Getting "BadContextToken" fault with reason as "The security context token is expired or is not valid. The message was not processed" RRS feed

  • Question

  • We have a client to MSD CRM WebServices interface written in Java. Intermittently we get below fault from MSD CRM :-

    We receive below SOAP response from MSD CRM server :-


    <?xml version="1.0" encoding="UTF-8"?>

    <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">


            <a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action>








                        <s:Value xmlns:a="http://schemas.xmlsoap.org/ws/2005/02/sc">a:BadContextToken</s:Value>




                    <s:Text xml:lang="en-US">The security context token is expired or is not valid. The message was not processed.</s:Text>





    - On re authenticating and getting a new Kerberos token, we do not get any such fault from MSD CRM server.

    There are below questions that we need your help to debug the issue further :-

    -          What is the root cause of the authentication failure issue at MSD CRM .

    -          Under what scenarios token gets invalidated/expired at MSD CRM ?

    -          If there is any idle timeout for a Kerberos token at MSD CRM/ IIS? Example :- The token is acquired with life time of 10 hours and used 1 hour after being issued.

    -          What is the inference from MSD CRM verbose trace showing authentication failure on message security verification? There is a complete call stack printed as well in MSD CRM trace.

    -          What are the best practices recommended to avoid such scenarios?

    -          Is there a check list to validate the configuration related to authentication and token validation at MSD CRM?

    -          Is there a cache maintained at MSD CRM to hold security token information for the clients communicating with MSD CRM? Is there any limit on size/time period of this cache?

    -          IS there any suggestions/precautions to be taken at Client code for this issue of token being invalidated at MSD CRM intermittently.


     Please let us know if you need any other information to understand the issue better. Please help as this is a show stopper for us!!

    Thursday, November 21, 2013 12:58 PM

All replies

  • Is CRM configured to use AD authentication, or IFD, or is it Crm Online ? If it's IFD there are some configurable parameters for token lifetime which can be set via Powershell

    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Thursday, November 21, 2013 3:59 PM
  • did you ever resolve this issue?
    Thursday, January 9, 2014 11:23 PM
  • Hi,

    For long running operation/connection, it is a best practice to refresh the security token. Below is excerpt from the linked page:

    In addition, monitor your WCF security token (Token) and refresh it before it expires so that you do not lose the token and have to start over with authentication. To check the token, create a custom class that inherits from the OrganizationServiceProxy or DiscoveryServiceProxy class and that implements the business logic to check the token. Or wrap the proxy classes in a new class. Another technique is to explicitly check the token before each call to the web service. Example code that demonstrates these techniques can be found in the ManagedTokenDiscoveryServiceProxy,ManagedTokenOrganizationServiceProxy, and AutoRefreshSecurityToken classes in the Helper Code: ServerConnection Class topic.

    Like you I ran into a similar issue with a multi-threaded data import program that could run for hours. After I adapted the said techniques using those classes the problem went away. I am not sure if this would benefit you since you are using Java but it is worth looking into.


    • Edited by Ronald Liu Friday, January 10, 2014 2:53 AM
    Friday, January 10, 2014 2:52 AM
  • Yeah, we've implemented the above recommendation, but still have the same issue. thx
    Friday, January 10, 2014 10:44 PM