Our Orchestrator SSL cert was expired. We had to renew the expired cert and update our Orchestrator config file with the thumbprint from the cert.
I Understand you are getting the error “Get Asset: You are not authenticated! Error code: 0” after an upgrade. Please find below a step by step guide on how to troubleshoot this issue.
- The most common cause of this issue is that the Signing certificate for the Identity Server is expired. Typically this arises when the same certificate was configured for SSL and signing. The SSL certificate is updated when it expires, but the reference the Identity Server has to the SSL certificate was never updated.
- Open C:\Program Files (x86)\UiPath\Orchestrator\Identity\appsettings.Production.json
- Look for the certificate thumbprint section
- Open certlm.msc
- Go to the personal node and check to see which certificate contains the given thumbprint
- If the thumbprint is for an expired certificate, see the section ‘Update Signing Certificate’
- If the signing certificate is not expired, then there is some other configuration issue with the Identity Server and Orchestrator. By default Orchestrator will hide the specific error. This is a security measure (For more details see the section: Why the Configuration Error is Hidden). To expose the error, do the following:
- Enable PII needs to be set for true in both the UiPath.Orchestrator.dll.config and the appsettings.production.json
- After the two settings are enabled, recycle the Orchestrator and Identity Server application pool or from the command line execute: iisreset
- iisreset will stop the application temporarily and will cause a few seconds of downtime
- Recycling the app pool should not cause downtime
- Next, reproduce the issue and then check the Orchestrator Event Viewer logs. There should be more information about the issue. If unsure what the error means, please share it with UiPath Support.
Update Signing Certificate
In most environments, the Identity Server is using the same certificate for signing tokens that is used for its and Orchestrators SSL bindings. If this is not the case, then before proceeding, make sure that the Signing certificate is installed in the Personal node for the computer account.
- Find the thumbprint of the Orchestrator certificate
- In IIS go to that UiPath Orchestrator site
- On the right side, select ‘Bindings…’
- Select the binding and then click ‘Edit…’
- In the menu that pops up, select ‘View…’ and the lower left of the window. This will show the certificate used to bind the port for HTTPS encryption (the SSL certificate)
- In the Certificate window, go to the Details tab
- Find the thumbprint information. Copy this thumbprint
Note: For Windows 2016 and below, the thumbprint has a breaking hidden character. Make sure to remove it. See step 5 in Setting Orchestrator/ Identity Server to Use the Certificate
- Before switching the certificate make sure that the Identity Server application pool has access to the private key.
- Open certlm.msc
- Under the Personal node, find the new the certificate with the matching thumbprint
- Right click->All Tasks->Manage Private Keys
- Click Add
- Change the location to the current computer.
- Add the user ‘IIS APPPOOL\Identity’ and give the user Full control and Read
- Use the thumbprint to run the Platform Configuration Tool :
- The command to run is: C:\Program Files (x86)\UiPath\Orchestrator\Tools\UiPath.Platform.Configuration.Tool\Platform.Configuration.Tool.ps1 UpdateUiPathCertificate -NewTokenSigningThumbprint -SiteName UiPathOrchestrator
- Verify that the issue no longer occurs.
Why the Configuration Error is Hidden
The OpenId Connect protocol is very common and allows for applications to use third parties for authentication. For example on cloud.uipath.com the option of using Google, Microsoft or LinkedIn as the authentication source is offered. All of this is possible by using the OpenId Connect protocol.
When authenticating via a third party it is normal to disable any authentication errors by default. This is done to protect PII data (Personal Identifiable Information) which may be present in the error from being exposed.
While the Identity Server and Orchestrator do not quite represent a third party situation where PII data needs to be hidden, this functionality is still part of the underlying framework and it is hidden by default. If desired, the keys to enable the exposure of the error can remain enabled.
Please let me know if this solves the issue, I’ll be happy to help if you need further assistance!