Resolving "LOGIN_MUST_USE_SECURITY_TOKEN" Error

Rachel Soderberg - Jun 28 '19 - - Dev Community

This week I ran into a new Salesforce issue I haven't come across before - I finished development on a project I've been building at work for many weeks now and was excited to see it run on the test server. What could possibly go wrong?! Well... Several things actually. Most were minor hiccups like making sure I had the Salesforce API and connection info set to the correct versions in my web.config file, but one nasty hangup had my manager and me stumped for a full couple of days!

I finally narrowed the logging and error messages down until I was able to drop into the exact section of problem code; this allowed me to produce the following SoapException in the section of code where I use the Salesforce binding to log into our org if the application is not already logged in:


Exception: System.Web.Services.Protocols.SoapException: LOGIN_MUST_USE_SECURITY_TOKEN: Invalid username, password, security token; or user locked out. Are you at a new location? When accessing Salesforce--either via a desktop client or the API--from outside of your company’s trusted networks, you must add a security token to your password to log in. To get your new security token, log in to Salesforce. From your personal settings, enter Reset My Security Token in the Quick Find box, then select Reset My Security Token.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at BoxxSalesforceListener.Salesforce.SforceService.login(String username, String password)
at BoxxSalesforceListener.RMAUpdateService.CheckIfLoggedInToSalesforceAndLogInIfNot()

Once we saw this error code the problem became so obvious. We don't use the security token to log in (though that is one option if you want to provide access to an application that is considered "untrusted" by your org). A security token is simply an extra credential you can have your application enter when it logs in to Salesforce.

Instead of adding code to provide the security token, we opted to modify our list of trusted networks in our Salesforce org. This process is also very simple:

  1. Log in to your problem Salesforce org (may be Production or Sandbox)
  2. Click Setup, then search "Network Access" or find it under Administer > Security Controls
  3. Get the IP address of your server*
  4. Enter the server's IP address as a new Trusted IP Range, providing either a start and end point or just using the single address for both fields

And just like that, the problem should be resolved! Your server is now considered a trusted connection with your Salesforce org and should be allowed to connect using just the Username and Password credentials. You'll have to make this change for each new server that accesses your Salesforce org, if you add more, so it's good to keep this in mind and not waste two days of work (like I did... yeesh).

*If you aren't familiar with getting your IP address, there's at least two ways to get it: From the server open a cmd window and enter "ping servername" without quotes, and using your server's name instead of servername. The second option is to navigate to https://whatismyipaddress.com/ from a web browser on the server.


Do you have any Salesforce topics you'd like me to look into and write about? I'm always looking for new things to delve into and learn, and Salesforce has been a lot of fun for me!

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .