This post is a contribution from Pavan Kumar, an engineer with the SharePoint Developer Support team
Recently worked with a customer who had deployed a Provider hosted App to their Sharepoint O365 tenant and the remote web was an IIS website which was OnPremise. The App worked fine for a while and it started to fail after sometime with following error
Invalid issuer or signature.
at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.VerifySignature(String signingInput, String signature, String algorithm, SecurityToken signingToken)
at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken)
at ECompliance.ApplicationForms.TokenHelper.ReadAndValidateContextToken(String contextTokenString, String appHostName)
at ECompliance.ApplicationForms.TokenHelper.GetClientContextWithContextToken(String targetUrl, String contextTokenString, String appHostUrl)
at ECompliance.ApplicationForms.Masters.AppInitiator.Page_Load(Object sender, EventArgs e)
By executing below command we identified that the Client Secret had expired
Get-MsolServicePrincipalCredential -AppPrincipalID "<ClientID> as outlined in this article .
We created a new Client Secret and used that in the web.config file of the Remote Web, but the issue persisted.
We used below command to remove all the client secrets which were already available including the expired one.
Remove-MsolServicePrinicipal -AppPrincipalId "<ClientID>" -KeyIds "<GUID>"
Refer to this article to get more information about this command.
We created a new client secret and added it to the web.config file. Refer to this article on how to create and update to use new client secret.
After creation and updating to new client secret we will have to wait for 8 hours for this to work.
Reason for this 8 hour wait is Sharepoint Online servers are in PST time zone and Azure is in UTC time zone. Time difference between PST and UTC is 8 hours.
We tested the App after 8 hours and issue resolved.
Hope this post helps if you happen to hit this issue at some point in time !!!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.