Microsoft Project Support Blog

The place to come for Microsoft Project, Microsoft Project Server and Project Online support topics

SharePoint 2013 Workflow: Token contains invalid signature

SharePoint 2013 Workflow: Token contains invalid signature

  • Comments 10
  • Likes

I’ve run into this “Token contains invalid signature” issue with SharePoint and Project Server 2013 workflows a couple of times, and also referred to in the logs as Invalid JWT token – and the error shows “invalid client” too.  The symptom is the workflow starts but then shows as cancelled – and hitting the additional workflow information page for Project Server workflows and the information icon will give the error at the foot of the posting (for search engine consumption…) – and the forums tend to say that just wait a day and it goes away but no one that I could find knew what the overnight change was….  Well today wasn’t a day I wanted to wait – so I had a look around for which daily timer jobs might help things work.  I tried a few service restarts first – but finally found the “Refresh Trusted Security Token Services Metadata feed” timer job – clicked the Run Now button – then tried another workflow and all was good!

Refresh Trusted Security Token Services Metadata feed

I hope this helps someone – and I’d also like validation if this does work for you as I am not 100% sure it was what fixed my issue.  With these things that can just start working again it could have been something else.  Change in the wind perhaps? 

*** Update 1/14/2014 - Thanks to Hans Bellen of UMT for validating that this is the timer job - and he also had some other guidance:

- Make sure you run the WF as a non-system account

- If this is a new farm, run the following timer jobs in SharePoint

1.Workflow Auto Cleanup 
2.Notification Timer Job c02c63c2-12d8-4ec0-b678-f05c7e00570e   
3.Hold Processing and Reporting   
4.Bulk workflow task processing
5.Refresh Trusted Security Token Services Metadata feed [Farm job – Daily]

*** End Update

Here is the full error information:

RequestorId: ab0ccadd-86a9-592e-40cb-22e59fbbf08d. Details: System.ApplicationException: HTTP 401 {"x-ms-diagnostics":["3000006;reason=\"Token contains invalid signature.\";category=\"invalid_client\""],"SPRequestGuid":["b70e7628-6c00-49b5-a06a-db91bcf2c0ec"],"request-id":["b70e7628-6c00-49b5-a06a-db91bcf2c0ec"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"SPRequestDuration":["114"],"SPIisLatency":["1"],"Server":["Microsoft-IIS\/8.0"],"WWW-Authenticate":["Bearer realm=\"5418e74f-0449-4a4c-a1be-ba58377ac362\",client_id=\"00000003-0000-0ff1-ce00-000000000000\",trusted_issuers=\"00000005-0000-0000-c000-000000000000@*,00000003-0000-0ff1-ce00-000000000000@5418e74f-0449-4a4c-a1be-ba58377ac362\"","NTLM"],"X-Powered-By":["ASP.NET"],"MicrosoftSharePointTeamServices":["15.0.0.4535"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1; RequireReadOnly"],"Date":["Mon, 13 Jan 2014 22:15:08 GMT"]} at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager bookmarkManager, Location resultLocation)

and the ULS logs will say something like:

01/13/2014 14:15:09.25    w3wp.exe (0x2FB8)    0x1E88    SharePoint Foundation    Application Authentication    ajez0    High    SPApplicationAuthenticationModule: Invalid token or signature. Exception: System.IdentityModel.Tokens.SecurityTokenException: Invalid JWT token. Could not resolve issuer token.     at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken)     at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadActor(IDictionary`2 payload)     at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken)     at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.TryExtractAndValidateToken(HttpContext httpContext, SPIncomingTokenContext& tokenContext)    529744b4-b81b-4728-b2f7-ddaebb0e6e1e

01/13/2014 14:15:09.27    w3wp.exe (0x2FB8)    0x1E88    SharePoint Foundation    Application Authentication    ajezq    High    SPApplicationAuthenticationModule: Error authenticating request, Error details: Header: 3000006;reason="Token contains invalid signature.";category="invalid_client", Body: {"error_description":"Invalid JWT token. Could not resolve issuer token."}    529744b4-b81b-4728-b2f7-ddaebb0e6e1e

01/13/2014 14:15:09.27    w3wp.exe (0x2FB8)    0x1E88    SharePoint Foundation    General    8nca    Medium    Application error when access /PWA/_vti_bin/client.svc, Error=Invalid JWT token. Could not resolve issuer token.   at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken)     at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadActor(IDictionary`2 payload)     at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken)     at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.TryExtractAndValidateToken(HttpContext httpContext, SPIncomingTokenContext& tokenContext)    529744b4-b81b-4728-b2f7-ddaebb0e6e1e

Comments
  • Thank you!!! Found that timer job, ran it, and life is good. BTW, I had previously been working on the WF server, and had had to nuke its certs and re-install the cert for the WFE server (Computer account, trusted root cert authorities). That had been preventing me from registering the WF server. With the correct cert installed, I could register OK, but then this "Token contains invalid signature" error was being returned on the WFE every time I tried to start a 2013 WF. Running the timer job fixed it.

  • It helped a lot. Thanks you so much.

  • Thank you!

  • That was just the ticket! thanks for posting this gem. saved me yet another headache

  • It works thanks :)

  • You made my day ;-) Excellent quick fix which save much time of mine...

  • Excellent...Its really magic. I am also getting this error and i tried to resolved it but could not able to resolve it. Now workflow is running fine.. Thanks

  • Great help. Thank you.

  • Great article...it's works for me.

  • This is amazing tip and saved us from recreating wf farm! Thank you!!

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment