This happens with our IFS10UPD4 installation only when we restart the middleware whilst people are still logged in. When the users try to use IFS again, they get that message and have to restart IFS.
Sorry it isn’t a more useful contribution.
Hi @reimccabe,
I am not sure if the following information may be valuable on your issue but felt it may help someone with the same error, “Reauthentication failed. The application will shut down”, with SSO/ADFS.
The following is the ‘re-authentication’ behavior in the EE client.
When the user logs in and works in the IFS Enterprise Explorer client, the client session is refreshed based on the session timeout (default 10 minutes). When the current session times out, the “Access Token” given by the ADFS server is used to refresh the client session. The Access Token has a lifetime of about 1 hour by default. Once the Access Token expires, the “Refresh Token” given by the ADFS server is used to obtain a new Access Token. This Refresh Token has a maximum lifetime of 7 days according to the ADFS documentation.
Once the Refresh Token expires it will not be possible to get any new Access Tokens. Therefore, re-authentication will fail, and the user will be prompted for credentials.
You can also refer to the following link and the extract from the ADFS documentation:
https://docs.microsoft.com/sv-se/windows-server/identity/ad-fs/operations/ad-fs-single-sign-on-settings
“If the device is not registered but a user selects the “keep me signed in” option, the expiration time of the refresh token will equal the persistent SSO cookies lifetime for “keep me signed in” which is 1 day by default with maximum of 7 days. Otherwise, refresh token lifetime equals session SSO cookie lifetime which is 8 hours by default”
There have been reports of this issue, and the recommendation was to change the following ADFS properties as below.
KmsiEnabled=true
SSOLifeTime=1440
So the possible solution is to delay the "timeout" of the refresh token by increasing the SSO timeout in the ADFS settings, and so prevent the end user from being logged out due to technical limitations in the client. But you can tune these parameters according to the usage of your environment by referring to the logged information regarding the usage.
Hope this information may help.
Best Regards,
Yasas
Thank you, Yasas! Our DBA was looking for where to set this because it’s not in the expected location. I’ll send him these notes and hopefully we can avoid this in future.
Oh wait, we’re not SSO. We have the standard login.