What to do when accessing the Orchestrator and logging in an Unauthorized exception is displayed for various requests?
Issue description:
After logging in to Orchestrator, an Unauthorized (HTTP 401) response is returned for various requests, and the Identity Server log contains the following exception (the kid and token values are masked as PII by the IdentityModel library):

Exception occurred while processing message.
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key:
kid: '[PII is hidden. For more details see https://aka.ms/IdentityModel/PII.]'.
Exceptions caught:
'[PII is hidden. For more details see https://aka.ms/IdentityModel/PII.]'.
token: '[PII is hidden. For more details see https://aka.ms/IdentityModel/PII.]'.
at JwtSecurityToken System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(string token, TokenValidationParameters validationParameters)
at ClaimsPrincipal System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(string token, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
at ClaimsPrincipal Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.ValidateToken(string idToken, AuthenticationProperties properties, TokenValidationParameters validationParameters, out JwtSecurityToken jwt)

IDX10501 means the node validating the token could not find, in the JSON Web Key Set (JWKS) it fetched from Identity Server, a key whose "kid" matches the one in the token header. In a multi-node deployment this typically happens when the nodes do not all sign with the same certificate, so a token issued by one node cannot be validated by another.
Validation/Troubleshooting steps:
To validate the signing certificate:
1. Shut down all but one Orchestrator node, so that the JWKS you fetch through the load balancer is known to come from that single node.
2. Browse to https://ORCHESTRATOR/identity/.well-known/openid-configuration/jwks. The "kid" value in the response must match the certificate THUMBPRINT configured in appsettings.Production.json on that node. Repeat for each node in turn; the kid must be the same on every node, because a token signed by one node is validated by whichever node receives the next request.
Resolution:
- Ensure the same certificate (with its private key) is imported into the LocalMachine Personal and Trusted Root Certification Authorities stores in the certificate manager on all nodes. See: Importing the SAN Self-Signed Certificate to Other Machines.
- Ensure the "IdentityServerAddress" value is identical in the appsettings.Production.json file on all Orchestrator nodes.
- Update appsettings.Production.json so that every Orchestrator node uses the same certificate thumbprint under "SigningCredentialSettings".
Example:
"AppSettings": {
    "IdentityServerAddress": "https://ORCHESTRATOR/identity",
    "SigningCredentialSettings": {
        "StoreLocation": {
            "Name": "THUMBPRINT",
            "Location": "LocalMachine",
            "NameType": "Thumbprint"
        }
    }
}
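The following PowerShell script is an added example, not part of the original article or of UiPath's own tooling. Run it on each Orchestrator node to perform the validation and resolution checks above in one pass: it reads the thumbprint and IdentityServerAddress from appsettings.Production.json, queries that node's own JWKS endpoint directly (by node name, bypassing the load balancer, so no node has to be shut down), and confirms the certificate is present in the LocalMachine Personal store with a private key and in the Trusted Root store. The default file path and the use of the node's computer name as the hostname are assumptions; adjust them to your installation.

```powershell
# Added example (not from the original article). Checks one Orchestrator node for the
# IDX10501 root causes described above. Paths and hostnames below are assumptions.
param(
    # Assumed location of the Identity Server settings file on an Orchestrator node.
    [string]$AppSettingsPath = 'C:\Program Files (x86)\UiPath\Orchestrator\Identity\appsettings.Production.json',
    # Query this node directly so the JWKS is not served by a peer behind the load balancer.
    [string]$NodeHost = $env:COMPUTERNAME
)

$settings   = Get-Content -Raw -Path $AppSettingsPath | ConvertFrom-Json
$identity   = $settings.AppSettings.IdentityServerAddress
# Thumbprints in the Windows cert store are uppercase hex without spaces; normalise for comparison.
$thumbprint = ($settings.AppSettings.SigningCredentialSettings.StoreLocation.Name -replace '\s', '').ToUpperInvariant()

Write-Host "Node                  : $NodeHost"
Write-Host "IdentityServerAddress : $identity"
Write-Host "Configured thumbprint : $thumbprint"

# 1. Does this node publish a signing key whose kid matches the configured thumbprint?
$jwksUri = "https://$NodeHost/identity/.well-known/openid-configuration/jwks"
try {
    $jwks = Invoke-RestMethod -Uri $jwksUri -Method Get
    $kids = @($jwks.keys | ForEach-Object { $_.kid.ToUpperInvariant() })
    Write-Host "JWKS kid(s)           : $($kids -join ', ')"
    if ($kids -contains $thumbprint) {
        Write-Host "OK   JWKS kid matches the configured thumbprint."
    } else {
        Write-Warning "JWKS kid does not match the configured thumbprint. Tokens issued by this node will fail with IDX10501 on nodes that use a different key."
    }
} catch {
    Write-Warning "Could not fetch $jwksUri : $($_.Exception.Message)"
}

# 2. Is the certificate installed where Identity Server expects it?
$personal = Get-ChildItem -Path 'Cert:\LocalMachine\My'   | Where-Object { $_.Thumbprint -eq $thumbprint }
$root     = Get-ChildItem -Path 'Cert:\LocalMachine\Root' | Where-Object { $_.Thumbprint -eq $thumbprint }

if (-not $personal) {
    Write-Warning "Certificate $thumbprint is not in LocalMachine\Personal; Identity Server cannot sign tokens with it."
} elseif (-not $personal.HasPrivateKey) {
    Write-Warning "Certificate $thumbprint is in LocalMachine\Personal but has no private key; signing will fail."
} else {
    Write-Host "OK   Certificate present in LocalMachine\Personal with a private key (expires $($personal.NotAfter))."
}

if (-not $root) {
    Write-Warning "Certificate $thumbprint is not in LocalMachine\Trusted Root Certification Authorities."
} else {
    Write-Host "OK   Certificate present in LocalMachine\Trusted Root Certification Authorities."
}
```

Run the script on every node and compare the outputs: the configured thumbprint, the JWKS kid and the IdentityServerAddress must be identical across all of them. If the node's own hostname is not in the certificate's Subject Alternative Names, the JWKS request will fail TLS validation; on PowerShell 7 you can add -SkipCertificateCheck to Invoke-RestMethod for this diagnostic only. Do not work around IDX10501 by relaxing signature validation in Orchestrator or Identity Server; the fix is to make every node sign with, and trust, the same certificate.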