"You Are Not Authenticated" Error With Get Asset Activity With UiPath.System.Activities 2022.10

How to handle the error "You are not authenticated!" returned by the Get Asset activity with UiPath.System.Activities 2022.10+ versions?

Troubleshooting Steps:

  1. The most common cause of this issue is that the Signing certificate for the Identity Server is expired. Typically this arises when the same certificate was configured for SSL and signing. The SSL certificate is updated when it expires, but the reference the Identity Server has to the SSL certificate was never updated.
    • Open C:\Program Files (x86)\UiPath\Orchestrator\Identity\appsettings.Production.json
    • Look for the certificate thumbprint section
    • Open certlm.msc
    • Go to the personal node and check to see which certificate contains the given thumbprint
    • If the thumbprint is for an expired certificate, see the section 'Update Signing Certificate'
  2. If the signing certificate is not expired, there is a different configuration issue with the Identity Server and Orchestrator. By default, Orchestrator will hide the specific error. This is a security measure (For more details see the section: Why the Configuration Error is Hidden). To expose the error, do the following:
    • The Enable PII setting needs to be set to true in both the UiPath.Orchestrator.dll.config and the appsettings.production.json
    • After the two settings are enabled, recycle the Orchestrator and Identity Server application pool or from the command line execute: iisreset
      • iisreset will stop the application temporarily and will cause a few seconds of downtime
      • Recycling the app pool should not cause downtime
    • Next, reproduce the issue and then check the Orchestrator Event Viewer logs. There should be more information about the issue. If unsure what the error means, please share it with UiPath Support.

Update Signing Certificate

In most environments, the Identity Server signs tokens with the same certificate that is used for its own and Orchestrator's SSL bindings. If this is not the case, then before proceeding, make sure that the Signing certificate is installed in the Personal node for the computer account.
  1. Find the thumbprint of the Orchestrator certificate
    • In IIS go to that UiPath Orchestrator site
    • On the right side, select 'Bindings...'
    • Select the binding and then click 'Edit...'
    • In the menu that pops up, select 'View...' at the lower left of the window. This will show the certificate used to bind the port for HTTPS encryption (the SSL certificate)
    • In the Certificate window, go to the Details tab
    • Find the thumbprint information. Copy this thumbprint.
    • Note: For Windows 2016 and below, the thumbprint has a breaking hidden character. Make sure to remove it. See step 5 in Setting Orchestrator/ Identity Server to Use the Certificate
  2. Before switching the certificate make sure that the Identity Server application pool has access to the private key.
    • Open certlm.msc
    • Under the Personal node, find the new certificate with the matching thumbprint
    • Right click->All Tasks->Manage Private Keys
    • Click Add
    • Change the location to the current computer.
    • Add the user 'IIS APPPOOL\Identity' and give the user Full control and Read
  3. Use the thumbprint to run the Platform Configuration Tool:
    • The command to run from PowerShell, with <thumbprint> replaced by the thumbprint copied in step 1, is: & "C:\Program Files (x86)\UiPath\Orchestrator\Tools\UiPath.Platform.Configuration.Tool\Platform.Configuration.Tool.ps1" UpdateUiPathCertificate -NewTokenSigningThumbprint <thumbprint> -SiteName UiPathOrchestrator
  4. Verify that the issue no longer occurs.
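
The expiry check from troubleshooting step 1 and the hidden-character cleanup from the note in step 1 of 'Update Signing Certificate' can be scripted together. This is an added PowerShell example, not part of UiPath's tooling; the function name Test-SigningCertificate, the 30-day warning window and the sample thumbprint are assumptions made for illustration.

```powershell
# Added example: hypothetical helper, not shipped with Orchestrator.
function Test-SigningCertificate {
    param(
        # Thumbprint exactly as pasted from appsettings.Production.json
        # or from the Details tab of the certificate window.
        [Parameter(Mandatory)] [string] $Thumbprint,
        [int] $WarnDays = 30   # assumed warning window
    )

    # Keep only hex digits. This drops spaces and any invisible character
    # that was copied along with the thumbprint.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($clean.Length)."
    }

    # LocalMachine\My is the Personal node shown by certlm.msc.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) {
        return [pscustomobject]@{ Thumbprint = $clean; Found = $false }
    }

    $now = Get-Date
    [pscustomobject]@{
        Thumbprint    = $clean
        Found         = $true
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        Expired       = $now -gt $cert.NotAfter
        NotYetValid   = $now -lt $cert.NotBefore
        ExpiresSoon   = $cert.NotAfter -lt $now.AddDays($WarnDays)
        HasPrivateKey = $cert.HasPrivateKey   # needed for token signing
    }
}

# Constructed sample input: spaces plus a leading invisible mark (U+200E).
$pasted = "$([char]0x200E)00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33"
Test-SigningCertificate -Thumbprint $pasted | Format-List
```

Run it once with the thumbprint found in appsettings.Production.json and once with the thumbprint of the current SSL binding; if the first reports Expired and the second does not, the Identity Server is still pointing at the old certificate.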

Why the Configuration Error is Hidden

The OpenId Connect protocol is very common and allows applications to use third parties for authentication. For example on cloud.uipath.com the option of using Google, Microsoft or LinkedIn as the authentication source is offered. All of this is possible by using the OpenId Connect protocol.

When authenticating via a third party it is normal to disable any authentication errors by default. This is done to protect PII data (Personal Identifiable Information) which may be present in the error from being exposed.

While the Identity Server and Orchestrator do not quite represent a third-party situation where PII data needs to be hidden, this functionality is still part of the underlying framework and it is hidden by default. If desired, the keys to enable the exposure of the error can remain enabled.

Another Troubleshooting Step
The issue can also be related to how the Robot is authenticating to Orchestrator. When running a Fiddler trace on the package housing uipath.systems.activity version 20.4.0, you may see the authentication is done via the "old method". The Robot was using the Robot key authentication - Authorization: UiRobot . We had to remove Studio API activities (There is a bug where it causes the wrong authorization to be used) and then upgrade the uipath.system.activities.

Another workaround would be to disable the user licensing in Orchestrator (this is not recommended due to having to specifically allocate licenses).

It would be great if these KB updates could be hidden from the “latest topics” list. Now I can’t see any of the discussions, they’re all pushed way down the list.