Good afternoon.
After installing a new certificate, the orchestrator refuses to log in to the account and issues an error (Invalid credentials (#MTI_7)). I installed the mmc certificate and placed the fingerprint in appsettings.Production.json. After I restarted IIS, access to the orchestrator disappeared. Please help me figure out what the reason is; tech support refused to help.
Any reason why tech support refused to help?
Is that UiPath tech support? Also, you can check the Event Viewer on the Orchestrator server to see the error logs you are facing.
No, they just wrote: We have received your support request. This notification is intended to inform you that Ui Path can no longer provide support services. No exceptions will be made. Thank you for your understanding.
The main error in the EventLog:
2023-05-11 15:38:07.2239 UiPath.IdentityServer.Web.Middleware.ExceptionHandlingMiddleware The system cannot find the file specified.
WindowsCryptographicException: The system cannot find the file specified.
at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
at Internal.Cryptography.Pal.CertificatePal.GetPrivateKey[T](Func2 createCsp, Func2 createCng)
at Internal.Cryptography.Pal.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate1 matchesConstraints)
at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PrivateKey()
at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PrivateKeyStatus()
at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(SecurityKey key, String algorithm, Boolean willCreateSignatures)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures, Boolean cacheProvider)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForSigning(SecurityKey key, String algorithm, Boolean cacheProvider)
at Microsoft.IdentityModel.JsonWebTokens.JwtTokenUtilities.CreateEncodedSignature(String input, SigningCredentials signingCredentials)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.WriteToken(SecurityToken token)
at IdentityServer4.Services.DefaultTokenCreationService.CreateJwtAsync(JwtSecurityToken jwt)
at IdentityServer4.Services.DefaultTokenCreationService.CreateTokenAsync(Token token)
at IdentityServer4.Services.DefaultTokenService.CreateSecurityTokenAsync(Token token)
at IdentityServer4.ResponseHandling.TokenResponseGenerator.CreateAccessTokenAsync(ValidatedTokenRequest request)
at IdentityServer4.ResponseHandling.TokenResponseGenerator.ProcessTokenRequestAsync(TokenRequestValidationResult validationResult)
at IdentityServer4.ResponseHandling.TokenResponseGenerator.ProcessAsync(TokenRequestValidationResult request)
at IdentityServer4.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context)
at IdentityServer4.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context)
at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)
at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)
at IdentityServer4.Hosting.MutualTlsEndpointMiddleware.Invoke(HttpContext context, IAuthenticationSchemeProvider schemes)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context)
at UiPath.IdentityServer.Web.Middleware.ScaleUnitRoutingMiddleware.InvokeAsync(HttpContext httpContext)
at UiPath.IdentityServer.Web.Middleware.OrgLevelIssuerMiddleware.InvokeAsync(HttpContext httpContext, ITargetedFeatureFlagService targetedFeatureFlagService, IOptionsSnapshot1 appSettings)
at UiPath.IdentityServer.Web.Middleware.PublicOriginMiddleware.Invoke(HttpContext context)
at UiPath.IdentityServer.Web.Middleware.ExceptionHandlingMiddleware.InvokeAsync(HttpContext httpContext)
Hi @111963 ,
Seems like the updated certificate might not have a keyset for the IIS App-Pool user. This often happens when you import/install a new certificate.
Please follow the steps below. Also make sure to perform an IISRESET in cmd prompt after executing these steps:
Check the certificate which is used in Orchestrator website bindings.
Go to Windows → type “run” → mmc
Once the mmc window is up → Add Snap-in → Add certificate → Local Computer
Go to Personal → Certificate → Select the certificate which is used by Orchestrator website.
Right Click Certificate → All tasks → Manage Private keys → Add group “IIS_USRS”*
*Note: It is possible that the group may be named “IIS_IUSRS” and can be located on your local machine instead of the domain. Please verify location when adding the group.
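The same check as the "Manage Private Keys" dialog, scripted: an added example, not part of the original posts and not UiPath code. It assumes an RSA key, an elevated Windows PowerShell session on the Orchestrator server, and a hypothetical function name; the thumbprint shown is a placeholder for the value in appsettings.Production.json.

```powershell
# Added example (assumptions: RSA key, elevated session, certificate in LocalMachine\My).
function Test-CertPrivateKeyAccess {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,  # same value as in appsettings.Production.json
        [string]$Account = 'IIS_IUSRS',             # or the app pool identity, e.g. 'IIS AppPool\<pool name>'
        [switch]$Grant                              # add a Read ACE when it is missing
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key attached; re-import it from the PFX."
    }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($null -eq $rsa) { throw 'No RSA private key found (this example handles RSA keys only).' }

    # CNG keys and legacy CSP keys are stored in different folders under ProgramData.
    $crypto = Join-Path $env:ProgramData 'Microsoft\Crypto'
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
        $dirs = @((Join-Path $crypto 'Keys'), (Join-Path $crypto 'RSA\MachineKeys'))
    } else {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $dirs = @(Join-Path $crypto 'RSA\MachineKeys')
    }
    $file = $dirs | ForEach-Object { Join-Path $_ $name } |
        Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $file) { throw "Key container '$name' was not found on disk." }

    # Look for an Allow/Read ACE naming the account directly (group membership is not expanded).
    $sid  = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier])
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $acl  = Get-Acl -Path $file
    $hasRead = [bool]($acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value -and
                       $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -band $read) -eq $read })

    if (-not $hasRead -and $Grant) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $read, 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $file -AclObject $acl
        $hasRead = $true
    }
    [pscustomobject]@{ Subject = $cert.Subject; KeyFile = $file; Account = $Account; CanRead = $hasRead }
}

# Report only; add -Grant to apply the fix, then restart IIS.
Test-CertPrivateKeyAccess -Thumbprint '<THUMBPRINT-PLACEHOLDER>'
```

Granting Read only, to the specific app pool identity where possible, keeps the signing key readable by no more accounts than the site needs.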