UiPath Orchestrator

The UiPath Orchestrator Guide

Identity Server Troubleshooting

Viewing Additional Information in Logs

There may be situations when Identity Server throws error messages containing sensitive information. For example, if the certificate used to sign the access tokens generated by Identity Server has a 1024-bit public key instead of a 2048-bit one, you receive the following error message when trying to log in to a freshly installed or upgraded Orchestrator tenant:
InternalServerError - IDX10630 The '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'

To enable the logging of sensitive information such as certificate public keys or hidden PII (personally identifiable information), update the following setting in the Identity Server's appsettings.Production.json file, within your existing AppSettings section:

"AppSettings": {
    "EnablePII": true
}

With this new setting, the error message reveals more useful information:
The 'Microsoft.IdentityModel.Tokens.X509SecurityKey, KeyId: 'F9B1F6C18B728C02C8853470C71C365F000C86B5', InternalId: 'd3dadcac-e5aa-48e6-a20a-9232a3c3d16f'.' for signing cannot be smaller than '2048' bits. KeySize: '1024'. (Parameter 'key.KeySize')

Faulty .NET Core Hosting Bundle Installation

There may be situations when .NET Core Hosting Bundle is not installed properly. This may have the following effects:

  • .NET Core applications running in IIS (such as Identity Server) do not start. Instead, the System.IO.IOException: IDX20807: Unable to retrieve document error is displayed.
  • An error appears when you access Handler Mappings for Identity Server in IIS.
  • The 500.19 Error Code: 0x8007000d error occurs when visiting the https://localhost/identity URL in a browser.

The obvious solution for this issue is to reinstall the .NET Core Hosting Bundle.

Unable to Access External Providers Page after Upgrading to Orchestrator v2020.4

When you update your Orchestrator to v2020.4, Identity Server migrates your previous settings. If you had previously enabled Windows authentication while having set up automatic login for Windows AD users, then after performing the upgrade, the users can't access the External Providers page if they previously logged into Identity Server. The users are logged in to the tenants directly after entering their Windows credentials.

Without being able to access the Login page, the host admin can't log in to the Host tenant, and they can't access Identity Management Portal.

If this is your case, open a new browser in incognito mode and type https://<OrchestratorURL>/identity/configuration.

/api/account/authenticate Calls Failing For Users Who Changed Passwords at First Login

For newly created users who change their password when they first log in to Orchestrator, any calls performed via PowerShell to the /api/account/authenticate endpoint result in an Invalid credentials, failed to login error message.

Users in this situation should change their password from Orchestrator's Profile page.

Keyset Does Not Exist Error After Installation

After installing UiPath Orchestrator v2020.4, the Keyset does not exist Internal Server Error might occur if the certificate used for Identity Server does not have the appropriate permissions set.

Run the following PowerShell script as Admin to grant permissions for the certificate:

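# Run from an elevated PowerShell session.
Import-Module WebAdministration
$siteName = 'UiPath Orchestrator'
# Certificate bound to the site's HTTPS binding
$binding = (Get-ChildItem -Path IIS:\SSLBindings | Where Sites -eq $siteName)[0]
$certLoc = "cert:\LocalMachine\MY\$($binding.Thumbprint)"
$cert = Get-Item $certLoc
# Private key file of the certificate (CSP key container)
$keyPath = $env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys\"
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFullPath = $keyPath + $keyName
$acl = (Get-Item $keyFullPath).GetAccessControl('Access')
# Assumption: the account and rights are not given on this page. IIS_IUSRS with Read is used here;
# use the Identity Server application pool identity instead where you can.
$permission = 'IIS_IUSRS', 'Read', 'Allow'
$accessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
# Add the rule to the ACL before writing it back
$acl.AddAccessRule($accessRule)
Set-Acl -Path $keyFullPath -AclObject $acl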


Modify the $siteName value according to your Orchestrator installation.

Restart the IIS site after performing any configuration changes.
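
Both certificate problems on this page (a signing key below 2048 bits, and a private key the site cannot read) can be checked directly, without turning on EnablePII. The script below is an added example, not UiPath's own code; the `$Thumbprint` parameter is an assumption (pass the thumbprint of the certificate your installation uses), and it goes beyond the script above by also locating CNG-stored keys.

```powershell
param(
    # Assumption: thumbprint of the certificate Identity Server signs with.
    [Parameter(Mandatory)] [string] $Thumbprint,
    # 2048 is the minimum quoted in the IDX10630 message on this page.
    [int] $MinimumBits = 2048
)
# Read-only diagnostic: it changes no settings or permissions.
$ext  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# Public key size: the value IDX10630 hides while EnablePII is off.
$pub = $ext::GetRSAPublicKey($cert)
if ($null -eq $pub) { throw "Certificate $Thumbprint has no RSA public key." }

# Find the private key file. CNG keys expose Key.UniqueName, CSP keys expose
# CspKeyContainerInfo; the file sits in one of two machine key folders.
$keyFile = $name = $null
try {
    $priv = $ext::GetRSAPrivateKey($cert)
    if ($priv -is [System.Security.Cryptography.RSACng]) {
        $name = $priv.Key.UniqueName
    } elseif ($priv) {
        $name = $priv.CspKeyContainerInfo.UniqueKeyContainerName
    }
    if ($name) {
        $keyFile = 'RSA\MachineKeys', 'Keys' |
            ForEach-Object { Join-Path "$env:ProgramData\Microsoft\Crypto" "$_\$name" } |
            Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
            Select-Object -First 1
    }
} catch {
    Write-Warning "Private key not usable by this account: $($_.Exception.Message)"
}
# Accounts with an Allow rule covering Read on the key file.
$read = [System.Security.AccessControl.FileSystemRights]::Read
$readers = @()
if ($keyFile) {
    $readers = (Get-Acl -LiteralPath $keyFile).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -band $read) -eq $read } |
        ForEach-Object { $_.IdentityReference.Value }
}

[pscustomobject]@{
    KeySizeBits    = $pub.KeySize
    MeetsMinimum   = $pub.KeySize -ge $MinimumBits
    HasPrivateKey  = $cert.HasPrivateKey
    PrivateKeyFile = $keyFile
    AllowedReaders = $readers -join '; '
}
```

Save it as a script file and run it from an elevated session. `MeetsMinimum` false corresponds to the IDX10630 case, and an `AllowedReaders` list without the account the site runs as corresponds to the Keyset does not exist case.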
