Browser Blank Screen

Our users always get this screen when using the web version of Epicor for more than 15 minutes.

image1358×801 28.3 KB

I checked the server event log and noticed an invalid session id error.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="IceAppServer" /> 
  <EventID Qualifiers="0">0</EventID> 
  <Level>2</Level> 
  <Task>0</Task> 
  <Keywords>0x80000000000000</Keywords> 
  <TimeCreated SystemTime="2024-02-27T17:12:36.948727100Z" /> 
  <EventRecordID>4066149</EventRecordID> 
  <Channel>Epicor App Server</Channel> 
  <Computer>[OurEpicorAppServer].[OurActiveDirectoryDomain]</Computer> 
  <Security /> 
  </System>
- <EventData>
  <Data>Ice.Common.InvalidSessionException: Session with SessionID = 0ee4abd6-1a3d-45fd-a0ba-f2c6d0a2960a is invalid. Session has either timed out or has been deleted. You must login again to continue. at Ice.Hosting.SessionCache.Get[T](Guid sessionId) in C:\_releases\ICE\ICE4.2.400.11\Source\Server\Framework\Epicor.Ice\Hosting\SessionCache.cs:line 37 at Erp.Extensibility.SessionProvider.ErpSessionBuilder.GetSession(Guid sessionId, UserFileItem user) in C:\_releases\ERP\ERP11.2.400.0\Source\Server\Internal\Extensibility\SessionProvider\ErpSessionBuilder.cs:line 22 at Epicor.Hosting.CallContext.GetSession(UserFileItem user, ISessionBuilder sessionBuilder, Guid sessionId) in C:\_releases\ICE\ICE4.2.400.11\Source\Server\Framework\Epicor.Ice\Hosting\CallContext.cs:line 239 at Epicor.Hosting.CallContext.Create(Operation op, UserFileItem user, ISessionBuilder sessionBuilder) in C:\_releases\ICE\ICE4.2.400.11\Source\Server\Framework\Epicor.Ice\Hosting\CallContext.cs:line 122 at Ice.Security.AuthenticationHelper.CreateSession(HeaderCollection headers, String clientAddress, String action, UserFileItem user) in C:\_releases\ICE\ICE4.2.400.11\Source\Server\Framework\Epicor.Ice\Security\AuthenticationHelper.cs:line 51 at Ice.Hosting.AspNetCore.Middleware.AuthenticationMiddleware.CreateSession(HttpContext context, CurrentCallInformationService callInformation, HeaderCollection headers, UserFileItem user) in C:\_releases\ICE\ICE4.2.400.11\Source\Server\Hosting\AspNetCore\Ice.Hosting.AspNetCore\Middleware\AuthenticationMiddleware.cs:line 149 at Ice.Hosting.AspNetCore.Middleware.AuthenticationMiddleware.InvokeAsync(HttpContext httpContext, CurrentCallInformationService callInformation) in C:\_releases\ICE\ICE4.2.400.11\Source\Server\Hosting\AspNetCore\Ice.Hosting.AspNetCore\Middleware\AuthenticationMiddleware.cs:line 83 at Ice.Hosting.AspNetCore.Middleware.CallHeaderMiddleware.InvokeAsync(HttpContext httpContext) in C:\_releases\ICE\ICE4.2.400.11\Source\Server\Hosting\AspNetCore\Ice.Hosting.AspNetCore\Middleware\CallHeaderMiddleware.cs:line 52 at Ice.Hosting.AspNetCore.Middleware.OperationDisposerMiddleware.InvokeAsync(HttpContext httpContext) in C:\_releases\ICE\ICE4.2.400.11\Source\Server\Hosting\AspNetCore\Ice.Hosting.AspNetCore\Middleware\OperationDisposerMiddleware.cs:line 34 at Epicor.RESTApi.Middleware.ApiKeyEnforcerMiddleware.Invoke(HttpContext context) in C:\_releases\ICE\ICE4.2.400.11\Source\Server\Hosting\AspNetCore\Ice.Hosting.AspNetCore\Middleware\ApiKeyEnforcerMiddleware.cs:line 79 at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task) CorrelationId: 41629c00-5c35-4044-8e8f-05084e04d5ad</Data> 
  </EventData>
  </Event>

I cleared my session and it kicks me back to the login screen where I can login and work for another 15 min. Since telling our employees to clear their cookies every 15 min is not a real solution, I opened an epicare case back in august of last year. We found the issue is persistent across, all computers, all browsers, and all operating systems.

