Article ID: 124128, created on Jan 2, 2015, last review on Jan 2, 2016

  • Applies to:
  • Operations Automation 6.0
  • Operations Automation 5.5

Symptoms

Logging in to Windows Azure Pack does not work on January 1st each year.

The following error appears in Customer CP > Azure Pack Services:

[AZURE] {"Code":"InvalidSecurityToken","Message":"The security token cannot be verified.","Details":[]} 

The following error appears in /var/log/WAP/wap/log:

2015-01-01 11:19:55,370 INFO  LoggingFilter [apsc(2)] - 34 * [WAP<-AZURE] Client in-bound response
34 < 403
34 < X-AspNet-Version: 4.0.30319
34 < Date: Thu, 01 Jan 2015 09:19:55 GMT
34 < Content-Length: 95
34 < Expires: -1
34 < Content-Type: application/json; charset=utf-8
34 < X-Powered-By: ASP.NET
34 < Server: Microsoft-IIS/8.5
34 < Pragma: no-cache
34 < Cache-Control: no-cache
34 <
{"Code":"InvalidSecurityToken","Message":"The security token cannot be verified.","Details":[]}

The following error appears in Event Viewer on the WAP admin server:

Error:Unhandled exception: SecurityTokenValidationException: Jwt10306: Lifetime validation failed. The token is not yet valid.
ValidFrom: '12/31/2015 18:54:05'
Current time: '01/01/2015 18:54:05'.
<Exception>
<Type>SecurityTokenValidationException</Type>
<Message>Jwt10306: Lifetime validation failed. The token is not yet valid.
ValidFrom: '12/31/2015 18:54:05'
Current time: '01/01/2015 18:54:05'.</Message>
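To confirm from a captured token that a 403 is this lifetime failure rather than a certificate problem, the token's `nbf`/`exp` claims can be compared with the validator's clock. The following is an added example, not code from the original article or from Windows Azure Pack; the function names, the five-minute skew tolerance, the one-hour lifetime and the treatment of the logged times as UTC are assumptions, and the sample token is constructed.

```python
import base64
import json
from datetime import datetime, timedelta, timezone


def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified:
    this is for diagnosing a rejected token, never for trusting one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_lifetime(token, now=None, skew=timedelta(minutes=5)):
    """Classify the token against the validator's clock.
    Returns (status, offset): how far 'now' lies outside [nbf, exp]."""
    now = now or datetime.now(timezone.utc)
    claims = decode_claims(token)
    nbf = datetime.fromtimestamp(claims["nbf"], timezone.utc)
    exp = datetime.fromtimestamp(claims["exp"], timezone.utc)
    if now + skew < nbf:
        return "not_yet_valid", nbf - now
    if now - skew >= exp:
        return "expired", now - exp
    return "valid", timedelta(0)


def make_sample_token(nbf, exp):
    """Build a constructed, unsigned sample token for the demonstration."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"nbf": int(nbf.timestamp()), "exp": int(exp.timestamp())}
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig-placeholder"])


# Times taken from the event above, assumed here to be UTC; the one-hour
# token lifetime is also an assumption.
VALID_FROM = datetime(2015, 12, 31, 18, 54, 5, tzinfo=timezone.utc)
CURRENT = datetime(2015, 1, 1, 18, 54, 5, tzinfo=timezone.utc)
SAMPLE = make_sample_token(VALID_FROM, VALID_FROM + timedelta(hours=1))

if __name__ == "__main__":
    status, offset = check_lifetime(SAMPLE, now=CURRENT)
    print(status, offset)
```

An offset of about a year, as here, points to the issuer stamping the wrong year rather than to ordinary clock drift between servers.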

Cause

The Windows Azure Pack server has an expired security token lifetime.

Resolution

  1. Make sure that the MgmtSvc-AdminAPI and MgmtSvc-Usage site certificates are not expired.

  2. Switch the date forward by 1 year to match the valid-from period on the WAP admin, WAP adminapi, WAP adminauth, and all Active Directory servers in the WAP domain, and then revert it.

    NOTE: Switching the time may cause Kerberos tickets to expire, and the procedure would also require rebooting all Windows servers in this domain after switching the time back.

  3. Run the following PowerShell command on the WAPadminAPI server:

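    # SQL Server connection string passed to the cmdlet
    $cnctString = 'Data Source=HV-SQL;User ID=sa;Password=<password>'
    # Point the Admin and Tenant sites at the metadata endpoint (certificate validation is disabled)
    Set-MgmtSvcRelyingPartySettings -Target @('Admin', 'Tenant') -MetadataEndpoint http://WAP-APS:4486/wap/metadata.xml -ConnectionString $cnctString -DisableCertificateValidation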
    

    Replace:

    WAP-APS - with the POA management node IP address

    password - with the password set when exporting certificates from IIS; for additional details, please refer to page 13 of the documentation.

  4. If the steps above do not help, re-exporting the IIS certificates could help. Perform this as per the documentation or contact Microsoft technical support.

  5. The issue disappears by itself on January 2nd. Please contact Microsoft technical support to clarify the reasons for this behavior.

Search Words

cannot access azure portal

The security token cannot be verified

keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

[AZURE] {"Code":"InvalidSecurityToken", "Message":"The security token cannot be verified.", "Details":[]}

connection issues between OA and azure

blank screen

cannot access WAP admin or tenant portal, "The security token cannot be verified." recurring issue.
