Unable to get images in HTML export

I'm requesting a report in HTML format:

http://idsbisandbox/biprws/raylight/v1/documents/1451028/reports/3/pages/1

Accept: text/html

etc.

Included in the returned HTML is a IMG link to an image:

<img border="0" style="position:absolute;top:0px;left:0px;width:581px;height:489px;" alt="Tree Map"
src="http://idsbisandbox/biprws/raylight/v1/documents/1451028/reports/3/pages/1/images/TMP*23*6?X-SAP-LogonToken=[[ my logon token ]]">

This IMG is then submitted (immediately) when the page is rendered:

GET http://idsbisandbox/biprws/raylight/v1/documents/1451028/reports/3/pages/1/images/TMP*23*7?X-SAP-LogonToken=[[ my logon token ]]

But this produces a 401 error with the following stack trace:

<error>    <error_code>FWB 00003</error_code>    <message>Not a valid logon token. (FWB 00003)</message>    <stack_trace>com.sap.bip.rs.exceptions.InvalidEntSessionException: Not a valid logon token. (FWB 00003)&#13;  at com.sap.bip.rs.exceptions.InvalidEntSessionException.LogonFailed(InvalidEntSessionException.java:42)&#13;  at com.sap.bip.rs.session.SessionFactory.getSession2(SessionFactory.java:110)&#13;  at com.sap.bip.rs.session.SessionFactory.getSession2(SessionFactory.java:90)&#13;  at com.sap.bip.rs.session.SessionInternal$1.compute(SessionInternal.java:43)&#13;  at com.sap.bip.rs.session.SessionInternal$1.compute(SessionInternal.java:38)&#13;  at com.sap.bip.rs.nmemo.NMemo$1.call(NMemo.java:67)&#13;  at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)&#13;  at java.util.concurrent.FutureTask.run(FutureTask.java:138)&#13;  at com.sap.bip.rs.nmemo.impl.NMemoWrap.run(NMemoWrap.java:44)&#13;  at com.sap.bip.rs.nmemo.NMemo.memorizePreCalculated(NMemo.java:107)&#13;  at com.sap.bip.rs.nmemo.NMemo.memorize(NMemo.java:49)&#13;  at com.sap.bip.rs.session.SessionInternal.initThreadSession(SessionInternal.java:109)&#13;  at com.sap.bip.rs.server.servlet.BIPServletController.invoke(BIPServletController.java:84)&#13;  at org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:148)&#13;  at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:179)&#13;  at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:108)&#13;  at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)&#13;  at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:159)&#13;  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)&#13;  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)&#13;  at com.businessobjects.sdk.actionfilter.WorkflowFilter.doFilter(WorkflowFilter.java:45)&#13;  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)&#13;  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)&#13;  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)&#13;  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)&#13;  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)&#13;  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)&#13;  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)&#13;  at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)&#13;  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)&#13;  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)&#13;  at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)&#13;  at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)&#13;  at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)&#13;  at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)&#13;  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)&#13;  at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)&#13;  at java.lang.Thread.run(Thread.java:763)&#13;
Caused by: com.crystaldecisions.sdk.exception.SDKServerException: Not a valid logon token. (FWB 00003)&#13;
cause:com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2&#13;
detail:Not a valid logon token. (FWB 00003)
The server supplied the following details: OCA_Abuse exception 10503 at [.\exceptionmapper.cpp : 67]  42010 {}  ...Not a valid logon token. (FWB 00003) The serialized token is not valid and cannot be deserialized&#13;  at com.crystaldecisions.sdk.exception.SDKServerException.map(SDKServerException.java:99)&#13;  at com.crystaldecisions.sdk.exception.SDKException.map(SDKException.java:124)&#13;  at com.crystaldecisions.sdk.occa.security.internal.LogonService.logonWithTokenHelper(LogonService.java:498)&#13;  at com.crystaldecisions.sdk.occa.security.internal.LogonService.logonWithToken(LogonService.java:340)&#13;  at com.crystaldecisions.sdk.occa.security.internal.LogonService.logonWithToken(LogonService.java:151)&#13;  at com.crystaldecisions.sdk.occa.security.internal.SecurityMgr.logonWithToken2(SecurityMgr.java:223)&#13;  at com.crystaldecisions.sdk.framework.internal.SessionMgr2.logonWithToken(SessionMgr2.java:92)&#13;  at com.crystaldecisions.sdk.framework.internal.SessionMgr2.logonWithToken(SessionMgr2.java:86)&#13;  at com.sap.bip.rs.session.SessionFactory.getSession2(SessionFactory.java:100)&#13;  ... 36 more&#13;
Caused by: com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2&#13;  at com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuseHelper.read(oca_abuseHelper.java:106)&#13;  at com.crystaldecisions.enterprise.ocaframework.idl.OCA.OCAs._LogonEx6Stub.SessionLogonWithToken(_LogonEx6Stub.java:218)&#13;  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)&#13;  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)&#13;  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)&#13;  at java.lang.reflect.Method.invoke(Method.java:597)&#13;  at com.crystaldecisions.enterprise.ocaframework.ManagedService.invoke(ManagedService.java:356)&#13;  at com.crystaldecisions.sdk.occa.security.internal._LogonEx6Proxy.SessionLogonWithToken(_LogonEx6Proxy.java:244)&#13;  at com.crystaldecisions.sdk.occa.security.internal.LogonService.logonWithTokenHelper(LogonService.java:400)&#13;  ... 42 more&#13;</stack_trace></error>