Why can a user not log in to Orchestrator, even after the password for the Admin was reset?
After the password is reset, when a user tries to log in to Orchestrator, the error message below is displayed:
- "Invalid credentials (#MTI_7)"
Another error message is displayed if the user tries to use the “Forgot Password” option:
- “The provided partition is invalid. (#MTI_1)”
Resolution:
In order to identify the root cause of the issue, check the logs in the Event Viewer.
The Event Viewer is where Windows stores system logs. These logs sometimes contain more detailed error messages than those typically shown to the user.
If the below error occurs:
Authentication failed
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSigningKeyException: IDX10249: X509SecurityKey validation failed. The associated certificate has expired. ValidTo (UTC): 'System.DateTime', Current time (UTC): 'System.DateTime'.
at void Microsoft.IdentityModel.Tokens.Validators.ValidateIssuerSecurityKey(SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters)
at void System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateIssuerSecurityKey(SecurityKey key, JwtSecurityToken securityToken, TokenValidationParameters validationParameters)
at ClaimsPrincipal System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
at ClaimsPrincipal System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(string token, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
at async Task UiPath.Orchestrator.Security.Auth.IdentityUser.IdentityUserAccessTokenAuthenticationHandler.HandleAuthenticateAsync()
The error shows that there is an issue with the certificate (it has expired). As a result, Orchestrator is not able to communicate with Identity and is therefore unable to get the credentials.
Perform the steps below:
- Renew the client certificate
- Log in with a domain administrator account
- Open the Windows Start menu and type “run” (or press Windows key + R)
- Type “mmc” and press Enter
- File > Add/Remove Snap-In
- Double click on “Certificates”
- Choose “Computer account” and click Next
- Choose “Local Computer: (the computer this console is running on)” and click Finish
- Click OK to add the Certificates Snap-In
- Expand Certificates > Personal > Certificates in the left panel
- Right-click on the client certificate (Intended Purposes: Client Authentication)
- Navigate to All Tasks > Advanced Operations > Renew This Certificate with the Same Key (if your domain CA doesn’t accept this action, choose the request certificate option with the same key or new key)
- Double click the certificate, switch to the “Details” tab and scroll down to “Thumbprint”
- Now open Windows Explorer, navigate to “\Identity” and open the file “appsettings.Production.json” with an editor like Notepad
- Make sure that the “Name” value in the “AppSettings” category is set to the “Thumbprint” of the new certificate (without spaces)
- Open the IIS Manager
- In the left panel, click on the server name entry (NOT the website entry)
- In the right panel, click “Restart” in the “Actions” section
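
The certificate state that the steps above inspect by hand can also be checked from an elevated PowerShell prompt. This is an added example, not UiPath tooling: it lists the Client Authentication certificates in the Local Computer Personal store with their expiry status and reports whether each thumbprint appears in the Identity configuration file. The config path is a placeholder you must replace, and the 30-day warning window is an assumption.

```powershell
# Added example (not UiPath code). $IdentityConfig is a placeholder:
# point it at appsettings.Production.json in your own Identity folder.
param(
    [string]$IdentityConfig = '<path-to-Identity>\appsettings.Production.json',
    [int]$WarnDays = 30   # assumed warning window, adjust as needed
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU OID for Client Authentication
$now = Get-Date

# Certificates under Local Computer > Personal intended for Client Authentication
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid
}

# The file is searched as raw text so no assumption is made about its JSON layout
$configText = ''
if (Test-Path -LiteralPath $IdentityConfig) {
    $configText = (Get-Content -LiteralPath $IdentityConfig -Raw).ToUpper()
} else {
    Write-Warning "Config file not found: $IdentityConfig"
}

$certs | ForEach-Object {
    $status = if ($_.NotAfter -lt $now) {
        'EXPIRED'
    } elseif ($_.NotAfter -lt $now.AddDays($WarnDays)) {
        'EXPIRING SOON'
    } else {
        'OK'
    }
    [pscustomobject]@{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint      # uppercase hex, no spaces
        NotAfter      = $_.NotAfter
        Status        = $status
        HasPrivateKey = $_.HasPrivateKey
        # False for the renewed certificate means the config still holds the
        # old thumbprint, or the pasted value contains stray spaces
        InConfig      = ($configText.Length -gt 0 -and
                         $configText.Contains($_.Thumbprint))
    }
} | Sort-Object NotAfter | Format-Table -AutoSize
```

After the renewal and the IIS restart, the expected result is one row with Status `OK` and InConfig `True`; an `EXPIRED` row with InConfig `True` matches the IDX10249 error shown above.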