The UiPath Orchestrator Host can log in, but tenants cannot log in - Invalid credentials (#MTI_7) and The provided partition is invalid. (#MTI_1)

We just updated the license in Orchestrator, but found that both the previously created tenant and the tenant created after updating the license cannot log in to Orchestrator. Is there a solution to this?

Attempting to modify the password also results in an error prompt.

You created a custom tenant named Test?

Did you check this article https://uipath-survey.secure.force.com/CaseView/articles/Knowledge/Resetting-Default-and-Host-Tenant-Passwords?lang=en_US ?

Or just use the Forgot your password.

Hi Marian,
Our UiPath Orchestrator version is 2021.10.0, and we used the guide and executed the SQL to reset the default tenant's admin account to 890iopqa, but it does not work. I also used the forgot password function, but it prompted me that the partition is invalid. Is it possible that it was caused by other reasons? Thanks.

During and after Orchestrator installation, private key related errors will show up if the application pool user is not added to the signed certificate private key. These are the steps to do so.

  • Manually
  1. Check the certificate which is used in Orchestrator website bindings.
  2. Go to Windows → type “run” → mmc
  3. Once the mmc window is up → Add Snap-in → Add certificate → Local Computer
  4. Go to Personal → Certificate → Select the certificate which is used by Orchestrator website.
  5. Right Click Certificate → All tasks → Manage Private keys → Add group “IIS_IUSRS”
  6. Open cmd.exe as Administrator and run iisreset command.
  • Via PowerShell Script

```powershell
Import-Module WebAdministration

# Find the certificate bound to the Orchestrator website
$siteName = 'UiPath Orchestrator'
$binding  = (Get-ChildItem -Path IIS:\SSLBindings | Where Sites -eq $siteName)[0]
$certLoc  = "cert:\LocalMachine\MY\$($binding.Thumbprint)"
$cert     = Get-Item $certLoc

# Locate the private key file of that certificate
$keyPath     = $env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys\"
$keyName     = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFullPath = $keyPath + $keyName

# Add an Allow rule for IIS_IUSRS to the key file's ACL
$acl        = (Get-Item $keyFullPath).GetAccessControl('Access')
$permission = "IIS_IUSRS", "Full", "Allow"
$accessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$acl.AddAccessRule($accessRule)
Set-Acl -Path $keyFullPath -AclObject $acl
```

  • “The provided partition is invalid. (#MTI_1)”


Resolution: In order to identify the root cause of the issue, check the logs in the Event Viewer.

Event Viewer logs are where Windows stores system logs. They can sometimes show more detailed error messages than those that are typically shown to the user.
If the below error occurs:
Authentication failed Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSigningKeyException: IDX10249: X509SecurityKey validation failed. The associated certificate has expired. ValidTo (UTC): ‘System.DateTime’, Current time (UTC): ‘System.DateTime’.
at void Microsoft.IdentityModel.Tokens.Validators.ValidateIssuerSecurityKey(SecurityKey securityKey, SecurityToken securityToken, TokenValidationParameters validationParameters)
at void System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateIssuerSecurityKey(SecurityKey key, JwtSecurityToken securityToken, TokenValidationParameters validationParameters)
at ClaimsPrincipal System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
at ClaimsPrincipal System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(string token, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
at async Task UiPath.Orchestrator.Security.Auth.IdentityUser.IdentityUserAccessTokenAuthenticationHandler.HandleAuthenticateAsync()

Then there is an issue with the certificate and that means that the Orchestrator is not able to communicate with Identity, hence unable to get the credentials.

Perform the below steps:

  1. Renew the client certificate
  2. Login with a domain administrator account
  3. Windows start menu and type run (or Windows key + R)
  4. Type “mmc” and press enter
  5. File > Add/Remove Snap-In
  6. Double click on “Certificates”
  7. Choose “Computer account” and click Next
  8. Choose “Local Computer: (the computer this console is running on)” and click Finish
  9. Click on ok to add the Certificates Snap-In
  10. Expand Certificates > Personal > Certificate on the left panel
  11. Right-click on the client certificate (Intended Purposes: Client Authentication)
  12. Navigate to All Tasks > Advanced Operations > renew this certificate with the same key (if your domain CA doesn’t accept this action, choose the request certificate option with the same key or new key)
  13. Double click the certificate and change the register to “Details” and scroll down to “Thumbprint”
  14. Now open Windows Explorer and navigate to “\Identity” and open the file “appsettings.Production.json” with an editor like Notepad
  15. Make sure that the “Name” value in the “AppSettings” category is set to the “Thumbprint” of the new certificate (without blanks)
  16. Open the IIS Manager
  17. On the left panel click on the server name entry (!NOT! the website entry)
  18. Click on the right panel “Restart” in the “Actions” section
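
A read-only check covering both causes described above (IIS_IUSRS missing from the private key ACL, and an expired certificate), as an added example that is not part of the original posts or UiPath's own tooling. The function name, the 30-day threshold and the sample thumbprint are assumptions; it locates the key file the same way as the script above, so it assumes Windows PowerShell 5.1, an elevated prompt and a CSP-stored RSA key.

```powershell
# Added example: read-only check of a certificate in LocalMachine\My.
# Assumes Windows PowerShell 5.1, elevation, and a CSP-stored RSA key.
function Test-SigningCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,  # copied from MMC or the config file
        [string] $Account  = 'IIS_IUSRS',
        [int]    $WarnDays = 30                       # hypothetical warning threshold
    )
    # Values pasted from the MMC "Details" tab can carry blanks or an
    # invisible U+200E mark, so keep hex digits only.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert  = if ($clean.Length -eq 40) {
        Get-Item -Path "Cert:\LocalMachine\My\$clean" -ErrorAction SilentlyContinue
    }
    if (-not $cert) { return [pscustomobject]@{ Thumbprint = $clean; Found = $false } }

    $canRead = $null   # $null means "could not be determined"
    if ($cert.HasPrivateKey) {
        try {
            $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            if (-not $keyName) { throw 'private key is not exposed as a CSP key' }
            $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
            $read    = [System.Security.AccessControl.FileSystemRights]::Read
            $canRead = [bool]((Get-Acl -Path $keyFile -ErrorAction Stop).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -like "*\$Account" -and
                ($_.FileSystemRights -band $read) -eq $read
            })
        } catch {
            Write-Warning "Key ACL not checked: $($_.Exception.Message)"
        }
    }

    $now = Get-Date
    [pscustomobject]@{
        Thumbprint     = $clean
        Found          = $true
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        Expired        = $now -gt $cert.NotAfter
        ExpiresSoon    = ($cert.NotAfter - $now).TotalDays -lt $WarnDays
        HasPrivateKey  = $cert.HasPrivateKey
        AccountCanRead = $canRead
    }
}

# Constructed placeholder thumbprint, not a value from the thread:
Test-SigningCertificate -Thumbprint '00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33'
```

`Found = $false` after a renewal usually means the configured thumbprint still points at the old certificate; `Expired = $true` corresponds to the IDX10249 error shown in the Event Viewer log.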

Thanks Marian. We manually updated the certificate and it works. The problem has been resolved. Thanks very much for your support again.
