Hybrid Search:JWT token is invalid. ACS50010: Validation of Audience URI(s) failed


Hello There,

Worked on an issue where duplicate Service Principal names were throwing below error:

1¾System.Net.WebException: The request was aborted: The request was canceled. ---> Microsoft.SharePoint.IdentityModel.OAuth2.SPOAuth2ErrorResponseException: [invalid_client] ACS50027: JWT token is invalid. ACS50010: Validation of Audience URI(s) '00000001-0000-0000-c000-000000000000/accounts.accesscontrol.windows.net@*****'failed. No match was found with allowed audience(s) 'https://accounts.accesscontrol.windows.net/tokens/OAuth/2','00000001

JWT token is invalid shows up primarily due to Incorrect or duplicate SPN value or an invalid/expired certificate that has been used to configure the ACS trust . Once you have ensured that the certificates do look good on each Onprem server you can then run below commands to check SPN.

How to Get SPN:

1. $spoappid: This is always "00000003-0000-0ff1-ce00-000000000000"

2. $app = Get-MsolServicePrincipal -AppPrincipalId "00000003-0000-0ff1-ce00-000000000000"

3. $app.ServicePrincipalNames

Here is the result of $app.ServicePrincipalNames

For eg: 

               00000003-0000-0ff1-ce00-000000000000/spocloud.com    (# duplicate!)

               00000003-0000-0ff1-ce00-000000000000/*.spocloud.com

               00000003-0000-0ff1-ce00-000000000000

               Microsoft.SharePoint

               00000003-0000-0ff1-ce00-000000000000/*.sharepoint.com

 

In above example the SPN *.spocloud.com is the web app url of Onprem server. Now I want to remove the SPN at position "0 " called spocloud.com

 

 How to clean up SPN:

 

After executing 1,2,3  above continue with rest of steps below:

 

4. $app.ServicePrincipalNames.RemoveAt(0)

5. Set-MsolServicePrincipal -AppPrincipalId $app.AppPrincipalId -ServicePrincipalNames $app.ServicePrincipalNames

6. $app (Make sure SPN looks good)

7. Get-SPServiceApplicationProxy | ? {$_.Name -eq "ACS"} | Remove-SPServiceApplicationProxy            #clean the proxy and certificate.

8. Remove-SPTrustedSecurityTokenIssuer –Identity

9. New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri "https://accounts.accesscontrol.windows.net/metadata/json/1/" -DefaultProxyGroup

10. New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://accounts.accesscontrol.windows.net/metadata/json/1/" -IsTrustBroker -Name "ACS"


Comments (0)

Skip to main content