After Changing The Admin's Password For A Tenant, User Can Not Login

Why can't the user log in to Orchestrator even after the Admin password was reset?

Issue Description: After resetting the password for the Admin user using the following SQL query, it is not possible to log in with the new password 3edcVFR$.

UPDATE [identity].[AspNetUsers]
SET PasswordHash = 'AK3FINpqU/VzL+c+VL8mbk9wH35Y22bnTnGlLcAq8KKNqj2pN+3bv0+V0qoSKLIANg==',
    IsFirstLogin = 1
WHERE UserName = 'admin'
  AND Id = (SELECT [key] FROM dbo.users WHERE UserName = 'admin' AND TenantId = {tenantId})
-- Replace {tenantId} with the ID of the tenant whose password you want to reset.
-- To see the tenant ID of each tenant, check the tenants table: SELECT * FROM dbo.Tenants

When the Admin user tries to log in to Orchestrator, the error message below is displayed:

  • "Invalid credentials (#MTI_7)"

Another error message is displayed if the user tries to use the “Forgot Password” option:

  • “The provided partition is invalid. (#MTI_1)”


Resolution: In order to identify the root cause of the issue, check the logs in the Event Viewer.

The Event Viewer is where Windows stores system logs. They can sometimes show more detailed error messages than those that are typically shown to the user.

If the below error occurs:

Authentication failed Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSigningKeyException: IDX10249: X509SecurityKey validation failed. The associated certificate has expired. ValidTo (UTC): 'System.DateTime', Current time (UTC): 'System.DateTime'.

at void Microsoft.IdentityModel.Tokens.Validators.ValidateIssuerSecurityKey(SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters)

at void System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateIssuerSecurityKey(SecurityKey key, JwtSecurityToken securityToken, TokenValidationParameters validationParameters)

at ClaimsPrincipal System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)

at ClaimsPrincipal System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(string token, TokenValidationParameters validationParameters, out SecurityToken validatedToken)

at async Task<AuthenticateResult> UiPath.Orchestrator.Security.Auth.IdentityUser.IdentityUserAccessTokenAuthenticationHandler.HandleAuthenticateAsync()

Then there is an issue with the certificate: Orchestrator is not able to communicate with Identity and is therefore unable to get the credentials.

Perform the steps below:

  1. Renew the client certificate
  2. Log in with a domain administrator account
  3. Open the Windows Start menu and type “run” (or press Windows key + R)
  4. Type “mmc” and press Enter
  5. File > Add/Remove Snap-In
  6. Double-click “Certificates”
  7. Choose “Computer account” and click Next
  8. Choose “Local computer: (the computer this console is running on)” and click Finish
  9. Click OK to add the Certificates snap-in
  10. Expand Certificates > Personal > Certificates in the left panel
  11. Right-click the client certificate (Intended Purposes: Client Authentication)
  12. Navigate to All Tasks > Advanced Operations > Renew This Certificate with the Same Key (if your domain CA doesn’t accept this action, choose the request certificate option with the same key or a new key)
  13. Double-click the certificate, switch to the “Details” tab and scroll down to “Thumbprint”
  14. Open Windows Explorer, navigate to “<UiPath Orchestrator installation folder>\Identity” and open the file “appsettings.Production.json” in an editor such as Notepad
  15. Make sure that the “Name” value in the “AppSettings” category is set to the “Thumbprint” of the new certificate (without blanks)
  16. Open IIS Manager
  17. In the left panel, click the server name entry (not the website entry)
  18. In the right panel, click “Restart” in the “Actions” section
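
A scripted version of the checks in steps 13 to 15, as an added example that is not part of the original post or of UiPath's tooling: it reads the thumbprint from appsettings.Production.json, looks the certificate up in the Local Computer Personal store and reports whether it has expired (the IDX10249 condition). The recursive search for “Name” under “AppSettings”, the `$WarnDays` window and the function name are assumptions; the settings path must be supplied by you.

```powershell
# Added example: checks the certificate that Identity's settings file points at.
param(
    # Full path to "<UiPath Orchestrator installation folder>\Identity\appsettings.Production.json"
    [Parameter(Mandatory)] [string] $SettingsPath,
    [int] $WarnDays = 30   # assumed warning window, adjust to your renewal process
)

# Assumption: the thumbprint is stored in a property called "Name" somewhere under
# "AppSettings"; the exact nesting is not given on the page, so walk the whole subtree.
function Get-NameValue($Node) {
    if ($Node -is [System.Management.Automation.PSCustomObject]) {
        foreach ($p in $Node.PSObject.Properties) {
            if ($p.Name -eq 'Name' -and $p.Value -is [string]) { $p.Value }
            else { Get-NameValue $p.Value }
        }
    } elseif ($Node -is [System.Collections.IEnumerable] -and $Node -isnot [string]) {
        foreach ($item in $Node) { Get-NameValue $item }
    }
}

$settings = Get-Content -LiteralPath $SettingsPath -Raw | ConvertFrom-Json
$now = Get-Date

foreach ($raw in Get-NameValue $settings.AppSettings) {
    # Keep hex digits only: removes blanks and the invisible U+200E character that
    # copying from the certificate "Details" tab can put in front of the value.
    $thumb = ($raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($thumb.Length -ne 40) { continue }   # not a SHA-1 thumbprint, skip

    # "Certificates (Local Computer) > Personal" in MMC is Cert:\LocalMachine\My
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue

    $status = if (-not $cert) { 'NotInStore' }
        elseif ($cert.NotAfter -lt $now) { 'Expired' }   # the IDX10249 case
        elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) { 'ExpiresSoon' }
        else { 'OK' }

    [pscustomobject]@{
        Thumbprint         = $thumb
        StrayCharsInConfig = [bool]($raw -match '[^0-9A-Fa-f]')
        Subject            = $cert.Subject
        NotAfter           = $cert.NotAfter
        HasPrivateKey      = $cert.HasPrivateKey
        Status             = $status
    }
}
```

A row with `StrayCharsInConfig = True` means the configured value still contains blanks or hidden characters and should be re-entered as plain hex, as step 15 requires.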


Also, you may have an issue like:

2022-08-11 12:22:19.5183 UiPath.IdentityServer.Application.OrchestratorService.OrchestratorClient Cannot get tenant from Orchestrator with tenant string(name/global ID) Default.
HttpRequestException No connection could be made because the target machine actively refused it. (127.0.0.1:8888) at System.Net.Http.HttpConnectionPool.ConnectToTcpHostAsync(String host, Int32 port, HttpRequestMessage initialRequest, Boolean async, CancellationToken cancellationToken)

Cause: In my case, I had a proxy in place from Fiddler that scanned my traffic and was not allowed to connect to the Identity server.

In Orchestrator 2022.4.1, after executing the query below, the password for the impacted user admin_dummy will be 890iop

declare @tenantName nvarchar(max) = 'Default'    -- tenant the user belongs to
declare @username nvarchar(256) = 'admin_dummy'  -- impacted user
UPDATE [uipath].[identity].[AspNetUsers]
SET PasswordHash = 'ALWTidnzgaDN04zwfIjlx3ogbXNNer7/QbO9y3Q4LV/MLY+2TaazMLEggpO8/b7/Kg==',
    IsFirstLogin = 1
WHERE Id = (
    -- Resolve the user's Id through the partition that belongs to the named tenant
    SELECT anu.Id
    FROM [uipath].[identity].[AspNetUsers] anu
    JOIN [uipath].[identity].[Partitions] p ON p.Id = anu.MasterPartitionId
    JOIN [uipath].[identity].[Tenants_Deprecated] t ON t.[PartitionId] = p.Id
    WHERE anu.UserName = @username
      AND t.[Name] = @tenantName
)