As a preface, we are using AzureAD authentication and almost all of our users are using the browser.
After upgrading from 2023.2.25 to 2023.2.26, we immediately started to notice a spike in our active license count. I thought that was strange, so I did some digging into the license timeouts.
In 2023.2.25 when a user is idle on the homepage, a license is returned after the license timeout period (15 minutes for all users). This can be recreated in the Smart Client and browser. This is working as it always has.
In 2023.2.26 when a user is idle on the homepage, a license is always being consumed and never times out - even when they have locked their computer and have left for the day. This can be recreated in the Smart Client and browser.
Tracing the network traffic in the browser shows that version 2023.2.26 is now calling IsTokenValid every 5 minutes and keeps the session active indefinitely as long as the tab or client is open. GetBallonRowsKeepIdleTime doesn’t change the idle time as expected. Strangely, IsTokenValid is not even checking a good token anyway (DUMMY_TOKEN ??) and always throws an exception in the server log.
<Exception act="unknown" machine="abc" pid="6340" tid="994"><![CDATA[System.UnauthorizedAccessException: Bad token
at Ice.Security.Token.JsonWebToken.Parse(String token, Byte[] keyBytes) in C:\_releases\ICE\ICE4.2.400.26\Source\Server\Framework\Epicor.Ice\Security\Token\JsonWebToken.cs:line 194
at Ice.Security.Token.AuthTokenHelper.CheckToken(String token, String userId, DateTime& validTillUtc) in C:\_releases\ICE\ICE4.2.400.26\Source\Server\Framework\Epicor.Ice\Security\Token\AuthTokenHelper.cs:line 58]]></Exception>
System.UnauthorizedAccessException: Bad token
at Ice.Security.Token.JsonWebToken.Parse(String token, Byte[] keyBytes) in C:\_releases\ICE\ICE4.2.400.26\Source\Server\Framework\Epicor.Ice\Security\Token\JsonWebToken.cs:line 194
at Ice.Security.Token.AuthTokenHelper.CheckToken(String token, String userId, DateTime& validTillUtc) in C:\_releases\ICE\ICE4.2.400.26\Source\Server\Framework\Epicor.Ice\Security\Token\AuthTokenHelper.cs:line 58
I don’t know if something in our configuration is wrong or missed a major change in the release notes.
I’ve logged a case with support, but not getting anywhere so I figure I’d mention it here. I’m hoping we don’t all rush and buy more licenses until we can get to the bottom of this🙂
I will definitely be keeping an eye on this one. Many of us on this site have spent countless hours optimizing our timeouts and license counts in order to buy “just enough”… A “bug” like this throws off the entire pricing model of concurrent user licensing… I hope this was an accident and not Epicor trying to pull a fast one on us…
Hey @TomAlexander, can I ask what you are using for authentication? I just tried with Basic Authentication and IsTokenValid is no longer called and the license times out after 15 minutes as expected. The issue may be isolated to those using AzureAD
Hello @mbayley, we upgraded from 2023.2.20 to 2023.2.27 last weekend and are also seeing a spike in license usage this week, we are using Azure AD. Been going back and forth with support but haven’t really made any progress. It seems to reset the session timer every time the TokenService/IsTokenValid process is called, every 5 minutes (unless the user closes their browser, then the session is released 15 minutes later). Have you been able to make any progress on the issue?
All I’ve managed to get from support is that this has been confirmed as a bug. I don’t have a PRB number yet. I can confirm that this issue will only affect those using Azure AD or Epicor Idp authentication
For now I’ve been monitoring the session log and deleting sessions for users who stay signed in all day when I know they shouldn’t.
I also sent an email to all of our users to ask them to close all their Kinetic Browser tabs when they are done with it in an attempt to help me out a bit.
Even with this we usually hit our license limit in the mid morning each day
We went from 2023.2.13 to 2024.1.13 and also see a spike. We ended up having to purchase 35 additional seats to keep the floor operational. Also seeing the same token renewal way more frequently.
Workaround:
If you’re on prem, you can stop the dummy IsTokenValid request from being sent.
Modfiy \Server\Apps\ERP\Home\main.86964f04c6bb2034.js
Replace
Yikes. Epicor has a clause in their contract where if you cancel modules or licenses and then reinstate them down the road, you have to pay maintenance for all the time you missed. When they fix this issue you may have to fight to un-purchase those licenses and ensure you don’t pay a penalty in the future.
We haven’t noticed this but we have almost nobody using the browser so far. This is going to be a huge problem if they force us all to the browser in 2025.1 as planned.
Thanks for making this post Mike and bringing more attention to this issue!
I’m really glad to see we aren’t the only customers dealing with this. I just noticed a spike our license usage within the past few weeks and there weren’t a lot of indicators as to what was causing the issue.
I had the same experience where support didn’t really have much to offer on it at that time. Good to know it’s being classified as a bug and will hopefully be passed to a PRB soon.
I’ve been manually closing sessions as needed throughout the day as a workaround for the time being but it certainly has caused plenty of issues.
Hopefully it’ll get resolved soon because it’s definitely slowed things down as a whole.
