SharePoint 2013 Workflow: Token contains invalid signature


I’ve run into this “Token contains invalid signature” issue with SharePoint and Project Server 2013 workflows a couple of times, and also referred to in the logs as Invalid JWT token – and the error shows “invalid client” too. The symptom is the workflow starts but then shows as cancelled – and hitting the additional workflow information page for Project Server workflows and the information icon will give the error at the foot of the posting (for search engine consumption…) – and the forums tend to say that just wait a day and it goes away but no one that I could find knew what the overnight change was…

Well today wasn’t a day I wanted to wait – so I had a look around for which daily timer jobs might help things work. I tried a few service restarts first – but finally found the “Refresh Trusted Security Token Services Metadata feed” timer job – clicked the Run Now button – then tried another workflow and all was good!

Refresh Trusted Security Token Services Metadata feed

I hope this helps someone – and I’d also like validation if this does work for you as I am not 100% sure it was what fixed my issue.  With these things that can just start working again it could have been something else.  Change in the wind perhaps? 

*** Update 1/14/2014 – Thanks to Hans Bellen of UMT for validating that this is the timer job – and he also had some other guidance:

– Make sure you run the WF as a non-system account

– If this is a new farm, run the following timer jobs in SharePoint

1. Workflow Auto Cleanup
2. Notification Timer Job c02c63c2-12d8-4ec0-b678-f05c7e00570e
3. Hold Processing and Reporting
4. Bulk workflow task processing
5. Refresh Trusted Security Token Services Metadata feed [Farm job – Daily]

*** End Update
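
The Run Now step can also be done from the SharePoint 2013 Management Shell. The script below is an added example, not code from the original post: it finds the job by the display name given above, starts it, waits for its last-run time to advance, and then looks for the ULS event IDs quoted in this post (ajez0, ajezq). The five-minute timeout and ten-minute look-back are assumed values.

```powershell
# Added example (not from the original post). Run on a farm server as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Display name exactly as it appears in Central Administration (from the post).
$displayName = 'Refresh Trusted Security Token Services Metadata feed'

$jobs = @(Get-SPTimerJob | Where-Object { $_.DisplayName -eq $displayName })
if ($jobs.Count -eq 0) {
    # The job is not listed on every farm; stop rather than guess at another job.
    throw "Timer job '$displayName' was not found on this farm."
}

$started = Get-Date
foreach ($job in $jobs) {
    $before = $job.LastRunTime
    Write-Host "Starting '$($job.DisplayName)' (last run: $before)"
    Start-SPTimerJob -Identity $job

    # Poll until LastRunTime moves forward or the assumed 5-minute timeout expires.
    $deadline = (Get-Date).AddMinutes(5)
    do {
        Start-Sleep -Seconds 5
        $current = Get-SPTimerJob -Identity $job.Id
    } while ($current.LastRunTime -le $before -and (Get-Date) -lt $deadline)

    if ($current.LastRunTime -gt $before) {
        Write-Host "Completed at $($current.LastRunTime)"
    } else {
        Write-Warning "Job did not report a new run within 5 minutes; check the timer service."
    }
}

# Check: list recent token-validation failures on this server's ULS log.
# Start a new workflow first; entries stamped after $started mean the error persists.
$failures = @(Get-SPLogEvent -StartTime (Get-Date).AddMinutes(-10) |
    Where-Object { $_.EventID -in 'ajez0', 'ajezq' })

$failures | Sort-Object Timestamp |
    Select-Object Timestamp, EventID, Correlation, Message |
    Format-List

$stillFailing = @($failures | Where-Object { $_.Timestamp -gt $started })
Write-Host "Failures logged since the job was started: $($stillFailing.Count)"
```

Get-SPLogEvent reads only the local server's ULS files, so run the final check on the web front end that served the workflow call.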

Here is the full error information:

RequestorId: ab0ccadd-86a9-592e-40cb-22e59fbbf08d. Details: System.ApplicationException: HTTP 401 {"x-ms-diagnostics":["3000006;reason=\"Token contains invalid signature.\";category=\"invalid_client\""],"SPRequestGuid":["b70e7628-6c00-49b5-a06a-db91bcf2c0ec"],"request-id":["b70e7628-6c00-49b5-a06a-db91bcf2c0ec"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"SPRequestDuration":["114"],"SPIisLatency":["1"],"Server":["Microsoft-IIS\/8.0"],"WWW-Authenticate":["Bearer realm=\"5418e74f-0449-4a4c-a1be-ba58377ac362\",client_id=\"00000003-0000-0ff1-ce00-000000000000\",trusted_issuers=\"00000005-0000-0000-c000-000000000000@*,00000003-0000-0ff1-ce00-000000000000@5418e74f-0449-4a4c-a1be-ba58377ac362\"","NTLM"],"X-Powered-By":["ASP.NET"],"MicrosoftSharePointTeamServices":["15.0.0.4535"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1; RequireReadOnly"],"Date":["Mon, 13 Jan 2014 22:15:08 GMT"]} at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager bookmarkManager, Location resultLocation)

and the ULS logs will say something like:

01/13/2014 14:15:09.25    w3wp.exe (0x2FB8)    0x1E88    SharePoint Foundation    Application Authentication    ajez0    High    SPApplicationAuthenticationModule: Invalid token or signature. Exception: System.IdentityModel.Tokens.SecurityTokenException: Invalid JWT token. Could not resolve issuer token.     at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken)     at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadActor(IDictionary`2 payload)     at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken)     at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.TryExtractAndValidateToken(HttpContext httpContext, SPIncomingTokenContext& tokenContext)    529744b4-b81b-4728-b2f7-ddaebb0e6e1e

01/13/2014 14:15:09.27    w3wp.exe (0x2FB8)    0x1E88    SharePoint Foundation    Application Authentication    ajezq    High    SPApplicationAuthenticationModule: Error authenticating request, Error details: Header: 3000006;reason="Token contains invalid signature.";category="invalid_client", Body: {"error_description":"Invalid JWT token. Could not resolve issuer token."}    529744b4-b81b-4728-b2f7-ddaebb0e6e1e

01/13/2014 14:15:09.27    w3wp.exe (0x2FB8)    0x1E88    SharePoint Foundation    General    8nca    Medium    Application error when access /PWA/_vti_bin/client.svc, Error=Invalid JWT token. Could not resolve issuer token.   at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken)     at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadActor(IDictionary`2 payload)     at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken)     at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.TryExtractAndValidateToken(HttpContext httpContext, SPIncomingTokenContext& tokenContext)    529744b4-b81b-4728-b2f7-ddaebb0e6e1e

Comments (26)

  1. Anonymous says:

    Thank you!!! Found that timer job, ran it, and life is good. BTW, I had previously been working on the WF server, and had had to nuke its certs and re-install the cert for the WFE server (Computer account, trusted root cert authorities). That had been preventing me from registering the WF server. With the correct cert installed, I could register OK, but then this “Token contains invalid signature” error was being returned on the WFE every time I tried to start a 2013 WF. Running the timer job fixed it.

  2. Gopinath says:

    It helped a lot. Thank you so much.

  3. Sophie says:

    Thank you!

  4. Alex Dean says:

    That was just the ticket! thanks for posting this gem. saved me yet another headache

  5. Radeon78 says:

    It works thanks 🙂

  6. Bhavin Patel says:

    You made my day 😉 Excellent quick fix which saved much of my time…

  7. Hansraj Rathva says:

    Excellent… It’s really magic. I am also getting this error and I tried to resolve it but was not able to resolve it. Now the workflow is running fine. Thanks

  8. Fello crafter says:

    Great help. Thank you.

  9. Ritesh Singh says:

    Great article… it works for me.

  10. Amit Lohogaonkar says:

    This is amazing tip and saved us from recreating wf farm! Thank you!!

  11. Sebastian Klatt says:

    Hi Brian,
    do you know if there are any prerequisites for this timer job?
    I tried to find it on several SP2013 farms (with several patch levels, one is up-to-date until CU July 2014) but can’t find it under the Job Definitions on any of those farms (all have a limited set of services activated and my issue is linked to an app, not a workflow, however the error is the same).

  12. Jeronimo says:

    Great, thanks!!!

  13. Lazermn03 says:

    Great Post!! Been trying to dive into an issue after upgrading to CU 2.0 for the workflow service and then ran into this after I got that all working again. Glad I didn’t have to wait a whole day.

  14. Nikhil Doomra says:

    Thanks it helped me!

  15. Alok says:

    Thanks. It helped me too!

  16. Jonathan Lizano says:

    Thank you very very very very very much!!!!!!! Really incredible!!!!

  17. Deb L says:

    Thanks this tip saved a lot of rework!

  18. Duc Lam says:

    it worked for me.
    thanks

  19. Adrian Holland says:

    U R a Legend – thanks

  20. Sylvain says:

    Timer job did the job !! 😉

  21. George says:

    worked for me….much better than just waiting a day. thanks

  23. eric fehn says:

    Thank you, this was my problem also after rebuilding the workflow service.

  24. Gianni says:

    Thank you. I installed Workflow Manager on a standalone server from scratch and this was the problem preventing me from running any workflows. I tried reinstalling everything to no avail. After running the 5 timer jobs everything was working fine.

  25. P_rashant says:

    It really helped us get out of the workflow mess. Thanks a lot 🙂