How To Add Application Pool User To Certificate Private Key


Issue Description: After installing Orchestrator 20.4 or later, attempting to log on fails with an "Internal Server Error".

Alternatively, the error shown may simply read "Specified file does not exist".

Also check the Event Viewer logs. The following error may be recorded there:

2020-06-23 10:22:11.5619 UiPath.IdentityServer.Web.Middleware.ExceptionHandlingMiddleware An error has occurred. WindowsCryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider)

Identity token signing certificate does not have a private key.

Resolution: During and after Orchestrator installation, private-key-related errors appear if the application pool user has not been granted access to the private key of the certificate bound to the Orchestrator website. Grant that access either manually or with the PowerShell script below.

  • Manually
  1. Identify the certificate used in the Orchestrator website's HTTPS binding (IIS Manager -> Sites -> Orchestrator site -> Bindings).
  2. Go to Windows -> type "run" -> mmc.
  3. Once the mmc window is up -> Add Snap-in -> Certificates -> Computer account -> Local Computer.
  4. Go to Personal -> Certificates -> select the certificate used by the Orchestrator website.
  5. Right-click the certificate -> All Tasks -> Manage Private Keys -> Add the group "IIS_IUSRS".
  • Via PowerShell script
    # Grants IIS_IUSRS access to the private key file of the certificate bound to the Orchestrator site.
    # Run in an elevated PowerShell session on the Orchestrator server.
    Import-Module WebAdministration
    $siteName = 'UiPath Orchestrator'

    # Find the HTTPS binding of the site and the certificate it uses
    $binding = (Get-ChildItem -Path IIS:\SSLBindings | Where-Object Sites -eq $siteName)[0]
    $certLoc = "cert:\LocalMachine\MY\$($binding.Thumbprint)"
    $cert = Get-Item $certLoc

    # Resolve the key container file. This path applies to legacy CSP (CryptoAPI) keys;
    # for CNG keys $cert.PrivateKey.CspKeyContainerInfo is $null and the key lives under
    # $env:ProgramData\Microsoft\Crypto\Keys instead.
    $keyPath = $env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys\"
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFullPath = $keyPath + $keyName

    # Add an Allow ACE for IIS_IUSRS. Read access is the minimum needed to use the key for signing;
    # this script grants Full control as in the original instructions.
    $acl = (Get-Item $keyFullPath).GetAccessControl('Access')
    $permission = "IIS_IUSRS", "Full", "Allow"
    $accessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
    $acl.AddAccessRule($accessRule)
    Set-Acl -Path $keyFullPath -AclObject $acl
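Before (or after) changing the ACL, it is useful to confirm which key file actually backs the bound certificate and whether the pool identity can already read it; the stack trace above comes from CngKey.Open, so the certificate may well hold a CNG key rather than a legacy CSP key, which the script above does not resolve. The following read-only check is an added example written for this article, not UiPath's own script. It assumes the site name 'UiPath Orchestrator' and the identity 'IIS_IUSRS' (pass 'IIS AppPool\<pool name>' instead if the pool runs under its own virtual account); the key directories under %ProgramData%\Microsoft\Crypto are the standard Windows machine-key locations.

```powershell
# Added example: locate the private key file behind the Orchestrator site's TLS certificate
# (CSP or CNG) and report whether a given identity holds at least Read on it. Read-only: it
# changes nothing. Assumed inputs: site 'UiPath Orchestrator', identity 'IIS_IUSRS'.
Import-Module WebAdministration

function Get-PrivateKeyFilePath {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    if (-not $Certificate.HasPrivateKey) {
        throw "Certificate $($Certificate.Thumbprint) has no private key in this store."
    }
    $cryptoRoot = Join-Path $env:ProgramData 'Microsoft\Crypto'

    # Legacy CSP (CryptoAPI) keys: container file under ...\Crypto\RSA\MachineKeys
    $csp = $Certificate.PrivateKey
    if ($csp -and $csp.CspKeyContainerInfo) {
        return Join-Path $cryptoRoot ('RSA\MachineKeys\' + $csp.CspKeyContainerInfo.UniqueKeyContainerName)
    }

    # CNG keys (what CngKey.Open in the log refers to): key file under ...\Crypto\Keys
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path $cryptoRoot ('Keys\' + $rsa.Key.UniqueName)
    }
    throw "Could not determine the key container for $($Certificate.Thumbprint)."
}

function Test-PrivateKeyAccess {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$Identity   # e.g. 'IIS_IUSRS' or 'IIS AppPool\UiPath Orchestrator'
    )
    $binding = Get-ChildItem -Path IIS:\SSLBindings |
        Where-Object { $_.Sites -contains $SiteName } | Select-Object -First 1
    if (-not $binding) { throw "No HTTPS binding found for site '$SiteName'." }

    $cert = Get-Item "cert:\LocalMachine\MY\$($binding.Thumbprint)"
    $keyFile = Get-PrivateKeyFilePath -Certificate $cert

    if (-not (Test-Path -LiteralPath $keyFile)) {
        # Missing key file is the state behind "The system cannot find the file specified":
        # the certificate must be re-imported with its private key, an ACL change will not help.
        return [pscustomobject]@{ Thumbprint = $cert.Thumbprint; KeyFile = $keyFile; Exists = $false; HasRead = $false; Acl = $null }
    }

    $readRights = [System.Security.AccessControl.FileSystemRights]::Read
    $acl = Get-Acl -LiteralPath $keyFile
    $hasRead = $false
    foreach ($ace in $acl.Access) {
        # Match the short or domain-qualified name ('BUILTIN\IIS_IUSRS', 'IIS AppPool\x').
        $nameMatches = ($ace.IdentityReference.Value -eq $Identity) -or
                       ($ace.IdentityReference.Value -like "*\$Identity")
        if ($ace.AccessControlType -eq 'Allow' -and $nameMatches -and
            (($ace.FileSystemRights -band $readRights) -eq $readRights)) {
            $hasRead = $true
        }
    }
    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; KeyFile = $keyFile; Exists = $true; HasRead = $hasRead; Acl = $acl.Access }
}

# Usage (elevated PowerShell on the Orchestrator server):
Test-PrivateKeyAccess -SiteName 'UiPath Orchestrator' -Identity 'IIS_IUSRS' | Format-List
```

If the output shows Exists = False, the certificate was imported without an exportable/persisted private key and must be re-imported before any permission change is meaningful; if Exists = True and HasRead = False, apply the manual steps or the script above, then re-run the check. The function only requires Read, which is all that signing needs, so a result of HasRead = True with a narrower ACE than Full control is a valid, least-privilege configuration.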

Refer to Identity Server Troubleshooting - Keyset Does Not Exist.