"Management authorization refused: token denied by server"

Description

As a security measure, a token is generated when any transfer is initiated in Faspex or Shares. The token has an expiration time. If the transfer never fails, it does not matter whether the token expires before the transfer completes. However, if the transfer does fail, Aspera Connect will by default "retry" the transfer. The retry reuses the same token, which must still be valid (non-expired). If the token has already expired, the user gets the error "Management authorization refused: token denied by server" (code 34).

To minimize the failures due to expired tokens the admin of the server could increase the token_life parameter in the aspera.conf.

The default is a token life of 86400 seconds (24 hours). There is not a great security risk in having a token with a long life as this token is specific to the file/file path, the direction (upload or download) and the user account so it is not easily exploited.

There are several ways you can increase the token life. You can use the transfer server GUI or the command line tool asconfigurator, both of which edit aspera.conf for you. You can also edit aspera.conf directly, though this is less recommended as it is easier to make mistakes.

Environment

  • Product: Enterprise Server, Connect Server
  • Operating System: Linux, Windows

Instructions

Via GUI

To increase the token life the admin can edit the Configuration using the Aspera Enterprise Server GUI.

1. Launch the GUI and select the Configuration icon in the upper right.

2. Select the Users tab and the Faspex or Shares user. Click the Authorization tab. Check the box in the Override column next to Token Life (seconds) and enter a value. Click Apply, then OK.

Alternatively you can just configure the token life on the Global tab so all tokens have this duration, and the Faspex or Shares user will then inherit it.

Via command line

Another way to configure the token life is using asconfigurator. Run the following:

Linux
asconfigurator -x 'set_user_data;user_name,faspex_or_shares_user;token_life_seconds,100000'

Windows
asconfigurator.exe -x "set_user_data;user_name,faspex_or_shares_user;token_life_seconds,100000"

Via aspera.conf

You can add the token life directly to your aspera.conf file, which is located at the following:

  • Windows: C:\Program Files (x86)\Aspera\<product name>\etc\aspera.conf (replace <product name> with your installed product)
  • Linux: /opt/aspera/etc/aspera.conf

The token life should be configured as below. The <authorization> section should be nested within the <default> section if you want the token life setting to be applied globally, or it should be nested within the <user> section to apply it to only a particular user:

<authorization>
<life_seconds>100000</life_seconds>
</authorization>

This section may already have a value in <encryption_key>, in which case the <life_seconds> setting can immediately precede it.

When editing the aspera.conf by hand be sure to first make a backup copy and then validate it immediately after editing as follows:

Linux
# /opt/aspera/bin/asuserdata -v
# /opt/aspera/bin/asuserdata -u faspex_or_shares_user

Windows
> "C:\Program Files (x86)\Aspera\Enterprise Server\bin\asuserdata.exe" -v
> "C:\Program Files (x86)\Aspera\Enterprise Server\bin\asuserdata.exe" -u faspex_or_shares_user

The first command should confirm that the file passes validation. If it does not validate, correct it immediately or revert to your backup. No transfers can be initiated if this file is invalid. The -u option lets you validate the exact options for the Faspex or Shares user, and you can check the new value for the token life in the list returned.
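
The backup, validate and revert steps above as one shell function (an added example, not part of the original article and not Aspera's own tooling). It uses the Linux paths given on this page; the function name apply_conf and the ASPERA_CONF / ASUSERDATA override variables are assumptions of the example, and it assumes asuserdata -v exits non-zero when validation fails.

```shell
#!/bin/sh
# Added example: install an edited aspera.conf with backup, validation, rollback.
# Defaults are the Linux paths named in this article; both can be overridden.
ASPERA_CONF="${ASPERA_CONF:-/opt/aspera/etc/aspera.conf}"
ASUSERDATA="${ASUSERDATA:-/opt/aspera/bin/asuserdata}"

# apply_conf CANDIDATE [USER]   (hypothetical helper name)
# Returns 0 when the candidate was installed and passed validation,
#         1 when it was rejected and the backup was restored,
#         2 on usage or backup errors (live file left untouched).
apply_conf() {
    ac_candidate="$1"
    ac_user="${2:-}"
    [ -r "$ac_candidate" ] || return 2
    [ -f "$ASPERA_CONF" ] || return 2

    # cp -p keeps owner, mode and timestamps, so the backup is no more
    # readable than the live file (which may hold <encryption_key>).
    ac_backup="${ASPERA_CONF}.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$ASPERA_CONF" "$ac_backup" || return 2

    # Write the contents in place so the live file keeps its permissions.
    if ! cat "$ac_candidate" > "$ASPERA_CONF"; then
        cp -p "$ac_backup" "$ASPERA_CONF"
        return 1
    fi

    # An invalid aspera.conf blocks all transfers, so revert at once.
    if ! "$ASUSERDATA" -v >/dev/null 2>&1; then
        cp -p "$ac_backup" "$ASPERA_CONF"
        echo "validation failed; restored $ac_backup" >&2
        return 1
    fi

    # Print the effective settings for the Faspex or Shares user so the
    # new token life can be checked in the returned list.
    if [ -n "$ac_user" ]; then
        "$ASUSERDATA" -u "$ac_user"
    fi
    return 0
}
```

Call it as apply_conf /path/to/edited.conf faspex_or_shares_user from a root shell after sourcing the file.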

Conclusion

Please note, however, that finding the root cause of why transfers fail in the first place is just as important as configuring the token life for better transfer "retries". Any server should be able to achieve a very high success percentage for transfers overall, and rather than just improving retries it is best to understand any root-cause issues for a better overall transfer experience. The Aspera support team is available to assist customers in auditing their server performance and analyzing transfer logs. Please open a support ticket and ask for assistance in evaluating your transfer performance. Be prepared to provide server/client log files to Aspera:
