diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java
index cafa5135e6..8378a47ced 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java
@@ -81,7 +81,12 @@ class AbstractDelegationTokenSecretManager<TokenIdent
       = DelegationTokenSecretManagerMetrics.create();
 
   private String formatTokenId(TokenIdent id) {
-    return "(" + id + ")";
+    try {
+      return "(" + id + ")";
+    } catch (Exception e) {
+      LOG.warn("Exception in formatTokenId", e);
+    }
+    return "( SequenceNumber=" + id.getSequenceNumber() + " )";
   }
 
   /** 
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/TestDelegationToken.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/TestDelegationToken.java
index 077b10320f..d905609a1c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/TestDelegationToken.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/TestDelegationToken.java
@@ -20,6 +20,7 @@
 
 
 
+import static org.apache.hadoop.security.authentication.util.KerberosName.setRules;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
@@ -29,6 +30,10 @@
 import java.io.IOException;
 import java.net.URI;
 import java.security.PrivilegedExceptionAction;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.apache.hadoop.conf.Configuration;
@@ -54,6 +59,7 @@
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.SecretManager.InvalidToken;
 import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
 import org.apache.hadoop.test.GenericTestUtils;
 import org.slf4j.event.Level;
 import org.junit.After;
@@ -376,4 +382,30 @@ public void testDelegationTokenIdentifierToString() throws Exception {
         " for SomeUser with renewer JobTracker",
         dtId.toStringStable());
   }
+
+  @Test
+  public void testLogExpireTokensWhenChangeRules() throws IOException {
+    setRules("RULE:[2:$1@$0](SomeUser.*)s/.*/SomeUser/");
+    DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(
+        new Text("SomeUser/HOST@EXAMPLE.COM"),
+        new Text("SomeUser/HOST@EXAMPLE.COM"),
+        new Text("SomeUser/HOST@EXAMPLE.COM"));
+    Set<DelegationTokenIdentifier> expiredTokens = new HashSet();
+    expiredTokens.add(dtId);
+    setRules("RULE:[2:$1@$0](OtherUser.*)s/.*/OtherUser/");
+    //rules was modified, causing the existing tokens
+    //(May be loaded from other storage systems like zookeeper) to fail to match the kerberos rules,
+    //return an exception that cannot be handled
+    new AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>(10 * 1000, 10 * 1000,
+        10 * 1000, 10 * 1000) {
+      @Override
+      public DelegationTokenIdentifier createIdentifier() {
+        return null;
+      }
+      public void logExpireTokens(Collection<DelegationTokenIdentifier> expiredTokens)
+          throws IOException {
+        super.logExpireTokens(expiredTokens);
+      }
+    }.logExpireTokens(expiredTokens);
+  }
 }