Why is a sign in request from My Apps always expired?

Michael Sullivan 36 Reputation points
2023-01-27T16:04:03.2+00:00

We have an enterprise application that we set up in our Azure Active Directory for single sign-on. When we click on the icon on https://myapplications.microsoft.com we get an error saying that the request has expired, every time. This happens to everyone, regardless of how long they've been signed in to Office. I've found some pages that list all the AADSTS codes, but this one doesn't appear. Any ideas?

sso

Request Id: ffb1bf76-e8c0-48e5-9a14-c73f23993801

Correlation Id: db884c88-45c5-4302-9c71-2ff94d6bfd1b

Timestamp: 2023-01-27T14:53:32Z

Message: AADSTS76026: The request has expired. Try to submit new request.


2 answers

  1. JimmySalian-2011 41,631 Reputation points
    2023-01-27T16:52:19.5+00:00

    Hi,

    It seems to be an issue in the config of the application. Did you check whether any conditional access policy applied to the devices could be interfering with the auth request?

    Also check the system time and clock settings on the devices. If all is in order, I will suggest you involve the developer of the app and Microsoft to investigate this issue.

    Hope this helps.

    JS

    ==

    Please Accept the answer if the information helped you. This will help us and others in the community as well.


  2. Marilee Turscak-MSFT 32,551 Reputation points Microsoft Employee
    2023-01-30T21:56:28.3033333+00:00

    Hi Michael Sullivan ,

    I'm not sure if you had a chance to review my previous comment, but I had a discussion with the product team and learned that the error AADSTS76026 is mapped to the exception code RequestIssueTimeExpired, which suggests the IssueTime in a request is expired.

    In your case, the failure happened at PerformSignatureValidation: the SAML IssueInstant was more than 10 minutes old. You received the following error:

    1:Expired grant blob key use detected.66:Signature verification failed: too old request, valid to 01/27/2023 14:11:32
    

    It's possible that you have signature verification enforced, or you may need to verify that the public certificate in the settings that you have registered for the IdP is the right value. If this error still does not make sense, I would recommend a Fiddler trace covering the full flow to better understand how the signature time in the auth request gets so old. Sometimes this is caused by clock skew issues.

    Let me know if this helps, and feel free to share any Fiddler traces you are able to collect. I'm also happy to discuss this over email if you prefer.

    -

    If the information helped you, please Accept the answer. This will help us as well as others in the community who might also be researching this error.

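As an added example, not part of the original thread or of any Microsoft code: a Python check that reproduces the IssueInstant window the answer above describes (the 10-minute maximum age is as stated; the 5-minute allowance for future-dated requests, the sample AuthnRequest and its URL are assumptions), using the timestamps from the quoted error as constructed input so a service provider operator can see how far off a request's clock actually is.

```python
# Added example: validate a SAML AuthnRequest's IssueInstant against the window
# behind AADSTS76026 / RequestIssueTimeExpired.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_AGE = timedelta(minutes=10)     # window quoted in the answer above
FUTURE_SKEW = timedelta(minutes=5)  # assumed tolerance for a fast SP clock

@dataclass
class IssueInstantCheck:
    issue_instant: datetime
    valid_until: datetime
    age: timedelta          # now - IssueInstant; negative means future-dated
    ok: bool
    reason: str

def parse_saml_instant(value: str) -> datetime:
    # SAML IssueInstant is an xs:dateTime in UTC, e.g. 2023-01-27T14:01:32Z
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("IssueInstant must carry a timezone designator")
    return ts.astimezone(timezone.utc)

def check_issue_instant(authn_request_xml: str, now: datetime) -> IssueInstantCheck:
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    issued = parse_saml_instant(root.attrib["IssueInstant"])
    valid_until = issued + MAX_AGE
    age = now - issued
    if age > MAX_AGE:  # the case in the thread: request seen long after it was issued
        reason = f"too old request, valid to {valid_until:%m/%d/%Y %H:%M:%S}"
        return IssueInstantCheck(issued, valid_until, age, False, reason)
    if -age > FUTURE_SKEW:  # SP clock ahead of the IdP: also a clock-skew symptom
        reason = f"IssueInstant is {-age} in the future; check the SP clock"
        return IssueInstantCheck(issued, valid_until, age, False, reason)
    return IssueInstantCheck(issued, valid_until, age, True, "within window")

# Constructed sample: IssueInstant 10 minutes before the "valid to" time in the
# quoted error, checked at the timestamp from the question (14:53:32Z).
SAMPLE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2023-01-27T14:01:32Z" '
    'AssertionConsumerServiceURL="https://sp.example.invalid/saml/acs"/>'
)
SEEN_AT = datetime(2023, 1, 27, 14, 53, 32, tzinfo=timezone.utc)
if __name__ == "__main__":
    print(check_issue_instant(SAMPLE_REQUEST, SEEN_AT).reason)
```

Run against the constructed sample it reports the same "too old request, valid to 01/27/2023 14:11:32" condition as the quoted log, with an age of 52 minutes; a request issued within the last 10 minutes passes.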