IDX10501: Signature validation failed. Unable to match key

What to do when, after accessing the Orchestrator and logging in, an Unauthorized exception is displayed for various requests?

Issue description:

After accessing the Orchestrator and logging in, an Unauthorized exception is displayed for various requests. The Identity Server log shows the following:

Exception occurred while processing message. Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match key:
kid: '[PII is hidden. For more details see https://aka.ms/IdentityModel/PII.]'.
Exceptions caught:
'[PII is hidden. For more details see https://aka.ms/IdentityModel/PII.]'.
token: '[PII is hidden. For more details see https://aka.ms/IdentityModel/PII.]'.
at JwtSecurityToken System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(string token, TokenValidationParameters validationParameters)
at ClaimsPrincipal System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(string token, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
at ClaimsPrincipal Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.ValidateToken(string idToken, AuthenticationProperties properties, TokenValidationParameters validationParameters, out JwtSecurityToken jwt)

Validation/Troubleshooting steps:

To validate the certificate:

1. Shut down all but one Orchestrator node.

2. Browse to https://ORCHESTRATOR/identity/.well-known/openid-configuration/jwks. The "kid" of the signing key served there needs to match the THUMBPRINT configured in appsettings.Production.json, and it should be the same across all Orchestrator nodes. Repeat the check on each node so that every node is known to serve the same key.
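The comparison in step 2 is easy to get wrong by eye on a multi-node deployment (thumbprints copied from the Windows certificate manager often carry spaces and mixed case). The script below is an added example, not UiPath's code: it takes the JWKS document of each node and that node's appsettings.Production.json, normalizes both values, and reports which nodes' "kid" does not match their configured thumbprint, which nodes serve a different key from the rest, and whether "IdentityServerAddress" agrees everywhere. The node names, thumbprints, and the scenario in which node-c still serves an old key are constructed sample data; the assumption that "kid" equals the certificate thumbprint is the one this page states. jwt_header_kid only decodes the header of a rejected token to see which key it names; it verifies nothing. fetch_jwks is a live helper for step 2 and is not used by the sample run.

```python
"""Added diagnostic for IDX10501 on multi-node Orchestrator (example code, not UiPath's)."""
import base64
import json
import urllib.request

THUMB_A = "AB12CD34EF56AB12CD34EF56AB12CD34EF56AB12"  # constructed sample thumbprint
THUMB_C = "9" * 40                                     # constructed: stale key still served by node-c

# Constructed sample JWKS documents, one per node, in the shape served at
# https://ORCHESTRATOR/identity/.well-known/openid-configuration/jwks
SAMPLE_JWKS = {
    "node-a": {"keys": [{"kty": "RSA", "use": "sig", "kid": THUMB_A, "e": "AQAB", "n": "<modulus>"}]},
    "node-b": {"keys": [{"kty": "RSA", "use": "sig", "kid": THUMB_A.lower(), "e": "AQAB", "n": "<modulus>"}]},
    "node-c": {"keys": [{"kty": "RSA", "use": "sig", "kid": THUMB_C, "e": "AQAB", "n": "<modulus>"}]},
}


def _appsettings(address, thumbprint):
    """Constructed appsettings.Production.json fragment using the keys shown on this page."""
    return {"AppSettings": {
        "IdentityServerAddress": address,
        "SigningCredentialSettings": {"StoreLocation": {
            "Name": thumbprint, "Location": "LocalMachine", "NameType": "Thumbprint"}}}}


SAMPLE_APPSETTINGS = {
    "node-a": _appsettings("https://ORCHESTRATOR/identity", THUMB_A),
    # thumbprint pasted from certmgr with spaces and lowercase: still the same certificate
    "node-b": _appsettings("https://ORCHESTRATOR/identity", "ab12 cd34 ef56 ab12 cd34 ef56 ab12 cd34 ef56 ab12"),
    # constructed scenario: appsettings updated to the shared thumbprint, but the node
    # still serves its old key and points at its own host name instead of the shared address
    "node-c": _appsettings("https://node-c/identity", THUMB_A),
}


def normalize_thumbprint(value):
    """Canonical form for comparison: uppercase hex with all whitespace removed."""
    return "".join(value.split()).upper()


def signing_kids(jwks):
    """kids of keys usable for signature verification ("use" == "sig" or unspecified)."""
    return {normalize_thumbprint(k["kid"]) for k in jwks.get("keys", [])
            if "kid" in k and k.get("use", "sig") == "sig"}


def configured_thumbprint(appsettings):
    store = appsettings["AppSettings"]["SigningCredentialSettings"]["StoreLocation"]
    if store.get("NameType") != "Thumbprint":
        raise ValueError("StoreLocation.NameType is not 'Thumbprint'; cannot compare it with kid")
    return normalize_thumbprint(store["Name"])


def configured_identity_address(appsettings):
    return appsettings["AppSettings"]["IdentityServerAddress"].rstrip("/").lower()


def check_node(name, jwks, appsettings):
    """Per-node check from step 2: does the served kid match the configured thumbprint?"""
    kids = signing_kids(jwks)
    thumbprint = configured_thumbprint(appsettings)
    return {"node": name, "kids": kids, "thumbprint": thumbprint,
            "identity_address": configured_identity_address(appsettings),
            "kid_matches_thumbprint": thumbprint in kids}


def check_cluster(jwks_by_node, appsettings_by_node):
    """Cluster-wide view: every node must serve the same key and share one identity address."""
    reports = [check_node(n, jwks_by_node[n], appsettings_by_node[n]) for n in sorted(jwks_by_node)]
    kid_to_nodes = {}
    for r in reports:
        for kid in r["kids"]:
            kid_to_nodes.setdefault(kid, []).append(r["node"])
    return {
        "nodes": reports,
        "kid_to_nodes": kid_to_nodes,
        "consistent_kid": len(kid_to_nodes) == 1,
        "consistent_thumbprint": len({r["thumbprint"] for r in reports}) == 1,
        "consistent_identity_address": len({r["identity_address"] for r in reports}) == 1,
        "problem_nodes": [r["node"] for r in reports if not r["kid_matches_thumbprint"]],
    }


def jwt_header_kid(token):
    """kid named in a JWT header. Reads the header only and performs no signature
    verification; its sole purpose is matching a rejected token against the JWKS above."""
    header = token.split(".")[0]
    header += "=" * (-len(header) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(header)).get("kid")


# Constructed token: the header names node-c's key, "e30" is base64url of "{}", and the
# third segment is a placeholder, so this token verifies nowhere.
SAMPLE_TOKEN = (base64.urlsafe_b64encode(json.dumps({"alg": "RS256", "kid": THUMB_C}).encode())
                .rstrip(b"=").decode() + ".e30.placeholder-signature")


def fetch_jwks(orchestrator_base_url):
    """Live variant of step 2: fetch the JWKS document from one node (not used by the sample run)."""
    url = orchestrator_base_url.rstrip("/") + "/identity/.well-known/openid-configuration/jwks"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    result = check_cluster(SAMPLE_JWKS, SAMPLE_APPSETTINGS)
    print(json.dumps({k: v for k, v in result.items() if k != "nodes"}, indent=2, default=sorted))
    kid = jwt_header_kid(SAMPLE_TOKEN)
    print("rejected token was signed with kid", kid, "served by", result["kid_to_nodes"].get(kid))
```

On a real deployment, replace SAMPLE_JWKS with the output of fetch_jwks for each node and SAMPLE_APPSETTINGS with the parsed appsettings.Production.json from each node; a node listed in "problem_nodes" or a "kid_to_nodes" map with more than one entry is the node whose certificate or configuration still needs the fixes listed under Resolution.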


Resolution:

  • Ensure the correct certificate is imported into both the Personal and the Trusted Root Certification Authorities stores of the certificate manager on all nodes - see Importing the SAN Self-Signed Certificate to Other Machines
  • Ensure the "IdentityServerAddress" value matches in the appsettings.Production.json file on all Orchestrator nodes
  • Update appsettings.Production.json so that the same certificate thumbprint is configured on each Orchestrator node.

Example:

"AppSettings": {
  "IdentityServerAddress": "https://ORCHESTRATOR/identity",
  "SigningCredentialSettings": {
    "StoreLocation": {
      "Name": "THUMBPRINT",
      "Location": "LocalMachine",
      "NameType": "Thumbprint"
    }
  }
}