Orchestrator Login Returns Error: Contact your administrator to request access (#214)

How do you resolve the following error received during login to Orchestrator: "You don’t have permissions to access Orchestrator in this tenant. Contact your administrator to request access. (#214)"?

Issue Description: At login to Orchestrator, the following error is returned: "You don’t have permissions to access Orchestrator in this tenant. Contact your administrator to request access. (#214)"


Root Cause: This happens when a user tries to access a tenant on which they have an account but to which they do not have access. Possible causes:

  1. Tenant was recently deleted and re-created but cleanup has not completed.
  2. The user does not have the web login permission but has an account for that tenant.
  3. This can happen after upgrading to 20.10+ and using Windows Integrated Authentication for access.

Diagnosing / Resolving

  1. Check to see if the user account has the web login permission.
    • Read more on the User Details
    • On the user page, select the user->edit, and on the 'User Details' page check whether 'Allow Web Login' is checked.
    • If it is not, enable it.
  2. Check the event viewer logs of Orchestrator
    • eventvwr->Application (we have KBs for how to check the event viewer logs)
    • Look for errors from the Orchestrator source around the time the issue occurred.
    • Check to see if something like the following is present
      • Cannot create external login for S-1-5-XXXXXXXXXXXXXXXXX
        UiPath.Orchestrator.Core.Exceptions.BusinessConflictException: Error code - 1028, Message - 'Email 'XXXXXXXX' is already taken.'
        at async Task UiPath.Orchestrator.Application.Users.UserService.CreateAsync(UserDto input, UserCreateContext context)
        at async Task Abp.Domain.Uow.UnitOfWorkInterceptor.InternalInterceptAsynchronous(IInvocation invocation)
        at async Task Abp.Domain.Uow.UnitOfWorkInterceptor.InternalInterceptAsynchronous(IInvocation invocation)
        at async Task Abp.Runtime.Validation.Interception.ValidationInterceptor.InternalInterceptAsynchronous(IInvocation invocation)
        at async Task UiPath.Orchestrator.Application.Provisioning.DirectoryProvisioner.ProvisionUserAsync(DirectoryUserDto directoryUser)
        at async Task UiPath.Orchestrator.Application.Provisioning.DirectoryProvisioner.LoginUserAsync(string domain, string identifier)
        at async Task UiPath.Orchestrator.Security.Auth.Common.UserMapping.DirectoryUserMapper.MapLoginAsync(string domain, string identifier, string tenancyName)
    • If the above is present, it means that the user exists as a local user in Orchestrator. This can be checked by looking at the user in Orchestrator. If a user is a directory user, their user name will look like: userName@ (e.g. robot@uipath)
    • The error is thrown because Orchestrator thinks it has to create the user and fails, resulting in the login error.
    • To fix this, see Converting Local AD Users into Directory Users
  3. If the tenant was recently deleted, try running an IIS reset as an administrator from the command line (cmd->iisreset). Alternatively, wait some time; after a certain period a Quartz cron job will clean up the tenant.
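
The event log check in step 2 can be scripted. The following PowerShell is an added example, not UiPath code: it searches the Application log for the "Cannot create external login" error quoted above and resolves the SID to an account name. It assumes the event source name contains "Orchestrator" and uses a one-hour look-back window by default (`$Since` is a hypothetical parameter name).

```powershell
# Added example (not UiPath code). Run in an elevated PowerShell session on the Orchestrator server.
param(
    # Assumed look-back window; set it to shortly before the failed login.
    [datetime]$Since = (Get-Date).AddHours(-1)
)

# Signature built from the event text quoted in step 2.
$pattern = "Cannot create external login for (?<sid>S-1-5-[\d-]+)[\s\S]*?Error code - (?<code>\d+), Message - '(?<msg>.+?)'\s+at\s"
$ntType  = [System.Security.Principal.NTAccount]
$filter  = @{ LogName = 'Application'; Level = 2; StartTime = $Since }   # Level 2 = Error

$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $evt = $_
    # Assumption: the event source name contains "Orchestrator", as the article describes.
    if ($evt.ProviderName -like '*Orchestrator*' -and $evt.Message -match $pattern) {
        $sid  = $Matches['sid']
        $code = [int]$Matches['code']
        $msg  = $Matches['msg']
        try {
            # Resolve the SID so the affected account can be looked up in Orchestrator.
            $account = [System.Security.Principal.SecurityIdentifier]::new($sid).Translate($ntType).Value
        } catch {
            $account = '(could not resolve SID)'
        }
        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            Sid         = $sid
            Account     = $account
            ErrorCode   = $code
            Message     = $msg
        }
    }
}

if ($hits) {
    $hits | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
    Write-Output 'Matching events found: compare each Account with the local user in Orchestrator (step 2).'
} else {
    Write-Output "No 'Cannot create external login' errors since $Since; check steps 1 and 3."
}
```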