Lifetime Validation Expired

When using the browser, we are seeing an error popup for users using the browser or when they log off the smart client. We have our environment using Azure authentication and were wondering if that is causing it. Can anyone help with this issue? We do have all workstations connected to a domain controller, the time is accurate to the domain controller, and the domain controller is accurate to a public NTP server.

e.Common.InvalidTokenException: IDX10223: Lifetime validation failed. The token is expired. ValidTo: ‘1/10/2024 10:05:49 PM’, Current time: ‘1/10/2024 10:11:22 PM’.
—> Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException: IDX10223: Lifetime validation failed. The token is expired. ValidTo: ‘1/10/2024 10:05:49 PM’, Current time: ‘1/10/2024 10:11:22 PM’.
at Microsoft.IdentityModel.Tokens.Validators.ValidateLifetime(Nullable1 notBefore, Nullable1 expires, SecurityToken securityToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateJWS(String token, TokenValidationParameters validationParameters, BaseConfiguration currentConfiguration, SecurityToken& signatureValidatedToken, ExceptionDispatchInfo& exceptionThrown)
— End of stack trace from previous location —
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, JwtSecurityToken outerToken, TokenValidationParameters validationParameters, SecurityToken& signatureValidatedToken)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Ice.Security.OpenIdConnect.TokenValidator.ValidateToken(String token, TokenValidationParameters validationParameters, ISecurityTokenValidator tokenValidator) in C:_releases\ICE\ICE4.2.400.7\Source\Server\Framework\Epicor.Ice\Security\OpenIdConnect\TokenValidator.cs:line 131
at Ice.Security.OpenIdConnect.TokenValidator.ValidateWithKeyRefresh(String token, TokenValidationParameters validationParameters, ISecurityTokenValidator tokenValidator, ITokenValidationFunctions originValidator) in C:_releases\ICE\ICE4.2.400.7\Source\Server\Framework\Epicor.Ice\Security\OpenIdConnect\TokenValidator.cs:line 119
at Ice.Security.OpenIdConnect.TokenValidator.Validate(String token, TokenValidationParameters validationParameters, ISecurityTokenValidator tokenValidator, ITokenValidationFunctions validationFunctions) in C:_releases\ICE\ICE4.2.400.7\Source\Server\Framework\Epicor.Ice\Security\OpenIdConnect\TokenValidator.cs:line 96
— End of inner exception stack trace —
at Ice.Security.OpenIdConnect.TokenValidator.Validate(String token, TokenValidationParameters validationParameters, ISecurityTokenValidator tokenValidator, ITokenValidationFunctions validationFunctions) in C:_releases\ICE\ICE4.2.400.7\Source\Server\Framework\Epicor.Ice\Security\OpenIdConnect\TokenValidator.cs:line 96
at Ice.Security.OpenIdConnect.TokenValidator.Validate(String token, String& alternateIdentityFieldToUse) in C:_releases\ICE\ICE4.2.400.7\Source\Server\Framework\Epicor.Ice\Security\OpenIdConnect\TokenValidator.cs:line 57
at Ice.Security.AuthenticationHelper.TokenAuthCheck(String token, Boolean isRpcCall) in C:_releases\ICE\ICE4.2.400.7\Source\Server\Framework\Epicor.Ice\Security\AuthenticationHelper.cs:line 220
at Ice.Security.AuthenticationHelper.GetUserId(String authorizationScheme, String authorizationValue, Boolean isRpcCall, HeaderCollection headers) in C:_releases\ICE\ICE4.2.400.7\Source\Server\Framework\Epicor.Ice\Security\AuthenticationHelper.cs:line 89
at Ice.Hosting.AspNetCore.Middleware.AuthenticationMiddleware.CheckAccess(HeaderCollection headers, Boolean isRpcCall, StringValues authorizationHeader) in C:_releases\ICE\ICE4.2.400.7\Source\Server\Hosting\AspNetCore\Ice.Hosting.AspNetCore\Middleware\AuthenticationMiddleware.cs:line 127
at Ice.Hosting.AspNetCore.Middleware.AuthenticationMiddleware.InvokeAsync(HttpContext httpContext, CurrentCallInformationService callInformation) in C:_releases\ICE\ICE4.2.400.7\Source\Server\Hosting\AspNetCore\Ice.Hosting.AspNetCore\Middleware\AuthenticationMiddleware.cs:line 83
at Ice.Hosting.AspNetCore.Middleware.CallHeaderMiddleware.InvokeAsync(HttpContext httpContext) in C:_releases\ICE\ICE4.2.400.7\Source\Server\Hosting\AspNetCore\Ice.Hosting.AspNetCore\Middleware\CallHeaderMiddleware.cs:line 52
at Ice.Hosting.AspNetCore.Middleware.OperationDisposerMiddleware.InvokeAsync(HttpContext httpContext) in C:_releases\ICE\ICE4.2.400.7\Source\Server\Hosting\AspNetCore\Ice.Hosting.AspNetCore\Middleware\OperationDisposerMiddleware.cs:line 34
at Epicor.RESTApi.Middleware.ApiKeyEnforcerMiddleware.Invoke(HttpContext context) in C:_releases\ICE\ICE4.2.400.7\Source\Server\Hosting\AspNetCore\Ice.Hosting.AspNetCore\Middleware\ApiKeyEnforcerMiddleware.cs:line 79
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)
CorrelationId: ba539170-234b-4c26-8043-0342c9fcbc7a

Is the current time shown accurate?

Does this happen if you login and then logout immediately (better in Incognito mode in browser)?

The current time shown is in UTC, but it matches with the time zone offset. But that could be the issue. My app server log in Event Viewer is what is showing this error.

Hi, I got the exact same token error randomly. We are using Azure AD SSO as well. We checked NTP on the app server and it’s good. The expiration is the token from Azure AD. In the event logs on the Epicor app server, we can see lots of these errors, but without the browser popup. I think what happens here is that sometimes Epicor fails to renew the Azure token before expiration?

We still have the issue, but if the user clicks cancel on the popup and refreshes (F5), it reloads the page successfully.

For example, if the computer goes to sleep, then tokens cannot be refreshed, and after it wakes up you will most probably see this error in the log.
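Added example, not part of any post in this thread and not Epicor code: a log triage sketch that measures how far past `ValidTo` each IDX10223 rejection was, to separate a refresh that fired slightly late from a stale token replayed after sleep. It assumes the server uses the Microsoft.IdentityModel default `ClockSkew` of 5 minutes; the 30-minute threshold, the labels and the function name `triage` are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Assumption: the server keeps the Microsoft.IdentityModel default ClockSkew
# (5 minutes); the thread does not say what Epicor configures.
CLOCK_SKEW = timedelta(minutes=5)
# Assumption: a token this far past the grace window came from a suspended
# client (sleep, closed lid), not from a refresh that fired slightly late.
STALE_AFTER = timedelta(minutes=30)

_Q = "'\u2018\u2019"  # logs may carry straight or typographic quotes
_PATTERN = re.compile(
    rf"IDX10223:.*?ValidTo: [{_Q}]([^{_Q}]+)[{_Q}], Current time: [{_Q}]([^{_Q}]+)[{_Q}]"
)
_FMT = "%m/%d/%Y %I:%M:%S %p"

# First two lines repeat the message from this thread (outer and inner
# exception); the last two are constructed for illustration.
SAMPLE_LOG = """\
InvalidTokenException: IDX10223: Lifetime validation failed. The token is expired. ValidTo: ‘1/10/2024 10:05:49 PM’, Current time: ‘1/10/2024 10:11:22 PM’.
SecurityTokenExpiredException: IDX10223: Lifetime validation failed. The token is expired. ValidTo: ‘1/10/2024 10:05:49 PM’, Current time: ‘1/10/2024 10:11:22 PM’.
IDX10223: Lifetime validation failed. The token is expired. ValidTo: '1/9/2024 5:30:00 PM', Current time: '1/10/2024 7:45:10 AM'.
IDX10223: Lifetime validation failed. The token is expired. ValidTo: '1/10/2024 8:00:00 AM', Current time: '1/10/2024 8:03:00 AM'.
"""


def triage(log_text):
    """Return one finding per distinct IDX10223 rejection in log_text."""
    findings, seen = [], set()
    for valid_to_s, now_s in _PATTERN.findall(log_text):
        if (valid_to_s, now_s) in seen:  # inner exception repeats the outer one
            continue
        seen.add((valid_to_s, now_s))
        past_expiry = datetime.strptime(now_s, _FMT) - datetime.strptime(valid_to_s, _FMT)
        past_grace = past_expiry - CLOCK_SKEW
        if past_grace <= timedelta(0):
            label = "inside-assumed-skew"  # server skew is smaller than assumed
        elif past_grace < STALE_AFTER:
            label = "late-refresh"
        else:
            label = "stale-session"
        findings.append({"valid_to": valid_to_s, "label": label,
                         "seconds_past_expiry": int(past_expiry.total_seconds())})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Under the assumed 5-minute skew, the rejection quoted at the top of the thread was 333 seconds past `ValidTo`, which is 33 seconds beyond the grace window.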

We have this issue, also Azure SSO. It can be a somewhat short window and can affect the “handoff” of the authentication to the client with the new method of launching classic UI from the web interface, which makes for a really frustrating interaction because you can’t just refresh.

Did you have any luck figuring anything out besides refreshing when you hit the error?

No we have not.

We continue to encounter this issue without any resolution from EpicCare. Anyone discover root cause?

The PRB has been around for a hot minute… but I’ve been tracking it for a while.
It states it’s for this issue and is now in “Testing”, but it’s been in and out of testing many times. I’m not overly hopeful.

PRB0255752
https://epiccare.epicor.com/u_task_communication.do?sys_id=82d39c7cdb20e518d426576ed3961918

This still occurs for us, but does seem to occur less often. Or at least users are complaining less.