Error: Invalid nonce binding cookie

This article provides an overview of the "Error: Invalid nonce binding cookie" error message and how to recover and authenticate again.

What’s the issue?

This specific scenario occurs when the authenticator faces a race condition in a web view dialog. Most commonly, we have seen these occur with PaloAlto GlobalConnect VPN and Cisco AnyConnect VPN clients attempting authentication. The race condition causes a scenario where the authentication itself is successful, but the response is processed as an error.

When attempting to authenticate, I am presented with an error "Error: Invalid nonce binding cookie".

What’s the solution?

Retrying the authentication will work after a minute or two. Our engineering team is working on an enhancement to the authenticator that will mitigate the race condition.