. Open the Default Options dialog box from the Basic tab of the Robot Configuration window.
  2. Select Negotiate in the Authentication Method list and click Add (+). Configuration: Negotiate Authentication dialog box opens.
    • In the URL Host field, enter the address of the website you want to connect to in the form HTTP://<host name>:<port>/<page>, for example, http://localhost:123/index.html. Kofax RPA extracts the host name from the entered address, such as http://localhost:123. Note that <port> is an optional TCP port number you can use to specify a non-standard port number to differentiate between multiple instances of the same service on a single host computer. Ports 80 and 433 are omitted.
    • In the Server field, specify the name of the server/service in the form of a fully qualified domain name (FQDN). For example, localhost:123 or computer.global.companyname.com:1433.

    When Kofax RPA loads a website in the WebKit browser and a server initiates Negotiate protocol usage, WebKit tries to match the host name with parameters specified by the user in the URL Host field. If a match is found, WebKit constructs an SPN string in the following form: HTTP/Server. Where Server is the FQDN with an optional port parameter specified in the Server field. For example, HTTP/computer.global.companyname.com:1433

  3. Select Can Delegate if you want to turn on delegation usage for the specified account.
  4. Click Save.
Negotiate authentication for proxy

Negotiate authentication is also supported for use with proxy servers. You can configure to use a proxy server with Negotiate protocol using the spn.txt file (as shown later in this section) or in the configuration settings for a particular robot. If spn.txt is used, the configuration will be used across all robots.

Use spn.txt to set Negotiate protocol parameters

Create spn.txt adhering to the format described below and place the file in the Configuration folder of the Application Data folder, for example, C:\Users\user.name\AppData\Local\Kofax RPA\11.5.0.0\Configuration.

The file includes three parameters that can be specified independently.

spn.txt file format

Parameter

Description

Example

<host>:<port>::allow_port=[true|false]

Specifies whether to include port number in SPN.

false (default): Do not include port number

true: Include port number

localhost::allow_port=true

<host>:<port>::delegate=[true|false]

Turns on delegation usage for the specified account.

false (default): Do not use delegation

true: Use delegation

localhost::delegate=true

<host>:<port>=<FQDN>

Enter host name in the form of a fully qualified domain name (FQDN) of the server. This parameter overrides the allow_port parameter and Kofax RPA uses the exact string specified here.

localhost=COMPUTERNAME.companyname.com

When Negotiate protocol is used in the environment with multiple websites running on the same host name with different port numbers and using different application pool identities, you can set allow_port to true and specify a non-standard port for the SPN, for example:


  localhost:8888::allow_port=true

Also, it is possible to use port as a part of the mask to assign SPN server, such as localhost:8888=server:555.

Logging

If you encounter errors during web authentication, you can turn on WebKit logging in the log4j2.properties file as follows:

 logger.webkit.name = webkit
 logger.webkit.level = TRACE
The log file should contain information about used authentication properties and SPN string. Look for the following lines in the log file

Setting SPN to : 'Service Principal Name (SPN)' 
Delegate : [ON|OFF] 
Non-standard port : [ON|OFF]
Setting NTLM SPN to : 'SPN string'

See Logging for details.