Form interconnect authentication fails for mobile expense entry in travel management

Mobile users are unable to submit expense entries through the JDE Mobile Enterprise application for travel management on version 9.2.1. The form interconnect authentication is failing when users try to access the expense entry form (P00191) from their mobile devices. Desktop users can access the same form without any issues.

The authentication failure occurs specifically during the form interconnect handoff from the mobile app to the JDE form. Users get an “auth failed” error and are kicked back to the mobile app home screen. The mobile session appears to be valid since users can access other mobile functions, but the form interconnect security token isn’t being recognized.

We recently applied a security patch (Tools Release 9.2.1.4) which may have changed how form interconnect handles mobile session tokens. The token refresh logic might not be compatible with the new security requirements. Error logs show:


FormInterconnect: Token validation failed
Session: MOBILE_USER_SESSION_12345
Reason: Token signature mismatch

Has anyone experienced form interconnect authentication issues after applying recent security patches? Is there a specific mobile session management configuration that needs to be updated for token compatibility?

I’ve successfully resolved this exact issue across multiple JDE 9.2.1 implementations after the 9.2.1.4 security patch. The problem involves all three focus areas: mobile session management, token refresh logic, and security patch compatibility. Here’s the comprehensive solution:

1. Mobile Session Management: The security patch changed how form interconnect validates mobile sessions. You need to reconfigure session handling:

JDE Server Configuration (jde.ini): Add or modify the [FORMINTERCONNECT] section:


[FORMINTERCONNECT]
TokenSigningAlgorithm=HS256
TokenExpirationMinutes=30
MobileSessionTimeout=120
EnableTokenRefresh=TRUE
ValidateDeviceFingerprint=TRUE

Key changes:

  • TokenExpirationMinutes increased from default 15 to 30 for mobile scenarios
  • MobileSessionTimeout set to 120 minutes (2 hours) to accommodate offline work
  • EnableTokenRefresh=TRUE allows automatic token renewal
  • ValidateDeviceFingerprint=TRUE adds device-level security without breaking mobile access

Mobile Server Configuration (P98950MB): Navigate to Mobile Enterprise Configuration:

  1. Session Management tab:
    • Enable “Auto Token Refresh”
    • Set “Refresh Interval” to 20 minutes (before 30-minute expiration)
    • Set “Mobile Session Timeout” to 120 minutes
    • Enable “Persist Session Across App Restarts”
  2. Security Settings tab:
    • Set “Token Signing Algorithm” to HS256 (must match jde.ini)
    • Configure “Shared Secret Key” (minimum 32 characters, alphanumeric + special chars)
    • Copy this exact key to the JDE server configuration
  3. Device Management tab:
    • Add mobile device types to trusted list: iOS, Android
    • Enable “Allow Form Interconnect from Mobile”
    • Set “Device Registration Required” to TRUE for enhanced security

2. Token Refresh Logic: Implement proactive token refresh to prevent authentication failures:

Server-Side Token Refresh Configuration: The form interconnect servlet needs to handle token refresh requests. Verify these settings in the Enterprise Server:


[SECURITY]
FormInterconnectTokenRefresh=ENABLED
RefreshTokenLifetime=240
MaxRefreshesPerSession=10

Mobile App Token Refresh Implementation: While the mobile app should handle this automatically, verify the configuration:

  1. In JDE Mobile Enterprise app settings on each device:

    • Navigate to Advanced Settings → Security
    • Enable “Automatic Token Refresh”
    • Set “Refresh Before Expiry” to 5 minutes
    • Enable “Refresh on Form Interconnect”
  2. For custom mobile apps integrating with JDE, implement this token refresh pattern:


// Pseudocode for mobile app token refresh
1. Check token expiry timestamp before form interconnect call
2. If expires within 5 minutes:
   - Call mobile server token refresh endpoint
   - Receive new token and expiry time
   - Update stored credentials
3. Proceed with form interconnect using valid token
4. Handle refresh failure: re-authenticate user if refresh fails

3. Security Patch Compatibility: The 9.2.1.4 security patch introduced breaking changes that require configuration updates:

Post-Patch Configuration Requirements:

  1. Update Shared Secret Keys: The patch requires stronger encryption keys. Generate a new shared secret:

// Use a secure random string generator
// Minimum 32 characters, include uppercase, lowercase, numbers, special chars
// Example format (generate your own): Kj9$mP2nQ7#xR5wT8@vY3zL6hF4dS1gA0

Update this key in THREE locations:

  • jde.ini [FORMINTERCONNECT] section: SharedSecretKey=YOUR_KEY
  • Mobile Server Configuration (P98950MB): Security Settings → Shared Secret
  • Mobile Enterprise Server (if separate): config.properties → forminterconnect.secret

All three MUST be identical or token validation fails.

  2. Enable New Security Headers: The patch requires additional HTTP headers for form interconnect. In the Enterprise Server configuration:

[HTTP_HEADERS]
X-JDE-FormInterconnect-Version=2
X-JDE-Token-Type=Bearer
X-JDE-Device-Validation=ENABLED

  3. Certificate Validation: If using HTTPS for mobile connections (recommended), update certificate validation:
    • Ensure mobile server SSL certificate is valid and not self-signed
    • Add certificate to JDE server’s trusted certificate store
    • Configure mobile app to validate server certificates (disable “Accept All Certificates” in production)

  4. Compatibility Verification: After applying the security patch, run the Form Interconnect Diagnostic Tool:

Navigate to: System Administration → Security Management → Form Interconnect Diagnostics
Run tests:
- Token Generation Test
- Token Validation Test
- Mobile Session Test
- Signature Verification Test

All tests should pass. If Token Validation or Signature Verification fail, the shared secret key mismatch is the cause.

Implementation Steps:

  1. Backup current configuration (jde.ini, mobile server settings)
  2. Generate new shared secret key (32+ characters, complex)
  3. Update JDE server configuration (jde.ini with new settings)
  4. Restart Enterprise Server to apply jde.ini changes
  5. Update Mobile Server configuration (P98950MB with matching settings)
  6. Restart Mobile Enterprise Server
  7. Test with single mobile device before rolling out
  8. Update mobile app on user devices if using older version
  9. Verify token refresh works by monitoring for 30+ minutes
  10. Deploy to all users after successful testing

Testing Protocol:

  1. Token Generation Test:

    • Mobile user logs in → verify successful authentication
    • Check server logs for token generation with HS256 algorithm
  2. Form Interconnect Test:

    • From mobile app, launch expense entry form (P00191)
    • Verify form opens without authentication error
    • Submit expense entry → verify successful save
  3. Token Refresh Test:

    • Keep mobile app open for 25 minutes (past refresh interval)
    • Launch form interconnect again
    • Verify no authentication error (token should have auto-refreshed)
    • Check mobile server logs for token refresh events
  4. Offline Scenario Test:

    • Prepare expense entry while offline
    • Go online after 60+ minutes
    • Submit expense entry
    • Verify submission succeeds (session persisted, token refreshed on reconnect)

Troubleshooting Common Issues:

  • “Token signature mismatch” error: Shared secret key doesn’t match across all three locations (jde.ini, mobile server, mobile enterprise server)
  • “Token expired” error: Token refresh not enabled or refresh interval too long
  • “Device not trusted” error: Mobile device type not in trusted device list in P98950MB
  • Form opens then immediately closes: Session timeout too short for mobile scenario - increase to 120 minutes

Validation: After implementation:

  1. Monitor mobile server logs for 48 hours
  2. Verify no authentication failures for form interconnect
  3. Check that token refresh events occur at expected intervals
  4. Confirm expense entries submit successfully from mobile devices
  5. Test with users in different scenarios: online, offline, switching networks

This solution ensures mobile users can reliably access expense entry forms through form interconnect while maintaining the enhanced security requirements of the 9.2.1.4 patch. The key is proper mobile session management with appropriate timeouts, proactive token refresh before expiration, and ensuring all configuration points use matching security settings.
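
As an added example (not part of the post above, and not JD Edwards code), the following Python shows why an HS256 check reports a signature mismatch when the signing and validating sides hold secrets that differ by even one byte, and how a refresh-before-expiry check works. The JWT-style token layout and all function names are assumptions for illustration; the session ID is the one from the log in the question.

```python
import base64
import hashlib
import hmac
import json
import secrets

def new_shared_secret() -> str:
    return secrets.token_urlsafe(32)  # 32 random bytes -> 43 URL-safe characters

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(secret: str, signed_part: str) -> bytes:
    return hmac.new(secret.encode(), signed_part.encode(), hashlib.sha256).digest()

def sign_token(secret: str, session: str, now: float, ttl_min: int = 30) -> str:
    # Assumed JWT-style layout: base64url(header).base64url(payload).base64url(mac)
    header = _b64(json.dumps({"alg": "HS256"}).encode())
    payload = _b64(json.dumps({"sid": session, "exp": int(now) + ttl_min * 60}).encode())
    return f"{header}.{payload}.{_b64(_mac(secret, header + '.' + payload))}"

def validate_token(secret: str, token: str, now: float) -> str:
    try:
        header, payload, sig = token.split(".")
        alg = json.loads(_unb64(header))["alg"]
        claims = json.loads(_unb64(payload))
        sig_bytes = _unb64(sig)
    except (ValueError, KeyError, TypeError):
        return "malformed token"
    if alg != "HS256":  # pin the algorithm; never trust the header's choice
        return "unsupported algorithm"
    # Constant-time compare; any byte difference in the secret fails here.
    if not hmac.compare_digest(_mac(secret, header + "." + payload), sig_bytes):
        return "signature mismatch"
    if claims["exp"] <= now:  # claims are trusted only after the MAC check
        return "token expired"
    return "ok"

def needs_refresh(token: str, now: float, margin_min: int = 5) -> bool:
    exp = json.loads(_unb64(token.split(".")[1]))["exp"]
    return exp - now <= margin_min * 60  # refresh once inside the margin

if __name__ == "__main__":
    good, stale = new_shared_secret(), new_shared_secret()  # constructed secrets
    tok = sign_token(good, "MOBILE_USER_SESSION_12345", now=0)
    print(validate_token(good, tok, 60), "|", validate_token(stale, tok, 60))
```

A secret pasted with a trailing space or newline in one of the configuration locations fails the same way as a completely different key, so compare the stored values byte for byte.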

The Tools Release 9.2.1.4 security patch introduced stricter token validation for form interconnect. The mobile app generates a session token when launching, but form interconnect now requires the token to be signed with a specific algorithm that older mobile app versions don’t support. Check your JDE Mobile Enterprise app version - you may need to update to the latest version that supports the new token signing requirements. Also verify that the form interconnect configuration in JDE includes mobile devices in the trusted device list.

The 9.2.1.4 security patch specifically addressed vulnerabilities in form interconnect token handling. It enforces token expiration more strictly and requires token refresh for sessions lasting longer than 15 minutes. For mobile expense entry, which often involves users working offline and submitting later, the 15-minute window is too short. You need to either configure token refresh logic in your mobile app or increase the token expiration threshold in the form interconnect security settings. There’s a balance between security and usability for mobile scenarios.