UiPath Orchestrator

The UiPath Orchestrator Guide

Changing the Windows Authentication Protocol

By default, in Orchestrator, the [NTLM authentication protocol][1] is used when logging in with your Active Directory credentials.

[1]: https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff647076(v=pandp.10)#ntlm-authentication

To switch to [Kerberos][2], you must switch the application pool to NetworkService and register the Service Principal Name (SPN), which exists in Active Directory, for the domain account used to run the service with which the client is authenticating.

[2]: https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff647076(v=pandp.10)#kerberos-authentication

To make this change, perform the following steps:

  1. Open the Command Prompt.
  2. Change the directory to C:\Windows\System32, by using the cd C:\Windows\System32 command.
  3. Run the setspn.exe -a https://<machine> <domain account> command, where:
    • https://<machine> - represents the URL at which your Orchestrator instance is reachable, such as https://DocOrch.uipath.local;
    • <domain account> - represents the name or domain\name of the machine on which Orchestrator is installed, or the user account, such as docteam or uipath.local\docteam.

To check that Kerberos is used:

  1. Log in to Orchestrator using AD credentials.
  2. Open Event Viewer.
  3. Look for the Microsoft Windows security audit and select it. Details about the action are updated on the General tab.
  4. Under the Detailed Authentication Information section, the Logon Process should be Kerberos.
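
The same check can be scripted instead of browsing Event Viewer. The following PowerShell is an added example, not part of the UiPath guide: it assumes the audit entry referred to above is the Security log's successful-logon event (ID 4624), uses the sample account docteam from this page, and must run in an elevated session on the Orchestrator server.

```powershell
# Added example: list recent logons for one account and show which
# authentication protocol each one used (Kerberos vs. NTLM).
# Assumption: the audit entry from the steps above is event ID 4624.
$User    = 'docteam'   # sample account name from this page; replace with yours
$Minutes = 15          # how far back to search (illustrative value)

$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddMinutes(-$Minutes)
}

$logons = @(
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the <EventData><Data Name="..."> elements into a hashtable.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.InnerText }
            [pscustomobject]@{
                Time         = $_.TimeCreated
                User         = $data['TargetUserName']
                LogonType    = $data['LogonType']
                # NTLM logons report the process as "NtLmSsp " with a trailing space.
                LogonProcess = ([string]$data['LogonProcessName']).Trim()
                AuthPackage  = ([string]$data['AuthenticationPackageName']).Trim()
                Source       = $data['IpAddress']
            }
        } |
        Where-Object { $_.User -eq $User }
)

if ($logons.Count -eq 0) {
    Write-Warning "No 4624 events for '$User' in the last $Minutes minutes. Confirm logon auditing is enabled and the session is elevated."
}
else {
    $logons | Sort-Object Time -Descending | Format-Table -AutoSize

    # Any NTLM entry after the change means the client fell back from Kerberos.
    $ntlm = @($logons | Where-Object { $_.AuthPackage -eq 'NTLM' })
    if ($ntlm.Count -gt 0) {
        Write-Warning "$($ntlm.Count) logon(s) still used NTLM. Review the SPN with: setspn -L <domain account>"
    }
}
```

If NTLM entries persist, `setspn -X` reports duplicate SPNs in the domain, a common reason for Kerberos falling back to NTLM.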

Updated 2 years ago

