Authentication fails for some users after token supposedly expired (x-post from CBA platform/geneva forum)

  • Question

  • Hi,

We've implemented MS CRM with Claims Based Auth., and users are connecting using the Outlook Client for CRM.

    Some of them are prompted to re-login occasionally; this is what the log files/event log say:

    The Federation Service encountered an error while processing the WS-Trust request.
      Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
      Additional Data
      Exception details:
      Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException: ID4063: LogonUser failed for the 'first.last' user. Ensure that the user has a valid Windows account. ---> System.ComponentModel.Win32Exception: Logon failure: unknown user name or bad password 

    From CRM server trace:

    <TraceRecord xmlns=http://schemas.microsoft.com/2009/10/IdentityModel/TraceRecord Severity="Error"><Description>Handled
    exception.</Description><AppDomain>/LM/W3SVC/2/ROOT-1-130148428582318582</AppDomain><Exception><ExceptionType>Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException,Microsoft.IdentityModel, Version=, Culture=neutral,PublicKeyToken=31bf3856ad364e35</ExceptionType><Message>ID4255: The SecurityToken is rejected because the validation time is out of range.

    ValidTo: '05-06-2013 10:45:11'

    ValidFrom: '05-06-2013 00:45:11'

    Current time: '05-06-2013 11:04:02'</Message>

So the token times out after 10 hours. My problem now: I have no idea where those 10 hours come from. Token timeout has been configured to 12 hours (http://www.zero2ten.com/blog/increasing-adfs-token-timeout-time-for-microsoft-dynamics-crm-2011/) and up to 48 hours while analyzing this issue. The "10-hour problem" remains; server and services have been rebooted.

    User accounts are OK, no bad passwords and so on. After rebooting/logging off the client, users are able to use CRM normally.

    Any idea where that 10-hour timeout could be configured?


    Monday, July 8, 2013 12:54 PM
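A small diagnostic for the ID4255 trace quoted in the post above, added here as an example and not code from the original thread: it parses the ValidFrom/ValidTo/Current time lines the WIF handler logs, computes the lifetime the STS actually put in the token, and compares it with the lifetime you believe you configured, so a mismatch like 10 h issued versus 12 h configured shows up directly. The timestamp format dd-MM-yyyy HH:mm:ss is an assumption about the server locale; both fields share the same date, so the computed lifetime is the same either way.

```python
import re
from datetime import datetime, timedelta

# ID4255 message exactly as quoted in the post above (constructed sample input).
TRACE = """ID4255: The SecurityToken is rejected because the validation time is out of range.
ValidTo: '05-06-2013 10:45:11'
ValidFrom: '05-06-2013 00:45:11'
Current time: '05-06-2013 11:04:02'"""

# Assumption: the trace prints timestamps as dd-MM-yyyy HH:mm:ss (server locale).
TS_FORMAT = "%d-%m-%Y %H:%M:%S"
FIELD_RE = re.compile(r"^(ValidTo|ValidFrom|Current time):\s*'([^']+)'", re.M)
REQUIRED = {"ValidTo", "ValidFrom", "Current time"}


def parse_id4255(text):
    """Extract the three timestamps from an ID4255 trace as datetime objects."""
    found = {name: datetime.strptime(value, TS_FORMAT)
             for name, value in FIELD_RE.findall(text)}
    missing = REQUIRED - found.keys()
    if missing:
        raise ValueError(f"ID4255 trace is missing fields: {sorted(missing)}")
    return found


def token_lifetime(text):
    """Lifetime the STS actually issued: ValidTo - ValidFrom."""
    t = parse_id4255(text)
    return t["ValidTo"] - t["ValidFrom"]


def check_lifetime(text, configured_hours):
    """Compare the issued lifetime with the configured one.

    Returns a dict with the issued lifetime in hours, how long after ValidTo
    the rejected request arrived, and whether issued == configured.
    """
    t = parse_id4255(text)
    issued = t["ValidTo"] - t["ValidFrom"]
    return {
        "issued_hours": issued.total_seconds() / 3600,
        "expired_by": t["Current time"] - t["ValidTo"],
        "matches_configured": issued == timedelta(hours=configured_hours),
    }


if __name__ == "__main__":
    print(check_lifetime(TRACE, configured_hours=12))
```

If `matches_configured` is False while the relying-party setting says 12 h, the cap on the issued token is being applied somewhere other than that setting, which is the question the post is asking.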