nerdexam
CompTIA

CV0-003 · Question #806

A systems administrator strictly followed a CSP's documentation to federate identity for the company's users; however, even when using the correct credentials, the users receive an error message indic

The correct answer is A. The date on the company's identity server is configured incorrectly.. Token expiration errors in federated identity are almost always caused by clock skew between the identity provider and the service provider, not by credential or network issues.

Troubleshooting

Question

A systems administrator strictly followed a CSP's documentation to federate identity for the company's users; however, even when using the correct credentials, the users receive an error message indicating their tokens are expired. Which of the following is MOST likely the cause of the error?

Options

  • AThe date on the company's identity server is configured incorrectly.
  • BThe CSP's documentation is incorrect.
  • CThere is a connection issue between the company and the CSP's networks.
  • DMFA was enforced on the CSP.

How the community answered

(59 responses)
  • A
    83% (49)
  • B
    5% (3)
  • C
    3% (2)
  • D
    8% (5)

Why each option

Token expiration errors in federated identity are almost always caused by clock skew between the identity provider and the service provider, not by credential or network issues.

AThe date on the company's identity server is configured incorrectly.Correct

Federated identity protocols like SAML and OIDC embed timestamps (NotBefore and NotOnOrAfter) in tokens that are validated against the receiving system's clock. If the company's identity server clock is set incorrectly, the CSP will evaluate the token's validity window against its own synchronized clock and reject it as expired. Even a few minutes of drift can cause consistent token rejection despite valid credentials.

BThe CSP's documentation is incorrect.

Incorrect documentation would more likely cause a configuration or authentication failure, not a token expiration error with otherwise correct credentials.

CThere is a connection issue between the company and the CSP's networks.

A network connectivity issue would produce a connection timeout or unreachable error, not a token expiration message.

DMFA was enforced on the CSP.

Enforced MFA would trigger an additional authentication challenge or step-up prompt, not a token expiration error.

Concept tested: Federated identity clock skew and token validation

Source: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-overview

Topics

#identity federation#token expiration#NTP synchronization#SSO

Community Discussion

No community discussion yet for this question.

Full CV0-003 Practice