Why is the Orchestrator redirecting indefinitely and failing to load after the recent upgrade?
Issue description:
Sometimes, an issue might be experienced after an upgrade wherein the Orchestrator keeps loading indefinitely without throwing any specific errors and eventually becomes inaccessible.
This would appear something like the below:
Error:
- An error in the following format can be seen in the address bar:
[OrchestratorURL]/portal_/autherror?error=Invalid%20response%20Content-Type:%20text/html,%20from%20URL:%20[OrchestratorURL]/identity/.well-known/openid-configuration.
- The network trace would also show an "Invalid response".
- Assessing a HAR trace, an "ERR_ABORTED" 500 error may be observed.
- The application event logs on the Orchestrator Server may not be very descriptive of the root cause of the issue. However, in some cases, a generic error like the following may be encountered:
Diagnosis and Root Cause:
Since the error URL contains "identity/.well-known/openid-configuration", it potentially points to an issue with the Identity Server; more specifically, an IIS setting causing the Identity Server to fail. The Identity Server-specific configuration should be checked in the IIS.
- Launch the IIS and open the Identity section:
- Upon opening the "HTTP Response Headers", an error that points to the "X-Content-Type-Options" header and the "Identity\web.config" may be seen, as shown below:
- The issue essentially occurs because the "X-Content-Type-Options" header which is already present in the applicationHost.config file (C:\Windows\System32\inetsrv\config) seems to be getting added to the Identity "web.config" (C:\Program Files (x86)\UiPath\Orchestrator\Identity) as well.
Elaborating the Root Cause:
- IIS allows configuration at the site, application, directory, and file levels, meaning settings like HTTP response headers can be set on multiple levels.
- The root of the configuration hierarchy is the "applicationHost.config" file which contains server-wide configuration settings. For example, if a header like "X-Content-Type-Options" is set here, it applies to all applications/sites running on the server.
- Besides the server-wide level, each web application, like the Identity Server, has its own "web.config" file for application-level settings. The settings defined here apply only to that particular application.
- When IIS processes a request, it computes the effective configuration by combining the server-wide settings from "applicationHost.config" with the application-specific settings from "web.config", so a header defined in both files is declared at both levels, which is the conflict seen here.
- To know more about the HTTP headers from a security standpoint, read the following: Addressing Concerns Regarding HTTP Security Headers.
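The overlap described above can be confirmed from PowerShell before editing anything. This is an added example, not UiPath or Microsoft code: the function name `Get-DuplicateCustomHeader` and the sample XML are constructed for illustration, and the check assumes only server-wide headers matter (headers set in `<location>` blocks of applicationHost.config are not inspected).

```powershell
# Added example (not UiPath code). Reports custom headers that the application
# web.config adds although the server-level configuration already declares them.
function Get-DuplicateCustomHeader {
    param([xml]$Server, [xml]$App)

    $comparer  = [System.StringComparer]::OrdinalIgnoreCase   # header names ignore case
    $inherited = [System.Collections.Generic.HashSet[string]]::new($comparer)
    # Server-wide headers only; <location>-scoped blocks are not inspected here.
    foreach ($n in $Server.SelectNodes('/configuration/system.webServer/httpProtocol/customHeaders/add')) {
        [void]$inherited.Add($n.GetAttribute('name'))
    }

    foreach ($section in $App.SelectNodes('//system.webServer/httpProtocol/customHeaders')) {
        $live = [System.Collections.Generic.HashSet[string]]::new($inherited, $comparer)
        # Children are walked in document order: a <remove> or <clear> only
        # prevents the clash if it appears before the <add>.
        foreach ($child in $section.SelectNodes('*')) {
            $name = $child.GetAttribute('name')
            switch ($child.LocalName) {
                'clear'  { $live.Clear() }
                'remove' { [void]$live.Remove($name) }
                'add'    { if (-not $live.Add($name)) { $name } }
            }
        }
    }
}

# Constructed sample input standing in for the two files named in the article.
$serverXml = [xml]@'
<configuration><system.webServer><httpProtocol><customHeaders>
  <add name="X-Content-Type-Options" value="nosniff" />
  <add name="X-Powered-By" value="ASP.NET" />
</customHeaders></httpProtocol></system.webServer></configuration>
'@
$appXml = [xml]@'
<configuration><system.webServer><httpProtocol><customHeaders>
  <remove name="X-Powered-By" />
  <add name="X-Powered-By" value="none" />
  <add name="x-content-type-options" value="nosniff" />
</customHeaders></httpProtocol></system.webServer></configuration>
'@
Get-DuplicateCustomHeader -Server $serverXml -App $appXml

# Against the real files (default paths from the article):
# $s = [xml](Get-Content -Raw "$env:windir\System32\inetsrv\config\applicationHost.config")
# $a = [xml](Get-Content -Raw 'C:\Program Files (x86)\UiPath\Orchestrator\Identity\web.config')
# Get-DuplicateCustomHeader -Server $s -App $a
```

Any name the function returns is a header that the Identity "web.config" adds on top of an inherited declaration, which makes it a candidate for the removal described in the resolution.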
Resolution:
- Open the "web.config" file for the Identity Server by navigating to the Orchestrator's installation directory and opening the "Identity" folder inside the same. This would be "C:\Program Files (x86)\UiPath\Orchestrator\Identity" by default unless the installation is done in a custom location.
- Open the "customHeaders" section and comment out or remove the "X-Content-Type-Options" header from the same file:
- Reset the IIS.
- Relaunch Orchestrator in a fresh browser and check if the issue is fixed.
Notes:
- While troubleshooting, it is a good idea to check all the Identity settings in general, meaning that apart from the "HTTP Response Headers", also check other IIS settings to see if the issue could potentially lie in one of those instead. Accordingly, tackle the error.
- Also consider checking the settings for other sites/subsites (Orchestrator, Webhooks, Resource Catalog) should the error point to the same.
- Apart from the IIS settings, in a few cases, this issue has been associated with other scenarios. If the resolution elaborated above doesn't work, check the following items as well:
  - If all the URLs mentioned in this document have been configured correctly.
  - If the Orchestrator and Identity Certificate(s) have been configured correctly using these steps. Also consider running the Platform Configuration Tool to validate the same.
  - If the Orchestrator DNS/Hostname resolves in the domain. The Orchestrator certificate's 'Subject' or 'Subject Alternative Name' (SAN) essentially points to the DNS, which should be resolvable in your network domain.
  - If any recent patches were applied on the machine that could have potentially disrupted the IIS settings, causing this issue.