Hey, I'm an app guy, I like doing dev, but honestly - I may go hoarse screaming at my computer if I have to track down one more "The issuer of the token is not a trusted issuer" problem with my new SharePoint apps. To try and help you save your own voice (and sanity) I'm going to start a list here of things that I look for when I get this issue. As I discover new and exciting ways of both invoking this error and resolving it, I will just update the post here and throw an "UPDATED!" doohickey below.
It's important to remember that when I say "high trust app", that means you are NOT using ACS as the trust broker for your SharePoint app; instead you are creating the OAuth token yourself and signing it with your own certificate. I know we have this whole process documented out there somewhere so I'm not going to try and describe that here again. I'm going to assume you read it, you've been trying it, and now you are ready to give the one-finger salute to your monitor. So, that being said, here are some of the ways I've seen this error occur:
Now, there's also a related issue worth noting: suppose you "think" you've gotten past this error, but then you get an Access Denied error when trying to retrieve content from a SharePoint site in your self-hosted application? Well what that can mean is:
Now a nearly equally good question is how do I track down stuff like this when it happens? Well if it were easy I wouldn't be hoarse and saluting my monitor with one finger. But here are the best data sources I've found so far to use when this problem happens. Again, as I find new things I will add to the list:
$spurl = "https://foo"
$spsite = Get-SPSite $spurl
$realm = Get-SPAuthenticationRealm -ServiceContext $spsite
$realm
That will output to the screen whatever your realm is. Finally, there's one other thing you can do to verify - make sure that you have an appPrincipal created for the ClientId you are using. Again here's some PowerShell you can use to check that, using my WWW-Authenticate header info from above:
Get-SPAppPrincipal -NameIdentifier e9134021-0180-4b05-9e7e-0a9e5a524965@8a96481b-6c65-4e78-b2ef-a446adb79b59 -Site https://foo
If you get an error or no results then you know you don't have a valid SPAppPrincipal so you need to create one using PowerShell. For completeness, here's an example of that:
$clientId = "some guid you create"
$spurl = "https://foo"
$spsite = Get-SPSite $spurl
$realm = Get-SPAuthenticationRealm -ServiceContext $spsite
$fullAppIdentifier = $clientId + '@' + $realm
$appPrincipal = Register-SPAppPrincipal -NameIdentifier $fullAppIdentifier -Site $spsite.OpenWeb() -DisplayName "My Cool App"
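Pulling the realm, trusted-issuer and app-principal checks above into one script, as an added example that is not from the original post: it assumes the ClientId, IssuerId and signing-certificate thumbprint are the placeholder values you replace with the ones from your web.config and your New-SPTrustedSecurityTokenIssuer registration, and that the issuer was registered with the usual issuerId@realm name.

```powershell
# Added diagnostic script (not the original post's code). Placeholders below are
# assumptions: substitute the values from your own high trust app configuration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$spurl      = "https://foo"
$clientId   = "<ClientId from web.config>"           # placeholder
$issuerId   = "<IssuerId from web.config>"           # placeholder
$thumbprint = "<thumbprint of your signing cert>"    # placeholder

$spsite = Get-SPSite $spurl
$realm  = Get-SPAuthenticationRealm -ServiceContext $spsite
Write-Host "Realm for $spurl is $realm"

# Check 1: is there a trusted security token issuer registered as issuerId@realm?
$expectedIssuer = $issuerId + '@' + $realm
$issuers = Get-SPTrustedSecurityTokenIssuer
$match = $issuers | Where-Object { $_.RegisteredIssuerName -ieq $expectedIssuer }
if ($match -eq $null) {
    Write-Warning "No trusted issuer registered as $expectedIssuer"
    # List what IS registered so a realm or IssuerId mismatch is obvious
    $issuers | ForEach-Object { Write-Host "  found: $($_.Name) -> $($_.RegisteredIssuerName)" }
} else {
    # Check 2: does the issuer's signing certificate match the one the app signs with?
    $certThumb = $match.SigningCertificate.Thumbprint
    if ($certThumb -ine $thumbprint) {
        Write-Warning "Issuer found, but its signing cert thumbprint ($certThumb) differs from $thumbprint"
    } else {
        Write-Host "Trusted issuer and signing certificate match."
    }
}

# Check 3: is there an app principal for clientId@realm on this site?
$fullAppIdentifier = $clientId + '@' + $realm
$principal = Get-SPAppPrincipal -NameIdentifier $fullAppIdentifier -Site $spurl -ErrorAction SilentlyContinue
if ($principal -eq $null) {
    Write-Warning "No SPAppPrincipal for $fullAppIdentifier; create one with Register-SPAppPrincipal"
} else {
    Write-Host "App principal present: $($principal.DisplayName)"
}
```

Run it from the SharePoint Management Shell on a farm server; each warning points at one of the mismatches that produce the trusted-issuer error or the follow-on Access Denied.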
Okay, and with that, my list of high trust app troubleshooting tips is exhausted for today, as am I. When or if I have more news I will update this post.
Great article, I like the part saluting your monitor with one finger :-)
Hi, thanks for sharing these tips!
However, the link about setting up Root Authorities is broken :(
Another question: Where can I pick the IssuerID value to use in my web.config? Is it the Id of the object returned by the New-SPTrustedSecurityTokenIssuer cmdlet?
How to publish this in on-premise app stores (Organization app store)?
We keep getting an error which states that the SPAppToken is blank and Azure Access Control Services is not available. This is a self-contained on-prem app (not using O365 or Azure).
Is SPAppToken related to Azure ACS and is this why SPAppToken is blank?
Do I need to install and configure Azure ACS on an on-prem environment? If so, what do I install... I thought this was installed as a pre-req for SP2013... if not, is there a configuration to turn this off?
Great Article! I like the salute part humor.
The Fiddler troubleshooting tip and the information on clientId was exactly what I needed. Thanks so much!
I have tried everything here and I'm still getting 401.
I've been having this problem for a few weeks now, I don't know what else to try...
Hi, I have successfully created a provider hosted app on my machine, having IIS & SharePoint 2013 both. Now I want to deploy the app to another machine (on premises) which has IIS + SharePoint 2013. I followed every article published, but still unable to get the thing working. Please help me, below are the stuck points.
1. I am able to get the app page (default.aspx inside the Web project) after adding the app.
2. I am able to get the html controls & any Response.Write strings.
Problem facing area:
1. ClientContext ctx = new ClientContext("hosturl"): Failed here
2. Used Kirk Evans' code & steps (http://blogs.msdn.com/b/kaevans/archive/2013/02/23/sharepoint-2013-app-only-policy-made-easy.aspx): Failed to resolve Token Helper - File not found & Private key not available (X509 error).
3. Followed your coding, same error as above.
Please help me how to resolve. Thanks in advance, Siva
After I enabled SSL in the app web hosted on the remote web IIS server, I received an access denied error for my provider hosted app ("Access denied. You do not have permission to perform this action or access this resource."). Please help me resolve this.
thanks in advance
Hi, thanks for the great article. I got our provider-hosted app up and running on-prem using high-trust. However, during user testing, they encountered a 401 issue after being idle in IE for a few minutes. It seems that the connection to SP has been lost.
The app is using Kerberos with NTLM as fallback and the SP web app is configured for Kerberos. Any idea would be great. Thanks