Forum Discussion
Feb 26, 2018
Invalid issuer or signature error in SPO Provider-Hosted AddIns
(Note: we have already verified that this is not a problem with expired client secrets)
Hi all, we are having problems with SPO Provider-Hosted Add-Ins where we are using remote event receivers...all of these Add-Ins were working last week, but have stopped working today. Could you please help us with identifying what's happening? We are seeing the problem in 4-5 tenants and with 2-3 different applications. I have attached a document with the troubleshooting we have done and also our findings. As you can imagine, it's quite urgent for us to get information and a workaround about how to fix it...we also opened a support case, but support folks told us that they don't provide help for this kind of issue. Thanks in advance! cc VesaJuvonen
- Lewis-H (Iron Contributor)
I'm assuming you have already found a way around this issue, but I resolved it by editing the permissions my App needed to the Host Web. Originally I was just leaving it blank, but setting those permissions explicitly in the manifest got it working.
We're seeing the same issue with one of our SPO Provider hosted add-ins too. Our client ID and secrets are managed via the Seller Dashboard though as it is a multi-tenant add-in. Anyone else seeing the same issue via the Microsoft Seller Dashboard?
- Slawomir Bryk (Copper Contributor)
If you are asking whether we've experienced this issue in apps that are being distributed via the AppSource, the answer is yes - that's exactly what was happening.
That being said, using the HostedAppHostNameOverride thing solved the issue for us. Was that not the case for you?
No, it wasn't the case for us. As we had both client secrets coming up to expire for a client ID, I created two new client secrets via the Microsoft Partner Center seller dashboard but didn't delete the original secrets as they were still active. So we had 4 active secrets for a client ID; it seems that the SPO Provider Hosted add-ins / Azure ACS doesn't handle having 4 active secrets. Once I deleted the original 2 client secrets, leaving just 2 active secrets for that client ID, everything sprang into life!
- paulpascha (Bronze Contributor)
Same here. We managed to work around the error by specifying a HostedAppHostNameOverride app setting in our Application Settings. We found out that in TokenHelper's CreateAcsClientContextForUrl the call to OperationContext.Current.IncomingMessageHeaders.To.Host resolved to the wrong host name. In our case we expected ourapplication.azurewebsites.net but only ourapplication was returned.
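Added example, not part of the original post and not TokenHelper code: an offline diagnostic that reads the `aud` claim of a context token and compares it with the audience the add-in would expect for the host name it sees, with and without a HostedAppHostNameOverride value. The `<clientId>/<host>@<realm>` audience format and the `;`-separated override are assumptions about TokenHelper's behaviour; the client ID, realm and token are constructed sample values.

```python
import base64
import json

# All sample values below are constructed for illustration.
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REALM = "22222222-2222-2222-2222-222222222222"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(host):
    """Build an unsigned, constructed token carrying only an aud claim."""
    header = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    claims = {"aud": f"{CLIENT_ID}/{host}@{REALM}"}
    return f"{header}.{b64url(json.dumps(claims).encode())}.constructed"


def decode_claims(token):
    """Read JWT claims WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_audience(token, client_id, request_host, override=None):
    """Compare aud with '<clientId>/<host>@<realm>' (format is an assumption)."""
    aud = str(decode_claims(token).get("aud", "")).rstrip("/")
    realm = aud.rpartition("@")[2]
    # A non-empty override (';'-separated) replaces the request host.
    hosts = [h.strip() for h in (override or "").split(";") if h.strip()]
    hosts = hosts or [request_host]
    candidates = [f"{client_id}/{h}@{realm}" for h in hosts]
    matched = any(aud.lower() == c.lower() for c in candidates)
    return {"aud": aud, "candidates": candidates, "matched": matched}


if __name__ == "__main__":
    token = make_sample_token("ourapplication.azurewebsites.net")
    print(check_audience(token, CLIENT_ID, "ourapplication"))
    print(check_audience(token, CLIENT_ID, "ourapplication",
                         override="ourapplication.azurewebsites.net"))
```

Context tokens are bearer credentials, so run a check like this on a captured token locally rather than writing tokens to shared logs.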
- Slawomir Bryk (Copper Contributor)
Having the same issue.
Indeed, putting the HostedAppHostNameOverride approach seems to be working as a temporary workaround.
- Rajat chauhan (Copper Contributor)
Hello, I tried putting HostedAppHostNameOverride below Client Id and Client Secret tags in the Web.config file. But it didn't work as expected. List is still unable to trigger remote event receivers. Please advise.
- VesaJuvonen
Microsoft
Can you open up an issue at the following location with the sufficient details, so that we can start working on this within the engineering? We use this issue list for tracking incoming issues around SharePoint development and issues are automatically synced to our VSO for internal tracking.
Thanks for your submission in advance - https://github.com/SharePoint/sp-dev-docs/issues.
This GitHub issue list is an alternative or add-on tool for opening up official support ticket through official channels with Premier support or with SPO Online support, which should be always the #1 step for any unexpected issues so that things are getting tracked using official channels.
- Hi Vesa!
I have already submitted the issue: https://github.com/SharePoint/sp-dev-docs/issues/1409. Of course, we tried first to open a support ticket but support team told us that they didn't provide support to any issue related to third party development :-(. That's the reason I have decided to post here the problem and also at other channels
- Jan Steenbeek (Copper Contributor)
We've run into the same issue in the last two months. Over each tenant we provide PH solutions in (8 so far), we see that renewed client secrets do not work with the invalid issuer error. We ran into a wall with support, so we figured we would wait until others started reporting this. Well, here we are :)
As a workaround we use Remove-MSOLServicePrincipal (https://docs.microsoft.com/en-us/powershell/module/msonline/remove-msolserviceprincipal) to remove the registration and recreate it using the same Client ID on AppRegNew.aspx. When using the same client ID the granted permissions carry over. This gives a service interruption of half an hour to a couple of hours, but it's better than nothing.