Symptoms

Logging in to Windows Azure Pack does not work on January 1st each year.

The following error appears in Customer CP > Azure Pack Services:

[AZURE] {"Code":"InvalidSecurityToken","Message":"The security token cannot be verified.","Details":[]} 

The following error appears in /var/log/WAP/wap/log:

2015-01-01 11:19:55,370 INFO  LoggingFilter [apsc(2)] - 34 * [WAP<-AZURE] Client in-bound response
34 < 403
34 < X-AspNet-Version: 4.0.30319
34 < Date: Thu, 01 Jan 2015 09:19:55 GMT
34 < Content-Length: 95
34 < Expires: -1
34 < Content-Type: application/json; charset=utf-8
34 < X-Powered-By: ASP.NET
34 < Server: Microsoft-IIS/8.5
34 < Pragma: no-cache
34 < Cache-Control: no-cache
34 <
{"Code":"InvalidSecurityToken","Message":"The security token cannot be verified.","Details":[]}

The following error appears in Event Viewer on the WAP admin server:

Error:Unhandled exception: SecurityTokenValidationException: Jwt10306: Lifetime validation failed. The token is not yet valid.
ValidFrom: '12/31/2015 18:54:05'
Current time: '01/01/2015 18:54:05'.
<Exception>
<Type>SecurityTokenValidationException</Type>
<Message>Jwt10306: Lifetime validation failed. The token is not yet valid.
ValidFrom: '12/31/2015 18:54:05'
Current time: '01/01/2015 18:54:05'.</Message>

Cause

The Windows Azure Pack server holds a security token with an invalid lifetime: as the event log shows, the token's ValidFrom date lies a year ahead of the current time, so lifetime validation rejects it as not yet valid.

Resolution

  1. Make sure that the MgmtSvc-AdminAPI and MgmtSvc-Usage site certificates have not expired.

  2. Set the date forward by one year to match the ValidFrom period on the WAP admin, WAP adminapi, WAP adminauth, and all Active Directory servers in the WAP domain, then revert it.

    NOTE: switching the time may cause Kerberos tickets to expire, and the procedure also requires rebooting all Windows servers in this domain after switching the time back.

  3. Run the following PowerShell command on the WAP adminAPI server:

    # Connection string for the WAP configuration database (replace <password> as described below)
    $cnctString = 'Data Source=HV-SQL;User ID=sa;Password=<password>'
    # Re-register the relying party settings for the Admin and Tenant sites against the POA metadata endpoint
    Set-MgmtSvcRelyingPartySettings -Target @('Admin', 'Tenant') -MetadataEndpoint http://WAP-APS:4486/wap/metadata.xml -ConnectionString $cnctString -DisableCertificateValidation

    In the command above, replace:

    WAP-APS - with the POA management node IP address

    <password> - with the password set when exporting certificates from IIS; for additional details, refer to page 13 of the documentation.

  4. If the steps above do not help, re-exporting the IIS certificates may help. Perform this as described in the documentation or contact Microsoft technical support.

  5. The issue disappears by itself on January 2nd. Please contact Microsoft technical support to clarify the reasons for this behavior.
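As an added triage check (not from the original article and not Microsoft's code), the following Python parses the Jwt10306 event message shown in Symptoms, reproduces the JWT lifetime rule that produced it, and tests whether setting the clock forward by a year, as in step 2, would let the token pass. The 5-minute clock-skew allowance and the 365-day shift are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed copy of the Jwt10306 message from the article (same US-style date format).
SAMPLE_EVENT = (
    "Jwt10306: Lifetime validation failed. The token is not yet valid.\n"
    "ValidFrom: '12/31/2015 18:54:05'\n"
    "Current time: '01/01/2015 18:54:05'."
)

TIME_FMT = "%m/%d/%Y %H:%M:%S"
_FIELD = re.compile(r"(ValidFrom|Current time):\s*'([^']+)'")


def parse_jwt10306(message):
    """Extract (valid_from, current_time) from a Jwt10306 lifetime-failure message."""
    fields = {k: datetime.strptime(v, TIME_FMT) for k, v in _FIELD.findall(message)}
    return fields["ValidFrom"], fields["Current time"]


def check_lifetime(valid_from, now, valid_to=None, skew=timedelta(minutes=5)):
    """Model JWT lifetime validation: usable only inside [ValidFrom - skew, ValidTo + skew].
    Returns None when the token is valid, otherwise a short reason string."""
    if now < valid_from - skew:
        return "not yet valid (ValidFrom is %s ahead of the clock)" % (valid_from - now)
    if valid_to is not None and now > valid_to + skew:
        return "expired"
    return None


def diagnose(message):
    """Report whether the failure matches the article's pattern (ValidFrom about one
    year ahead) and whether the step-2 clock shift (assumed 365 days) would fix it."""
    valid_from, now = parse_jwt10306(message)
    offset = valid_from - now
    return {
        "offset_days": offset.days,
        "year_ahead": timedelta(days=360) <= offset <= timedelta(days=370),
        "fails_now": check_lifetime(valid_from, now) is not None,
        "passes_with_clock_forward": check_lifetime(valid_from, now + timedelta(days=365)) is None,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_EVENT))
```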
