This is an attempt to clone an Orchestrator instance. For this I have copied the Orchestrator source database and run a new Orchestrator installation on a new machine against the database copy. I have run my Orchestrator installation using the method below. The method was suggested to me by the UiPath (AI) assistant before I submitted a support case to UiPath.
Generate a parametersFile.json file on the current Orchestrator machine with the Generate-ParametersFile.ps1 script and copy it to the new machine
Copy the UiPath.Orchestrator.dll.config file to the new machine
Run UiPathOrchestrator.msi from the command line like this “PS C:\script\UiPath> .\UiPathOrchestrator.msi SECONDARY_NODE=1 PARAMETERS_FILE=ParametersFile.json /passive”.
Put the files, including the msi, in the same folder. (I put them in C:\script\UiPath)
Before running UiPathOrchestrator.msi I had updated the parametersFile.json and UiPath.Orchestrator.dll.config to point to the database copy of the source database.
So, now I have an installed Orchestrator running against a fully populated database. However, I get the error message below in the web browser for the login page https:///identity/
“Error while contacting partition service to validate the organization (#503)”.
From consulting ChatGPT I have understood that the partition service is a tenant validating component within the Identity Server.
Does any of you have an idea how to solve this error?
Sorry, the order of these two steps was of course:
Put the files, including the msi, in the same folder. (I put them in C:\script\UiPath)
Run UiPathOrchestrator.msi from the command line like this “PS C:\script\UiPath> .\UiPathOrchestrator.msi SECONDARY_NODE=1 PARAMETERS_FILE=ParametersFile.json /passive”.
Yes, the “OrchestratorUrl” setting is updated in Identity Server's appsettings.Production.json file to the new Orchestrator. The issue is still present though.
Looking at the logs, they indicate a problem in the communication between Identity Server and Orchestrator. Orchestrator seems not to accept the token that Identity Server sends.
2025-05-10 11:50:05.9757|ERROR|UiPath.Orchestrator.Security.Auth.IdentityUser.IdentityUserAccessTokenAuthenticationHandler|Authentication failed
2025-05-10 11:50:06.0310|INFO|UiPath.Orchestrator.Security.Auth.IdentityOAuth.IdentityOAuthAccessTokenAuthenticationHandler|Audience for token is invalid. IDX10214: Audience validation failed. Audiences: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. Did not match: validationParameters.ValidAudience: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' or validationParameters.ValidAudiences: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
From EventViewer I’ve found this at roughly the same timestamp. Excerpt:
2025-05-10 11:50:06.0452 UiPath.IdentityServer.Web.Middleware.ExceptionHandlingMiddleware Error while contacting partition service to validate the organization
PartitionLookupException Got exception while deserializing response from OrchestratorClient:GetTenantsAsync. Error details: OrchestratorClient:GetTenantsAsync returns unexpected status code: Unauthorized at UiPath.IdentityServer.Application.OrchestratorService.OrchestratorClient.GetTenantAsyncHelper(Guid tenantKey, String tenantName)
at UiPath.IdentityServer.Application.OrchestratorService.OrchestratorClient.GetTenantAsync(String name)
at UiPath.IdentityServer.Application.Services.OrchestratorBasedPartitionLookupService.GetPartitionByNameAsync(String name)
at UiPath.IdentityServer.Application.Services.AuthenticationInformationService.GetOrganizationProvidersAsync(String organizationName)
at UiPath.IdentityServer.Web.Controllers.API.AuthenticationInformationController.GetAuthenticationProviders(String organizationName)
at lambda_method410(Closure , Object )
…
but the PII data has not shown up yet in the log file and no events have been logged to Event Viewer. Also ChatGPT instructed me to set this Windows system environment variable:
Haven’t written here for almost two weeks but things have happened with this problem. I managed to unhide the PII data with this entry in UiPath.Orchestrator.dll.config.
<add key="ExternalAuth.ShowPII" value="true" />
With the data visible the error message looked like this:
2025-05-13 17:39:52.9478|ERROR|UiPath.Orchestrator.Security.Auth.IdentityUser.IdentityUserAccessTokenAuthenticationHandler|Authentication failed
2025-05-13 17:39:54.0222|INFO|UiPath.Orchestrator.Security.Auth.IdentityOAuth.IdentityOAuthAccessTokenAuthenticationHandler|Audience for token is invalid. IDX10214: Audience validation failed. Audiences: 'OrchestratorApiUserAccess'. Did not match: validationParameters.ValidAudience: 'UiPath.Orchestrator' or validationParameters.ValidAudiences: 'null'.
I showed this mismatch to UiPath support but they showed no interest in investigating why it had happened or what configuration was causing it. Instead I had to solve it all on my own. What I did was to change Orchestrator's expectation of the audience to match what the token contained. I solved it with this change in UiPath.Orchestrator.dll.config.
After this I could log in to the Orchestrator Web.
I still want to find out why this mismatch occurred and what configuration is causing it. In my other Orchestrator environment, the source for the new one, I don't have it.
I really would like to know how the audience claim in Identity Server tokens is determined. What is the source for the audience in the token: is it some setting in Identity Server's configuration files, or is it some entry in the Identity schema tables in the database? (How is the audience derived?)
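The IDX10214 line above is the only hard evidence in this thread, so it is worth being able to reproduce the check it reports. The script below is an added example, not code from the original posts and not UiPath's or Microsoft.IdentityModel's implementation: it builds a constructed token carrying the same aud value the log showed (OrchestratorApiUserAccess), decodes it without signature verification the way you would read a token copied from a log or a browser request, and applies the audience rule the error message describes (at least one aud value must equal ValidAudience or appear in ValidAudiences). The token is signed with HS256 under a made-up key purely so the example runs offline; real Identity Server tokens are signed with its own key material, so verify_hs256 here only demonstrates the signature step, it will not validate a genuine token. The issuer, subject and key are all constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for the self-contained example. Identity Server does not sign
# tokens with this; it exists only so the sample token has a checkable signature.
SAMPLE_KEY = b"constructed-example-key-not-from-any-identity-server"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(aud, key=SAMPLE_KEY):
    """Build a constructed JWT whose aud claim mirrors the one seen in the log."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": "https://orchestrator.example.invalid/identity",  # constructed issuer
        "sub": "constructed-user",
        "aud": aud,  # a string or a list, both are legal for the aud claim
    }
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def decode_unverified(token):
    """Return (header, payload) WITHOUT checking the signature.

    Diagnostic use only: this is how you read the aud claim out of a token
    you copied from a log or a browser request to compare it with the config.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def verify_hs256(token, key):
    """Check the HS256 signature of the constructed token (constant-time compare)."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def validate_audience(payload, valid_audience=None, valid_audiences=None):
    """Audience rule as the IDX10214 message describes it.

    Passes if at least one aud value equals ValidAudience or appears in
    ValidAudiences. Returns (ok, reason); reason is shaped like the log line
    so the two can be compared side by side.
    """
    aud = payload.get("aud")
    token_auds = [aud] if isinstance(aud, str) else list(aud or [])
    allowed = set(valid_audiences or [])
    if valid_audience:
        allowed.add(valid_audience)
    if any(a in allowed for a in token_auds):
        return True, ""
    shown_list = "null" if valid_audiences is None else ", ".join(valid_audiences)
    return False, (
        f"Audience validation failed. Audiences: '{', '.join(token_auds)}'. "
        f"Did not match: validationParameters.ValidAudience: '{valid_audience}' "
        f"or validationParameters.ValidAudiences: '{shown_list}'."
    )


def check_token_against_config(token, valid_audience, valid_audiences=None):
    """Decode a token and report whether the audience rule would accept it."""
    _, payload = decode_unverified(token)
    return validate_audience(payload, valid_audience, valid_audiences)


if __name__ == "__main__":
    # The mismatch from the thread: token says OrchestratorApiUserAccess,
    # config expects UiPath.Orchestrator.
    token = make_sample_token("OrchestratorApiUserAccess")
    print(check_token_against_config(token, valid_audience="UiPath.Orchestrator"))
    # The accepting configuration, where the expected audience matches the token.
    print(check_token_against_config(token, valid_audience="OrchestratorApiUserAccess"))
```

To use it on a real token, paste the token into decode_unverified and compare payload["aud"] with the audience configured on the Orchestrator side; the mismatch is a configuration question on one side or the other, and decoding the token tells you which value each side actually holds.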