Forum Discussion

CBetrisey_16596
Aug 06, 2014

Security Context expired

Hi, we just installed an F5 load balancer in front of 2 Microsoft CRM Dynamics 2011 web servers. A CRM Asynchronous server is running on a separate server and accesses CRM through F5. Since we switched this on, some of our custom workflows are failing with the following error: "An unsecured or incorrectly secured fault was received from the other party" "The security context token is expired or is not valid. The message was not processed."

I read someplace that this is related to WCF and could be caused by time differences between the servers. Our server clocks are synchronized correctly. Does anyone have an idea why this could happen? The processes that fail are calling the CRM SDK several times. Is it possible that not all calls are going to the same CRM server? How can we ensure that all calls to CRM stick to the same server?

Thanks, Christian Betrisey

4 Replies

  • mikeshimkus_111
    Historic F5 Account

    Hi Christian, I'm unfamiliar with the asynchronous service. Did you deploy manually, or using the IIS/HTTP iApp template? We're going to be publishing a template for CRM in a few days, BTW, so keep an eye out for that here: https://devcentral.f5.com/wiki/iapp.Codeshare.ashx

    The first thing I might try is adding an iRule to the CRM virtual server to log all requests and responses, for example:

    # Troubleshooting aid: logs host, URI, every header and every cookie for each request and response.
    # Cookie values are written to the log in clear text; remove the iRule once troubleshooting is done.
    when HTTP_REQUEST {
        log local0. "Request:[HTTP::host][HTTP::uri]:[HTTP::header names]"
        foreach cookie [HTTP::cookie names] {
            log local0. "Cookie name: $cookie, Cookie value: [HTTP::cookie value $cookie]"
        }
        foreach aHeader [HTTP::header names] {
            log local0. "$aHeader: [HTTP::header value $aHeader]"
        }
    }
    when HTTP_RESPONSE {
        log local0. "Response: [HTTP::status]:[HTTP::header names]"
        foreach cookie [HTTP::cookie names] {
            log local0. "Cookie name: $cookie, Cookie value: [HTTP::cookie value $cookie]"
        }
        foreach aHeader [HTTP::header names] {
            log local0. "$aHeader: [HTTP::header value $aHeader]"
        }
    }
    

    The fix may be something as simple as applying source IP persistence to the requests from the server running the asynchronous service, based on the URI identified by the previous iRule (because it may not support cookie persistence, for example). The iRule to do that would be something like:

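    when HTTP_REQUEST {
        switch -glob -- [string tolower [HTTP::uri]] {
            "/uri_used_by_async_service*" {
                # Placeholder pattern (lower case): replace it with the URI identified by the logging iRule
                log local0. "Asynchronous service"
                pool your_crm_pool_name
                persist source_addr
                return
            }
        }
    }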
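
The failure mode asked about in the question and the source-address persistence fix suggested in this reply, as an added Python model (not code from the thread or from F5). It assumes the WCF security context token is held only in the memory of the CRM server that issued it and that the pool otherwise uses round robin; the class names, node names and client address are hypothetical.

```python
"""Added illustration: one security context token (SCT) behind a two-node pool."""
import itertools
import secrets

FAULT = "fault: security context token is expired or is not valid"


class CrmNode:
    """Hypothetical CRM web server; SCTs it issues exist only in its own memory."""

    def __init__(self, name):
        self.name = name
        self.contexts = set()

    def issue_sct(self):
        token = secrets.token_hex(8)
        self.contexts.add(token)
        return token

    def sdk_call(self, token):
        # A node that never issued this token has no context to validate it against.
        return "ok" if token in self.contexts else FAULT


class LoadBalancer:
    """Round robin, optionally with a source-address persistence table."""

    def __init__(self, nodes, persist_source_addr):
        self._next = itertools.cycle(nodes)
        self.persist_source_addr = persist_source_addr
        self.table = {}  # client IP -> node chosen on first contact

    def pick(self, client_ip):
        if self.persist_source_addr and client_ip in self.table:
            return self.table[client_ip]
        node = next(self._next)
        if self.persist_source_addr:
            self.table[client_ip] = node
        return node


def run_workflow(persist_source_addr, sdk_calls=4, client_ip="192.0.2.10"):
    """Negotiate one SCT, then make several SDK calls through the balancer."""
    lb = LoadBalancer([CrmNode("crm1"), CrmNode("crm2")], persist_source_addr)
    token = lb.pick(client_ip).issue_sct()
    return [lb.pick(client_ip).sdk_call(token) for _ in range(sdk_calls)]


if __name__ == "__main__":
    print("round robin only:", run_workflow(False))
    print("source_addr     :", run_workflow(True))
```

In the model, only the calls that land on the node that did not issue the token fail, so a workflow that makes several SDK calls fails intermittently rather than on every call.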
    
  • Mike, thanks for your tips. I don't know how this was deployed. The person who did it is out this week. I will forward this information to him. The CRM async Server is a CRM service that is executing all asynchronous operations (workflows and some plugins). This service accesses CRM via the SDK (WCF web services). It is typically installed on a dedicated server. I don't believe that we have done anything special on this server.

    Christian

  • Getting the same error with F5 sitting in front of load balanced CRM 2013 web servers. Did you find a solution to this problem?