Client Secret Expired Error in FORNAV Direct Print

When the client secret used by the FORNAV Direct Print service expires, authentication may fail and the service may display an error similar to the following:

Error. Error while checking tenant.
A configuration issue is preventing authentication - check the error message from the server for details. 
You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details.

Original exception: AADSTS7000222: The provided client secret keys for app 'b35123eb-24d1-4c76-8f7b-56698ccef842' are expired. 
Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, 
or consider using certificate credentials for added security: https://aka.ms/certCreds. 

Why This Error Occurs

The Direct Print service uses a client secret to authenticate with FORNAV and Azure Active Directory. This secret:

  • Works like an API key or password
  • Expires automatically after a period of time
  • Must be refreshed to maintain authentication

If the service cannot retrieve a new secret before the old one expires, Azure AD rejects the authentication attempt, resulting in the AADSTS7000222 error.

How Client Secret Renewal Works

Each time the FORNAV Direct Print service starts, it:

  1. Connects to https://www.fornav.com
  2. Checks whether a new client secret is available
  3. Downloads the updated secret if one exists
  4. Saves (caches) the secret locally

A valid cached secret is also included during installation.

Why the Secret Might Expire

The most common cause is:

The FORNAV Direct Print service cannot reach https://www.fornav.com over HTTPS

If the service cannot communicate with the FORNAV servers, it cannot update the client secret. When the cached secret expires, authentication fails and the service displays the AADSTS7000222 error.

How to Fix the Issue

1. Allow HTTPS Access to FORNAV

Ensure that the machine running FORNAV Direct Print has outbound HTTPS access to:

https://www.fornav.com

Then restart the Direct Print service to trigger the secret refresh.
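
To confirm the outbound access this step calls for, the following PowerShell function tests DNS, TCP 443 and the TLS handshake to www.fornav.com in turn and reports the first stage that fails. It is an added example, not FORNAV's own tooling. The function name and parameters are hypothetical, and it connects directly, so it does not exercise any proxy settings.

```powershell
# Added diagnostic, not FORNAV code. Run on the machine hosting Direct Print.
function Test-OutboundHttps {
    param(
        [string]$HostName = 'www.fornav.com',  # host named in this article
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $r = [ordered]@{
        Host = $HostName; Dns = $false; Tcp = $false; Tls = $false
        CertSubject = $null; CertIssuer = $null; CertExpires = $null; Error = $null
    }
    $client = $null; $ssl = $null
    try {
        # Stage 1: DNS. A failure here points at the resolver or DNS filtering.
        $null = [System.Net.Dns]::GetHostAddresses($HostName)
        $r.Dns = $true

        # Stage 2: TCP 443. A timeout or refusal points at an outbound firewall rule.
        $client = New-Object System.Net.Sockets.TcpClient
        if (-not $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) {
            throw "TCP connect to ${HostName}:${Port} timed out after $TimeoutMs ms"
        }
        $r.Tcp = $true

        # Stage 3: TLS handshake with normal certificate validation.
        # TLS 1.2 is requested explicitly so older .NET defaults do not skew the result.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $r.Tls = $true

        # Record the certificate details so the issuer can be compared with expectations.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.CertSubject = $cert.Subject
        $r.CertIssuer  = $cert.Issuer
        $r.CertExpires = $cert.NotAfter
    }
    catch {
        # Keep the innermost message (socket or certificate error) for the report.
        $r.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Close() }
    }
    [pscustomobject]$r
}

Test-OutboundHttps | Format-List
```

If all three stages pass but `CertIssuer` names an internal certificate authority, traffic to the host is passing through a TLS-inspecting device, which is worth checking against your firewall configuration.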

2. If the Cached Secret Has Already Expired

If the secret has already expired, it cannot be refreshed automatically.

To resolve the issue:

Install the latest FORNAV Direct Print version, which includes a fresh cached client secret.

After installing, make sure the service has network access to https://www.fornav.com to prevent future expiration issues.

Preventing Future Problems

To avoid this error going forward:

  • Keep uninterrupted HTTPS access to https://www.fornav.com
  • Ensure firewall rules allow the FORNAV Direct Print service outbound access
  • Restart the service occasionally during planned maintenance windows so it can refresh secrets

For more information on firewall configuration, see: Security and firewall information