I’ve run into this “Token contains invalid signature” issue with SharePoint and Project Server 2013 workflows a couple of times, and also referred to in the logs as Invalid JWT token – and the error shows “invalid client” too. The symptom is the workflow starts but then shows as cancelled – and hitting the additional workflow information page for Project Server workflows and the information icon will give the error at the foot of the posting (for search engine consumption…) – and the forums tend to say that just wait a day and it goes away but no one that I could find knew what the overnight change was…. Well today wasn’t a day I wanted to wait – so I had a look around for which daily timer jobs might help things work. I tried a few service restarts first – but finally found the “Refresh Trusted Security Token Services Metadata feed” timer job – clicked the Run Now button – then tried another workflow and all was good!
I hope this helps someone – and I’d also like validation if this does work for you as I am not 100% sure it was what fixed my issue. With these things that can just start working again it could have been something else. Change in the wind perhaps?
*** Update 1/14/2014 - Thanks to Hans Bellen of UMT for validating that this is the timer job - and he also had some other guidance:
- Make sure you run the WF as a non-system account
- If this is a new farm, run the following timer jobs in SharePoint
1.Workflow Auto Cleanup
2.Notification Timer Job c02c63c2-12d8-4ec0-b678-f05c7e00570e
3.Hold Processing and Reporting
4.Bulk workflow task processing
5.Refresh Trusted Security Token Services Metadata feed [Farm job – Daily]
*** End Update
Here is the full error information:
RequestorId: ab0ccadd-86a9-592e-40cb-22e59fbbf08d. Details: System.ApplicationException: HTTP 401 {"x-ms-diagnostics":["3000006;reason=\"Token contains invalid signature.\";category=\"invalid_client\""],"SPRequestGuid":["b70e7628-6c00-49b5-a06a-db91bcf2c0ec"],"request-id":["b70e7628-6c00-49b5-a06a-db91bcf2c0ec"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"SPRequestDuration":["114"],"SPIisLatency":["1"],"Server":["Microsoft-IIS\/8.0"],"WWW-Authenticate":["Bearer realm=\"5418e74f-0449-4a4c-a1be-ba58377ac362\",client_id=\"00000003-0000-0ff1-ce00-000000000000\",trusted_issuers=\"00000005-0000-0000-c000-000000000000@*,00000003-0000-0ff1-ce00-000000000000@5418e74f-0449-4a4c-a1be-ba58377ac362\"","NTLM"],"X-Powered-By":["ASP.NET"],"MicrosoftSharePointTeamServices":["15.0.0.4535"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1; RequireReadOnly"],"Date":["Mon, 13 Jan 2014 22:15:08 GMT"]} at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager bookmarkManager, Location resultLocation)
and the ULS logs will say something like:
01/13/2014 14:15:09.25 w3wp.exe (0x2FB8) 0x1E88 SharePoint Foundation Application Authentication ajez0 High SPApplicationAuthenticationModule: Invalid token or signature. Exception: System.IdentityModel.Tokens.SecurityTokenException: Invalid JWT token. Could not resolve issuer token. at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken) at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadActor(IDictionary`2 payload) at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken) at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.TryExtractAndValidateToken(HttpContext httpContext, SPIncomingTokenContext& tokenContext) 529744b4-b81b-4728-b2f7-ddaebb0e6e1e
01/13/2014 14:15:09.27 w3wp.exe (0x2FB8) 0x1E88 SharePoint Foundation Application Authentication ajezq High SPApplicationAuthenticationModule: Error authenticating request, Error details: Header: 3000006;reason="Token contains invalid signature.";category="invalid_client", Body: {"error_description":"Invalid JWT token. Could not resolve issuer token."} 529744b4-b81b-4728-b2f7-ddaebb0e6e1e
01/13/2014 14:15:09.27 w3wp.exe (0x2FB8) 0x1E88 SharePoint Foundation General 8nca Medium Application error when access /PWA/_vti_bin/client.svc, Error=Invalid JWT token. Could not resolve issuer token. at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken) at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadActor(IDictionary`2 payload) at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken) at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.TryExtractAndValidateToken(HttpContext httpContext, SPIncomingTokenContext& tokenContext) 529744b4-b81b-4728-b2f7-ddaebb0e6e1e
