Improvements
Setup
Improved error logging and reporting during execution of the Publish-IdentityServer.ps1 and MigrateTo-IdentityServer.ps1 scripts.
We’ve added a script to ensure Certificate requirements are met.
When entering the SSL certificate during installation, a search by Thumbprint is performed first, then by Subject Name, helping avoid errors due to multiple certificates with the same name.
AD
We've added a faster strategy for fetching Active Directory group membership. Enable it by adding the following key in web.config: <add key="WindowsAuth.GroupMembershipFetchStrategy" value="TokenGroups" />. More details in the web.config documentation.
Note: This strategy works best for large AD environments with nested groups, where users reside in a single domain. It does not work across multiple domains: a user belonging to a specific domain does not inherit access rights from parent groups in other domains, despite a two-way trust relationship between them.
We increased the character limit for the Domain\Username field (Add Users and Edit Users pages) to 256.
Troubleshooting
To improve your troubleshooting experience you can now allow for Orchestrator PII display by adding the following key in web.config: <add key="ExternalAuth.ShowPII" value="true" />. The key is not displayed by default in web.config, and the default behavior does not allow for PII display. More details in the web.config documentation.
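Both keys above are appSettings entries in web.config. The following PowerShell is an added example, not UiPath's own script: it sets the group-membership strategy key idempotently (no duplicate entries on repeated runs) and reports whether PII display has been left enabled. The config path and the sample web.config are constructed assumptions for an offline run.

```powershell
# Constructed sample web.config written to a temp path; point $path at the real
# Orchestrator web.config (after taking a backup) to apply the same edit.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="WindowsAuth.Enabled" value="true" />
  </appSettings>
</configuration>
'@
$path = Join-Path ([System.IO.Path]::GetTempPath()) 'web.config'
Set-Content -Path $path -Value $sample -Encoding UTF8

function Set-AppSetting {
    param([string]$ConfigPath, [string]$Key, [string]$Value)
    [xml]$xml = Get-Content -Path $ConfigPath -Raw
    $appSettings = $xml.configuration.appSettings
    if (-not $appSettings) { throw "No <appSettings> element in $ConfigPath" }
    $node = $appSettings.add | Where-Object { $_.key -eq $Key }
    if ($node) {
        $node.value = $Value            # key exists: update in place, keep one entry
    } else {
        $new = $xml.CreateElement('add') # key missing: append a new <add .../>
        $new.SetAttribute('key', $Key)
        $new.SetAttribute('value', $Value)
        [void]$appSettings.AppendChild($new)
    }
    $xml.Save($ConfigPath)
}

function Get-AppSetting {
    param([string]$ConfigPath, [string]$Key)
    [xml]$xml = Get-Content -Path $ConfigPath -Raw
    ($xml.configuration.appSettings.add | Where-Object { $_.key -eq $Key }).value
}

# Back up before editing the live file.
Copy-Item -Path $path -Destination "$path.bak" -Force

# Enable the TokenGroups strategy; running it twice must not create a second entry.
Set-AppSetting -ConfigPath $path -Key 'WindowsAuth.GroupMembershipFetchStrategy' -Value 'TokenGroups'
Set-AppSetting -ConfigPath $path -Key 'WindowsAuth.GroupMembershipFetchStrategy' -Value 'TokenGroups'
Get-AppSetting -ConfigPath $path -Key 'WindowsAuth.GroupMembershipFetchStrategy'

# Audit: PII display is off by default and should only be on while troubleshooting.
$pii = Get-AppSetting -ConfigPath $path -Key 'ExternalAuth.ShowPII'
if ($pii -eq 'true') { Write-Warning 'ExternalAuth.ShowPII is enabled; remove the key when troubleshooting is done.' }
else { Write-Output 'ExternalAuth.ShowPII is not enabled (default behavior).' }
```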
Known Issues
If the SQL Server database name or the password of the user being used to install Orchestrator contains a semicolon (;), installation fails with no useful error displayed.
When enforcing the Reset at first login option for the Host password during installation, this initial password change is not properly propagated and results in a failed validation and installation for a subsequent Insights deployment. Change your password via the Orchestrator UI prior to installing Insights to avoid this issue.
Bug Fixes
Setup
- Fixed an issue where, if the WindowsAuth.AutoLogin.Enabled key was enabled before upgrading, users could not log in to the host tenant following the upgrade.
- After upgrading, some users could not log in to Orchestrator, receiving Error 214 messages.
- We improved the installer experience to provide feedback during the SSL certificate validation and added a section in the log file for all certificate-related errors, helping avoid unintentional errors during that operation.
- The SSL certificate used is now validated to ensure it is trusted. Existing deployments using non-trusted certificates cannot upgrade without now providing a trusted certificate.
- The Virtual Path was not set during execution of the Publish-IdentityServer.ps1 script, resulting in silent failure.
- Fixed an issue where package migration, both during installation or executed manually, failed to import activities.
- The default admin user of newly created tenants could not log in if Windows AD was turned on in Identity Server and force log-in was enabled.
- During an upgrade, data migration from Orchestrator to Identity Server fails during Robot Key migration if more than 5000 records are present.
- The Identity Server database migrator fails when attempting a total rollback of the installation.
- Installation would fail if the Certificate Revocation List (CRL) could not be checked for the Identity Server certificate. The operation can now continue so long as the certificate is not detected as Revoked.
- The installer did not validate the ASP.NET Core Web Hosting Bundle was properly installed.
- Installation failed when using a certificate from a certificate authority that does not have a revocation list enabled.
- When performing an installation rollback, the tables (i.e. Identity Server, Insights, Test Automation) created in the Orchestrator database were not deleted, causing an error on subsequent upgrade attempts.
- The installer did not perform a check to ensure the same Identity Server certificate is present on all nodes.
- In multi-node deployments, the SSL and Signing certificates were not properly validated between all nodes.
- The configuration file used for secondary node deployment did not contain the certificate thumbprint configured on the primary node.
Others
- The expiration date of a new host license was not propagated to the associated tenants. The tenants kept the expiration date of the previous license, and you needed to reallocate the licenses to your tenants as a workaround.
- We fixed an issue that caused multiple errors such as "Can not find 'Queues.View' in localization source 'UiPath'!" to be logged in typical Orchestrator usage conditions.
- You could not use Orchestrator resources in the grace period after license expiry for tenants licensed through the host license.