Common Configuration Needs

Orchestrator Installation and Troubleshooting
1. Why do we change the Orchestrator/Identity Server URL in some situations? There are
situations in which the Orchestrator URL needs to be changed, for example, when the
infrastructure is upgraded from single-node to multi-node. Consequently, the Identity
Server URL also needs to be changed.

2. Changing the Orchestrator SSL certificate and the Identity Server token-signing certificate.

The Orchestrator and the Identity Server communicate over HTTPS. They use an SSL certificate to
establish the secure connection. In addition, the Identity Server uses the private key of the
certificate to sign tokens.

For Orchestrator deployments using version 2020.4 or higher, when the SSL certificate
expires, the change has to be applied to the applications, Orchestrator and Identity.

a. The certificate needs to meet the following requirements.


o All the servers in the cluster must trust it. (You can add it in "Local Computer"
under "Personal" and "Trusted Root Certification Authorities".)
o It must have a private key: in Certificates Store (Local
Computer)\Personal\Certificates -> right-click the certificate -> All Tasks, and check whether
the "Manage Private Keys" option is displayed. If it is not, the certificate only has
a public key and is not valid to use for UiPath infrastructure.
o The "Subject Alternative Name" of the certificate needs to exactly match the
Orchestrator site URL, and in a multi-node environment with NLB it needs to
contain the NLB URL as well.
o The user account that the Orchestrator and Identity Server sites run under must have
access to the private key of the certificate:
▪ If you are using ApplicationPoolIdentity, go to Personal store > All Tasks >
Manage Private Keys, and give read permission to the IIS AppPool\UiPath
Orchestrator user or to the "IIS_IUSRS" group.
▪ If you are using a custom account, go to Personal store > All Tasks >
Manage Private Keys, and give read permissions to the custom user that is
set on the Orchestrator Application Pool.
b. The Orchestrator and the Identity Server must use the same certificate, since the Identity
Server signs the tokens using the private key and Orchestrator validates them using
the public key:
o Orchestrator
▪ Open the Internet Information Services (IIS) Manager (Start > Run >
inetmgr).
▪ Click the site you want to secure with the SSL certificate. (This process is
called binding).
▪ In the Actions panel on the right, click Bindings.

▪ Double-click the site binding.
▪ SSL certificate -> in the dropdown specify the certificate that you are binding.
▪ Click OK.
o Identity Server
▪ Locate the Appsettings.Production.json file of Identity, which by default can be
found at "C:\Program Files (x86)\UiPath\Orchestrator\Identity".
▪ Open the file with any text editor and locate the "Name" section.
▪ Replace its value with the thumbprint of the new certificate.
▪ Go to IIS -> Orchestrator site -> Manage Website Panel -> Restart the site.
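
The certificate requirements in step a can be checked from an elevated PowerShell session before the binding and the thumbprint are changed. The script below is an added example, not part of the original UiPath material: the function name Test-OrchestratorCertificate, the host name and the thumbprint placeholder are assumptions. It also assumes an RSA key held by a software key provider on English-language Windows.

```powershell
# Added example (hypothetical helper, not UiPath code). Run elevated, on every node.
function Test-OrchestratorCertificate {
    param(
        [string]$Thumbprint = '<NEW-CERT-THUMBPRINT>',                # placeholder
        [string[]]$RequiredNames = @('orchestrator.example.com'),    # assumed site/NLB host names
        [string]$AppPoolAccount = 'IIS AppPool\UiPath Orchestrator'  # account named on the page
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint is not in LocalMachine\My" }

    # Trust: build the chain against this machine's stores (revocation not checked).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    # Subject Alternative Name: exact, case-insensitive match on each required name.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        $sanNames = [regex]::Matches($sanExt.Format($true), 'DNS Name=(\S+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    $missing = @($RequiredNames | Where-Object { $sanNames -notcontains $_ })

    # Private key ACL: locate the key file, look for a direct Allow/Read entry.
    $canRead = $false
    if ($cert.HasPrivateKey) {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
        } else {
            $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        }
        $read = [System.Security.AccessControl.FileSystemRights]::Read
        $canRead = [bool]((Get-Acl $keyFile).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $read) -eq $read -and
            $_.IdentityReference.Value -in @($AppPoolAccount, 'BUILTIN\IIS_IUSRS')
        })
    }
    [pscustomobject]@{
        Expires = $cert.NotAfter; TrustedHere = $trusted
        HasPrivateKey = $cert.HasPrivateKey; MissingSanNames = $missing
        AppPoolCanReadKey = $canRead
    }
}
Test-OrchestratorCertificate   # replace the placeholder thumbprint first
```

The ACL check only sees entries granted directly to the named account or to IIS_IUSRS; access inherited through another group is not resolved.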
