Why am I being logged out?
Introduction
Following TrendMiner’s Security by Design / Security by default philosophy, security improvements are regularly rolled out. As a result, stricter server configuration has become required, with examples including mandatory SSL setup and configuration of NTP server(s). Note that these configurations come out of the box when choosing for TrendMiner as a SaaS solution.
One particular requirement is around maintaining the user’s login state. While the user is active, his/her session gets extended (this happens behind the scenes with the use of industry-standard refresh tokens), and the user can continue to work.
To avoid people accessing your browser, and therefore your data, while you may be away from your computer, TrendMiner will try to detect inactivity and securely log you out. Note that the exact definition of when a user becomes “inactive” is up for discussion. E.g. after a given amount of time, certain browsers will put background tabs in sleep mode, even though you are still active in other tabs.
In certain cases, this stricter security framework can lead to intermittent log-outs happening for end users. TrendMiner will keep a user's session open for 24 hours. If users happen to get logged out regularly after periods of activity/inactivity less than 24 hours, especially if this happens after very short periods (e.g. 5 to 30 minutes), this indicates there is a configuration issue that needs to be addressed. Note that other factors, such as the validity of your SSO session (e.g. when integrated with Azure AD) can force a user to re-authenticate as well.
In 95% of observed cases, this phenomenon is caused by a time mismatch between the client (i.e. the user’s computer) and the TrendMiner server time. The mismatch between client and TrendMiner server time can be maximum 10 seconds before logout issues can start occurring. Computer time is an important element in security, used from SSL certificate expiration dates to the lifecycle management of an access token, identifying the validity of your current session.
When you observe undesired logout behaviour, follow the troubleshooting steps outlined in the sections below to identify the potential root cause.
Step 1 - Ensure SSL is enabled and the certificate is valid
SSL configuration is mandatory. No or incorrect configuration of SSL can lead to users being logged out immediately. This behaviour can be browser-specific (e.g. users are logged out when using browser X but not when using browser Y).
Step 2 – Ensure TrendMiner has an NTP server configured
The TrendMiner server time is managed through the configuration of an NTP server to synchronize the clock. The NTP configuration is done in Edge Manager. See more information here.
If there is no NTP server configured, this should be the first thing to do. Without the configuration of an NTP server, it is possible the TrendMiner server time deviates from the user’s local machine, potentially causing the logout issues.
Step 3 – Get the local machine time
If logout issues still occur, the next step includes taking a closer look at the time on the affected user’s local machine. You can do a simple check by looking at the clock on a Windows machine – click on the time in your taskbar to open more details.
Double-check that the time on the local machine is in line with the NTP server it is configured to mirror. This could be a global NTP server (e.g. Microsoft and Google offer public NTP servers) or a Domain Controller.
In some cases, firewall issues or other synchronization problems could cause the local machine to go out of sync with the company’s configured NTP. If this is the case, resolve this problem before continuing to troubleshoot.
Tip
Some public sites can also give an indication about the correctness of your computer time. E.g. time.is. Note that this indication is only relevant if the TrendMiner server time is synced correctly with a reliable NTP server.
If you are unsure how to check this, please reach out to your local IT.
Step 4 – Get the TrendMiner server time
If the local machine’s time has been confirmed, the next step is to get the TrendMiner server time, as there could still be a mismatch for different reasons:
TrendMiner cannot reach the configured NTP server (e.g. firewall issue if you’re pointing to a public NTP)
TrendMiner is configured to use a different NTP than the user’s local machine, causing a mismatch between the two
If you are running an appliance or running TrendMiner as SaaS, please reach out to TrendMiner support to check the server time in a remote call, together with the affected user.
If you are running your own Linux server or in your private cloud, log in to the server’s console and copy the output of the following command:
timedatectl status
Ideally, capture the output together with an overlay of the affected user’s Windows time, as it’s the time mismatch that is typically most important.
If for some reason, the output of timedatectl says “NTP Synchronized: No” while the NTP server is configured (see Step 1), please open a support ticket with TrendMiner support.