Subscribe

UiPath Installation and Upgrade

The UiPath Installation and Upgrade Guide

Identity Server Troubleshooting

Viewing Additional Information in Logs

There may be situations when Identity Server throws error messages containing sensitive information. For example, if the certificate used to sign the access tokens generated by the Identity Server is a public key on 1024 bits, instead of 2048 bits, you'll receive the following error message when trying to login to a freshly installed or upgraded Orchestrator tenant:
InternalServerError - IDX10630 The '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'

To enable the logging of sensitive information such as certificate public keys or hidden PII (personally identifiable information), update the following setting in the Identity Server's appsettings.Production.json file, within your existing AppSettings section:

"AppSettings": {
    "EnablePII": true
  },

📘

Note:

Even after updating the EnablePII setting in the Identity Server's appsettings.Production.json file, some information might still be hidden. To display Orchestrator PII, add the ExternalAuth.ShowPII setting to Orchestrator's UiPath.Orchestrator.dll.config.

With this new setting, the error message reveals more useful information:
The 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'F9B1F6C18B728C02C8853470C71C365F000C86B5', InternalId: 'd3dadcac-e5aa-48e6-a20a-9232a3c3d16f'.' for signing cannot be smaller than '2048' bits. KeySize: '1024'. (Parameter 'key.KeySize')

Faulty .NET Core Hosting Bundle Installation

There may be situations when .NET Core Hosting Bundle is not installed properly. This may have the following effects:

  • .NET Core applications running in IIS (such as identity Server) do not start. Instead, the System.IO.IOException: IDX20807: Unable to retrieve document error is displayed.
  • An error appears when you access Handler Mappings for Identity Server in IIS.
  • The 500.19 Error Code: 0x8007000d error occurs when visiting the https://localhost/identity URL in a browser. Click here for more details.

The obvious solution for this issue is to reinstall the .NET Core Hosting Bundle.

Unable to Access External Providers Page after Upgrading to Orchestrator v2020.4

When you update your Orchestrator to v2020.4, Identity Server migrates your previous settings. If you had previously enabled Windows authentication while having set up automatic login for Windows AD users, then after performing the upgrade, the users can't access the External Providers page if they previously logged into Identity Server. The users are logged in to the tenants directly after entering their Windows credentials.

Without being able to access the Login page, the host admin can't log in to the Host tenant, and they can't access Identity Management Portal.

If this is your case, open a new browser in incognito mode and type https://<OrchestratorURL>/identity/configuration.

/api/account/authenticate Calls Failing For Users Who Changed Passwords at First Login

For newly created users who change their password when they first log in to Orchestrator, any calls performed via PowerShell to the /api/account/authenticate endpoint result in an Invalid credentials, failed to login error message.

Users in this situation should change their password from Orchestrator's Profile page.

Keyset Does Not Exist Error After Installation

After installing UiPath Orchestrator v2020.4, the Keyset does not exist Internal Server Error might occur if the certificate used for Identity Server does not have the appropriate permissions set.

Run the following PowerShell script as Admin to grant permissions for the certificate:

import-module WebAdministration
$siteName = 'UiPath Orchestrator'
$binding = (Get-ChildItem -Path IIS:\SSLBindings | Where Sites -eq $siteName)[0]
$certLoc = "cert:\LocalMachine\MY\$($binding.Thumbprint)"
$cert = Get-Item $certLoc
$keyPath = $env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys\"
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFullPath = $keyPath + $keyName
$acl = (Get-Item $keyFullPath).GetAccessControl('Access')
$permission="IIS_IUSRS","Full","Allow"
$accessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$acl.AddAccessRule($accessRule)
Set-Acl -Path $keyFullPath -AclObject $acl

📘

Note:

Modify the $siteName value according to your Orchestrator installation.

Restart the IIS site after performing any configuration changes.

RobotKeyMigration Fails During Update

The Orchestrator service should be stopped prior to any update / upgrade of the Identity Server service. Changes made to robots in Orchestrator during the Identity Server update result in a failed update.

If this occurs, stop the Orchestrator service and re-run the migration.

Deployments using languages that contain non-ascii characters

Multiple issues have been linked to localization issues in languages containing non-ascii characters. For full localization support, please upgrade to the 20.10 Insights release.

Configuring SAML Settings Unavailable in Identity Server UI

The following workaround addresses scenarios where you installed Orchestrator v2020.4 or later and need specific settings for your SAML provider to work.

Whereas the Identity Server UI should meet most of your needs in terms of SAML configuration, this section provides a way to control additional SAML settings that are not exposed by default. For a complete list of available settings, refer to the official Sustainsys.Saml2 documentation.

Sustainsys.Saml2 is the library Identity Server relies on for SAML support, and it uses an XML configuration file. To get access to the fields that are unavailable in the Identity Server UI, you need to override this XML file. The following procedure describes how you can manage that:

  1. Make sure you enabled and properly configured the SAML external identity provider on the External Providers page in Identity Management Portal.
  2. Edit the appsettings.json or appsettings.Production.json file to include the following section at the root level. This tells Identity Server to look for a file called saml2.xml in the same folder as the web application and the appsettings.json or appsettings.Production.json.
"Authentication": {
   "Saml2": {
     "ConfigFile": "saml2.xml"
   }
 },
  1. Create an XML file called saml2.xml and add the SAML configuration.
  2. Map the fields on the External Providers page in Identity Management Portal to the corresponding nodes in saml2.xml.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="sustainsys.saml2" type="Sustainsys.Saml2.Configuration.SustainsysSaml2Section, Sustainsys.Saml2" />
 </configSections>
  <sustainsys.saml2 
      entityId="--1--"
      returnUrl="--5--">
    <identityProviders>
      <add 
          entityId="--2--" 
          signOnUrl="--3--" 
          allowUnsolicitedAuthnResponse="--4--" 
          binding="--6--">
        <signingCertificate 
            storeName="--7--" 
            storeLocation="--8--"
            findValue="--9--" 
            x509FindType="FindByThumbprint"/>
      </add>
    </identityProviders>
    <serviceCertificates>
      <add
          use="Both"
          storeName="--10--" 
          storeLocation="--11--"
          findValue="--12--" 
          x509FindType="FindByThumbprint"/>
    </serviceCertificates>
  </sustainsys.saml2>
</configuration>
  1. Add the settings you need. For example, use publicOrigin in load-balanced scenarios or minIncomingSigningAlgorithm if you want to change the default SHA256 option.
  2. Save the files and restart the Identity Server web application in IIS. If you encounter any errors with the SAML configuration, error events should be visible in your logs. You can use Windows Event Viewer, the default tool for this purpose.

Updating the Bearer Token Expiration

Orchestrator's UiPath.Orchestrator.dll.config file does not offer a way to update the bearer token expiration time.

Changes are possible only by adjusting the AccessTokenLifetime property of the Orchestrator.Ropc client in the Identity Server’s Clients database.

In the following example, the bearer token expiration time is set to 86400 seconds (24 hours).

UPDATE [identity].[Clients]
SET AccessTokenLifetime = 86400
WHERE ClientName = 'Orchestrator.Ropc'

Updated 9 days ago


Identity Server Troubleshooting


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.