We use the on prem version of Kinetic and use active directory for our users to authenticate. We tried a few things to resolve the issue but to no avail:

• We are up to date on kinetic updates (11.2.400.11)
• We increased the Session Idle Timeout (minutes) to 4320 for the App Server on the Epic Admin Console.
• We increased the Idle Time-out (minutes) to 1740 for the Application Pool using Internet Information Services (IIS) Manager
• We changed the Idle Time-out Action from Terminate to Suspend for the Application Pool using IIS Manager.

Here are the current Application Server settings in Epicor Admin Console.

image322×706 52.9 KB

Here are the current IIS advanced settings for the application pool.

image783×865 105 KB

We really want to recommend the browser version to our users as it offers a superior experience, but it’s not an option because of this issue. If anyone has any suggestions, it would be very much appreciated.

Anything noteworthy in the client side console/error window?

Tried multiple different browsers I assume?

Tried with all add-ons (like ad blockers) disabled?

If its exactly 15 minutes those aren’t likely to be the issue… and I reread and see you have tried some of those things. Hmm

Are you able to test an account that authenticates directly to epicor?

What is the lifetime set on your tokens? (Admin Console)

I bet its set to 900

Its not exactly 15 minutes it may be even longer. Its possible it might even be up to one hour .

Which makes sense given that my Token Lifetime is set to 3600.

Should I be setting my token lifetime to be longer than my session timeout?

That’s a question for you and your security team. I was just curious if your token was expiring and that’s why the Browser Blank page was occurring.

And yes yours is set to one hour it seems.

What authentication mechanism are you using?
Epicor Identity?
Basic Login / Password?
Azure?
Other?

We use Basic Login.

I updated my token to expire after 480 Minutes. I also updated the session to expire after the same time on the admin console and on IIS. I’ll see if it fixes it. After trying it for a few hours.

Is your Epicor by chance hosted in a different Time Zone as your users?

Login to Epicor on the web and head over to ABCCode (Make sure this is a fresh login action)
Open the Developer Console and go over to the Network Tab

There open a Record (it doesn’t have to be in ABC Code) just make sure that the Network Tab of the Development Console is open

You’ll see a bunch fo calls like this click on the one that is clearly an Epicor BO call like Get BY ID

image756×889 47 KB

In that call on the Right Side of the panel you’ll see the Outgoing Request Heders there should be one called Authorization looks like this

image1316×126 8.34 KB

Copy that Token Value over to jwt.io and you’lll see the information within

image1087×602 30.5 KB

What is the EXP time? and how far away is it from your local time?

{
“exp”: “1709092379”,
“iat”: “1709063579”,
“iss”: “epicor”,
“aud”: “epicor”,
“username”: “johny”
}

image836×268 3.28 KB

My local time is 12:57 PM

image845×313 4.3 KB

Seems fairly close.

Yeah so it is saying your token expires at
2/27/2024, 10:52:59 PM *EST

Which is … 8 hours after issuance. That all looks good. Interesting though that it thought it was issued at
2/27/2024, 2:52:59 PM EST

I’m guessing you are 2 hours behind EST whatever time zone that is… if your server is in that same time zone then everything should be fine.

now you had your token TTL (Prior) set to 1 hour… which means that if your Browser Client was in a 1+ or 1- timezone it may have been the issue… (though I would assume that validation of the token should all be server side… yet… we know what happens when we assume)

I guess its a waiting game at this point. Thanks for all the help! I’ll report back tomorrow to see if updating my token expiration and session timeouts resolved the issue.

Do you have your Entra ID Platform set to Single-Page Application or Mobile and Desktop? I noticed that since 2021, it now expects SPA.

I’m not sure where do I check that?

See around Page 188 of the Kinetic Install Guide for K2022.2.

In Entra, it’s App Registration | Authentication.

That documentation refers to an azure active directory. We use our own active directory server not portal.azure.com. I’m not sure where to find that setting on our server. I’m assuming we would use Active Directory Admin Center but I’m not seeing any options their for Redirect URI.

Oh, never mind. If you’re using AD then this isn’t your problem. AD doesn’t have App Registrations. It only knows about domains/computers/users.

If you’re still running into this problem shoot me a case # and we will direct engage with support to come see what is going on from the browser ux team.

I don’t know of an issue related to session expiration timing like this offhand but we should figure it out if it’s active. We have been getting various intermittently occurring “blank screen” reports and are in the process of resolving all of them, but there are different causes for a screen not to load. This one seems like a unique variant we don’t have on our radar in pd yet…

I’ve had a case open for a while now.
CS0003817264 - Blank Screen on Web version of Epicor.

I have yet to find a solution. I messed with the session and token timeouts to no avail. I just barely found out that my session state on the server is set to use cookies and time out in 20 minutes.

image1824×2060 115 KB

I just changed it to the following settings and will report back with my findings: