Server Error in '/sit-auth' Application - Token is invalid when authenticating user into Solution Studio

2024-12-03T15:21:21.000-0500

Summary

The "Server Error in '/sit-auth' Application - Token is invalid" message is shown when attempting to access Solution Studio with a Windows AD User. This is a UMC-related authentication issue encountered during a migration from an older version of OPCENTER EXECUTION FOUNDATION (UMC 2.9 SP3) to version 2407 or later (UMC 2.13). The ETW trace reports: "Unable to retrieve a valid identity from UMC token". Event Viewer reports a UMC error in the SL_AuthenticateWindowsLoggedUser method.


Details

Prerequisites:

  • User is a Domain User
  • Migration has been performed from an older version of OPCENTER EXECUTION FOUNDATION to a version >= OPCENTER EXECUTION FOUNDATION 2407

Steps to verify the issue:

  • Log in to Solution Studio with a Windows AD User
  • Verify that the error message shown in the UI is: "Server Error in '/sit-auth' Application - Token is invalid"

Error Details:

  • ETW: UmcAuthenticationHandler.InvokeAsync - Unable to retrieve a valid identity from Umc token
  • Event Viewer: Siemens.SimaticIT.Platform.Common.QoS.UmcException: UMC: error in SL_AuthenticateWindowsLoggedUser method

Behavior:

After the product migration, the "UMC User Details - Account Policy" UI is not updated to the latest version of UMC (refer to the image below), where the three autologoff mode options should be present.

This is due to the cache retaining the old interface, with non-selectable options and an auto logoff value that cannot be changed via the UI.
Specifically, the auto logoff time in UMC is automatically set to 0 and the field is not editable for domain users from the "Details - Account Policy" section.

UMCOld.png

Note that this issue persists even when the SessionAge value in the umcsso_config.JSON file, located in C:\ProgramData\Siemens\UserManagement\CONF, is greater than 0.

Solution:

  • Run the following command:
    umx -x <umcadminuser> <umcadminpassword> -U -u <username_to_update> -s -al 30

where -al sets the auto-logoff time in minutes.

Command example: umx -x admin adminpassword -U -u domain\username -s -al 30

This command sets the auto logoff value to 30 minutes, which will be visible in the UI accordingly.

  • Clear the cache of the browser and refresh the page

After that, it should be possible to see the new UMC user with:

  • The three autologoff mode options available
  • The default auto logoff value set to 30, if Default option is used

UMCOptions.png

As provided by the product, these are the three options available for the autologoff mode in OPCENTER EXECUTION FOUNDATION version >= 2407:

  • Default: The system uses the default session timeout. For example, the DSSO will be infinite and the WEBSSO will be determined by the IdP configuration.
  • Disabled: SSOs are never timed out.
  • User Defined: The sessions will time out according to the value in the "Auto logoff time" field.

Note that if the user expiration date is defined, then sessions can never be infinite.

After applying the suggested solution, the Domain User will be able to remain logged into Solution Studio without receiving messages about an expired token.

KB Article ID# KB000155909_EN_US
