Skip to content

Error 401 Incorrect login (expired Azure secret)

When attempting to access SmartOSH, some users may see the following error message:

Incorrect login Remote server error: (401) Unauthorized.

This error indicates that SmartOSH was unable to authenticate against Azure Entra ID (formerly Azure Active Directory) on behalf of the client. The most common cause is that the client secret configured in SmartOSH has expired in the client’s Azure tenant.


SmartOSH authenticates against Azure Entra ID using a registered application in the client’s tenant. That application uses a client secret (secret key) to identify itself to Azure.

Client secrets have an expiration date set at the time of creation (30 days, 6 months, 1 year, 2 years, or custom). When the secret reaches that date, Azure stops accepting it and returns the error:

AADSTS7000222: The provided client secret keys for app '<app-id>' are expired.

This error is generated by Azure, not SmartOSH. The expiration happens automatically by expiry date, without any manual action taken in the tenant.


To confirm that the cause is an expired secret, the client’s Azure administrator should follow these steps:

  1. Access Microsoft Azure Portal with an account that has administrator permissions.
  2. Go to Microsoft Entra IDApp registrationsAll applications tab.
  3. Search for the application by its Application (client) ID (SmartOSH can provide this if needed) and open it.
  4. In the application’s side menu, go to Certificates & secrets.
  5. In the Client secrets tab, check the Expires column.

If any secret appears as Expired or has an expiry date in the past, that is the expired secret preventing access.


Resolution requires two actions: the client generates a new secret and SmartOSH updates it in its configuration.

Step 1 — The client generates a new client secret

Section titled “Step 1 — The client generates a new client secret”
  1. Within Certificates & secrets of the registered application, click + New client secret.
  2. Assign a description and choose the desired duration.
  3. Click Add.
  4. Copy the value (Value) immediately after creation. Once the screen is closed, Azure will not show that value again.

Step 2 — The client sends the secret to SmartOSH securely

Section titled “Step 2 — The client sends the secret to SmartOSH securely”

The secret value must be sent via a secure channel. It is recommended to use one-time link tools such as Password Pusher to avoid the value being exposed in emails or chats.

With the new secret received, the SmartOSH team updates it in the tenant’s configuration. This change may take a few minutes to propagate through the system cache before users can access again.


Reference SO-4439