Getting "BadContextToken" fault with reason as "The security context token is expired or is not valid. The message was not processed"

We have a client to MSD CRM WebServices interface written in Java. Intermittently we get below fault from MSD CRM :-

We receive below SOAP response from MSD CRM server :-

<?xml version="1.0" encoding="UTF-8"?>

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">

    <s:Header>

        <a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action>

        <a:RelatesTo>uuid:4b9268dc-ec6d-4105-b49a-70d1ef9675ef</a:RelatesTo>

    </s:Header>

    <s:Body>

        <s:Fault>

            <s:Code>

                <s:Value>s:Sender</s:Value>

                <s:Subcode>

                    <s:Value xmlns:a="http://schemas.xmlsoap.org/ws/2005/02/sc">a:BadContextToken</s:Value>

                </s:Subcode>

            </s:Code>

            <s:Reason>

                <s:Text xml:lang="en-US">The security context token is expired or is not valid. The message was not processed.</s:Text>

            </s:Reason>

        </s:Fault>

    </s:Body>

</s:Envelope>

- On re authenticating and getting a new Kerberos token, we do not get any such fault from MSD CRM server.

There are below questions that we need your help to debug the issue further :-

-         What is the root cause of the authentication failure issue at MSD CRM .

-         Under what scenarios token gets invalidated/expired at MSD CRM ?

-         If there is any idle timeout for a Kerberos token at MSD CRM/ IIS? Example :- The token is acquired with life time of 10 hours and used 1 hour after being issued.

-         What is the inference from MSD CRM verbose trace showing authentication failure on message security verification? There is a complete call stack printed as well in MSD CRM trace.

-         What are the best practices recommended to avoid such scenarios?

-         Is there a check list to validate the configuration related to authentication and token validation at MSD CRM?

-         Is there a cache maintained at MSD CRM to hold security token information for the clients communicating with MSD CRM? Is there any limit on size/time period of this cache?

-         IS there any suggestions/precautions to be taken at Client code for this issue of token being invalidated at MSD CRM intermittently.

 Please let us know if you need any other information to understand the issue better. Please help as this is a show stopper for us!!