I’ve run into this “Token contains invalid signature” issue with SharePoint and Project Server 2013 workflows a couple of times. It is also referred to in the logs as “Invalid JWT token”, and the error shows “invalid client” too. The symptom is that the workflow starts but then shows as cancelled, and hitting the additional workflow information page for Project Server workflows and the information icon will give the error at the foot of this posting (for search engine consumption…). The forums tend to say to just wait a day and it goes away, but no one that I could find knew what the overnight change was. Well, today wasn’t a day I wanted to wait, so I had a look around for which daily timer jobs might help things work. I tried a few service restarts first, but finally found the “Refresh Trusted Security Token Services Metadata feed” timer job, clicked the Run Now button, then tried another workflow and all was good!
I hope this helps someone – and I’d also like validation if this does work for you as I am not 100% sure it was what fixed my issue. With these things that can just start working again it could have been something else. Change in the wind perhaps?
Here is the full error information:
RequestorId: ab0ccadd-86a9-592e-40cb-22e59fbbf08d. Details: System.ApplicationException: HTTP 401 {"x-ms-diagnostics":["3000006;reason=\"Token contains invalid signature.\";category=\"invalid_client\""],"SPRequestGuid":["b70e7628-6c00-49b5-a06a-db91bcf2c0ec"],"request-id":["b70e7628-6c00-49b5-a06a-db91bcf2c0ec"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"SPRequestDuration":["114"],"SPIisLatency":["1"],"Server":["Microsoft-IIS\/8.0"],"WWW-Authenticate":["Bearer realm=\"5418e74f-0449-4a4c-a1be-ba58377ac362\",client_id=\"00000003-0000-0ff1-ce00-000000000000\",trusted_issuers=\"00000005-0000-0000-c000-000000000000@*,00000003-0000-0ff1-ce00-000000000000@5418e74f-0449-4a4c-a1be-ba58377ac362\"","NTLM"],"X-Powered-By":["ASP.NET"],"MicrosoftSharePointTeamServices":["15.0.0.4535"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1; RequireReadOnly"],"Date":["Mon, 13 Jan 2014 22:15:08 GMT"]} at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager bookmarkManager, Location resultLocation)
and the ULS logs will say something like:
01/13/2014 14:15:09.25 w3wp.exe (0x2FB8) 0x1E88 SharePoint Foundation Application Authentication ajez0 High SPApplicationAuthenticationModule: Invalid token or signature. Exception: System.IdentityModel.Tokens.SecurityTokenException: Invalid JWT token. Could not resolve issuer token. at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken) at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadActor(IDictionary`2 payload) at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken) at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.TryExtractAndValidateToken(HttpContext httpContext, SPIncomingTokenContext& tokenContext) 529744b4-b81b-4728-b2f7-ddaebb0e6e1e
01/13/2014 14:15:09.27 w3wp.exe (0x2FB8) 0x1E88 SharePoint Foundation Application Authentication ajezq High SPApplicationAuthenticationModule: Error authenticating request, Error details: Header: 3000006;reason="Token contains invalid signature.";category="invalid_client", Body: {"error_description":"Invalid JWT token. Could not resolve issuer token."} 529744b4-b81b-4728-b2f7-ddaebb0e6e1e
01/13/2014 14:15:09.27 w3wp.exe (0x2FB8) 0x1E88 SharePoint Foundation General 8nca Medium Application error when access /PWA/_vti_bin/client.svc, Error=Invalid JWT token. Could not resolve issuer token. at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken) at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadActor(IDictionary`2 payload) at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken) at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.TryExtractAndValidateToken(HttpContext httpContext, SPIncomingTokenContext& tokenContext) 529744b4-b81b-4728-b2f7-ddaebb0e6e1e
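The timer job named above can also be started from the SharePoint Management Shell instead of Central Administration. The following is an added example, not part of the original post: it lists the trusted token issuers and their signing certificates, runs the job, and waits for it to finish. The wildcard match on the display name and the `$TimeoutSeconds` value are assumptions.

```powershell
# Added example: run on a farm server as a farm administrator.
$TimeoutSeconds = 120   # assumed upper bound on how long to wait for the job

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Show-TokenIssuers {
    # Trusted issuers and the certificate SharePoint uses to check their JWT signatures.
    Get-SPTrustedSecurityTokenIssuer |
        Select-Object Name, RegisteredIssuerName, MetadataEndPoint,
            @{ n = 'SigningCertThumbprint'; e = { $_.SigningCertificate.Thumbprint } },
            @{ n = 'SigningCertNotAfter';   e = { $_.SigningCertificate.NotAfter } } |
        Format-List
}

Write-Host 'Trusted token issuers before the refresh:'
Show-TokenIssuers

# Locate the job by the display name quoted in the post (wildcard is an assumption).
$pattern = 'Refresh Trusted Security Token Services Metadata feed*'
$jobs = @(Get-SPTimerJob | Where-Object { $_.DisplayName -like $pattern })
if ($jobs.Count -eq 0) { throw "No timer job matching '$pattern' was found." }

foreach ($job in $jobs) {
    $before = $job.LastRunTime
    Write-Host "Starting '$($job.DisplayName)' (last run: $before)"
    Start-SPTimerJob -Identity $job

    # Poll until LastRunTime moves forward or the timeout expires.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $current = Get-SPTimerJob -Identity $job.Id
    } while ($current.LastRunTime -le $before -and (Get-Date) -lt $deadline)

    if ($current.LastRunTime -gt $before) {
        Write-Host "Job completed at $($current.LastRunTime)"
    } else {
        Write-Warning "Job did not report a new run within $TimeoutSeconds seconds."
    }
}

Write-Host 'Trusted token issuers after the refresh:'
Show-TokenIssuers
```

A signing certificate thumbprint that differs between the two listings shows that the refresh picked up a new key from the issuer's metadata endpoint.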