16:36:56:853 EST,Client IP Address = 255.255.255.255,Client Port = 1058,Result Code = 0,Result Action = User Token Failed,Result Reason = Token error

Mar 30, 2004 8:52:39 AM EST - [8240] - <Critical> - Unable to create token. Authorization server returned: 15

Dec 22, 2005 11:42:53 AM CST - [2336] - <Debug> - exception_type=TokenException, msg=(Token decryption failed)

Typically these error messages appear as expected behavior, and can be ignored.

More information on cookie decryption errors

All ClearTrust cookies are encrypted with an encryption key that is changed on a periodic basis. The frequency of key creation is determined by the cleartrust.keyserver.session_key_life setting in the keyserver.conf file. By default, this value is 30 minutes. The keyserver holds 14 old keys in a first-in first-out buffer. Once created, the key is held in that buffer for a period determined by the cleartrust.keyserver.token_lifetime which is one hour by default.

If a new key is created every 30 minutes, and held in this buffer for one hour, this means that old keys are retained, on average, for 1 1/2 hours.  Testing  and internal logic shows that it is actually greater and is actually two hours (see note #2).

With these numbers the buffer usually has three to four keys in it after it has been up for few hours and maintains that number while the site is up. The newly created key is used for both encryption and decryption while the older keys are used just for decryption.

ClearTrust-encrypted cookies are presented to the client web browsers and are stored in the browser for as long as the browser session is active by default (they can be persisted). These cookies are updated if the user access a web page; but if the user's browser is inactive, the cookies maintained by the web browser are not updated.

Users who are inactive are normally required to re-authenticate based on the value of the cleartrust.agent.idle_timeout (default is 15 minutes). If a user presents with a cookie, it is decrypted, and the last touch time is read. If the cookie is older than 15 minutes, the user is asked to re-authenticate. 

Once the key expires after two hours, it is dropped from the buffer. Any token/cookie encrypted by that key cannot be decrypted and generates one of the token errors below, depending on the version used: That is usually the case for sessions that are left open and idle for greater than two hours.  For example. this is common if a user leaves their session open at the end of the day and then tries to resume working the following morning.  At that point, the user will be forced to reauthenticate. In this case, instead of logging a user idle event, the aserver will log the cookie decryption event error.

The quantity of cookie decryption errors in the log files is not a one-to-one correspondence with the number of users being asked to authenticate. Cookies are presented to the web server for each element of a web page and each cookie will cause an error message in the log file. The cookies will be presented to the server during the display of the logon page itself. This means when a user presents with an old browser session, they may see a dozen or so messages logged for each event. In newer versions of the product features were added to reduce the redundant error messages.