Troubleshooting: SAML2 token errors with Microsoft Entra ID / Office 365 Authentication

Note

Azure Active Directory is now Microsoft Entra ID. Learn more

This article provides troubleshooting guidelines for SAML2 token errors that users might experience when your deployment's using Microsoft Entra ID or Office 365 Authentication.

Troubleshooting: The SAML2 token is not valid because its validity period has ended

When using Microsoft Entra authentication, while working in the client, users get an error similar to the following message:

Connection is not longer available or was lost

The event log includes the following error for the Business Central Server instance:

The SAML2 token is not valid because its validity period has ended.

Cause

This error occurs because the security token that's used by Microsoft Entra ID has exceeded its specified lifetime. By default, the lifetime, which is determined by Microsoft Entra ID, is 1 hour.

Resolution

The Business Central Server includes a configuration setting called ExtendedSecurityTokenLifetime that you can set to add additional time to the security token lifetime. If this issue becomes a problem, you can increase the value of the ExtendedSecurityTokenLifetime setting. Before you do, read more about the Microsoft Entra token lifetime policies at Configurable token lifetimes in Microsoft Entra ID.

ID4148: The Saml2SecurityToken is rejected because the SAML2:Assertion's NotOnOrAfter condition is not satisfied

While working in the Windows client, users get an error similar to the following:

ID4148: The Saml2SecurityToken is rejected because the SAML2:Assertion's NotOnOrAfter condition is not satisfied.

Cause

The Windows client times out when it has been connected for 9 hours or more. The timeout is an internal setting and can't be changed.

Resolution

Close and reopen the Windows client.

Authenticating Business Central Users with Microsoft Entra ID
Configuring Business Central Server