Token contains invalid signature.

    Question

  • Hello,

    I am trying to set up a workflow that will get some profile information from the user profiles and make that available in a list.  I have it partially working, but I have run into a snag. 

    So we have several SharePoint farms because our company is international.  Some of the basic profile information is sync'd with AD, so it is available at each farm.  However, some of the data is only on the user's local farm, such as skills.  We have set up the profiles so that the user's home location is the only place where the user will have their personal site and some of the more individual profile properties (like skills).  So if I am on farm A and I try to access the profile on farm A then everything works.  If I am on farm A and I am trying to access a profile on farm B then I get the error below.

    Response Header: {"x-ms-diagnostics":["3000006;reason=\"Token contains invalid signature.\";category=\"invalid_client\""],"SPRequestGuid":["dc18bad0-700a-a065-85af-53b1e41614cf"],"request-id":["dc18bad0-700a-a065-85af-53b1e41614cf"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"SPRequestDuration":["3"],"SPIisLatency":["0"],"Server":["Microsoft-IIS\/7.5"],"WWW-Authenticate":["Bearer realm=\"xfab\",client_id=\"00000003-0000-0ff1-ce00-000000000000\",trusted_issuers=\"00000005-0000-0000-c000-000000000000@*,00000003-0000-0ff1-ce00-000000000000@xfab,00000003-0000-0ff1-ce00-000000000000@xfab,00000003-0000-0ff1-ce00-000000000000@xfab,00000003-0000-0ff1-ce00-000000000000@xfab,00000003-0000-0ff1-ce00-000000000000@xfab\"","Negotiate","NTLM"],"X-Powered-By":["ASP.NET"],"MicrosoftSharePointTeamServices":["15.0.0.4763"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1; RequireReadOnly"],"Date":["Thu, 12 Jul 2018 15:21:30 GMT"],"X-RBT-SCAR":["10.49.0.208:203655268:2000"]}

    • I have already tried running the job "Refresh Trusted Security Token Services Metadata feed" as suggested on another forum post. 
    • I have also tried adding permissions of the farm and service account of farm A to farm B
    • I have tried having the web service call in an app step and also not in an app step
    • I have tried adding app permissions of farm A to the profiles of farm B with the app permissions set as
      <AppPermissionRequests>
          <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Read" />
      </AppPermissionRequests>

    Any idea where I need to add permission to farm B to allow farm A to access the profiles of farm B?

    Thanks,

    Eric

    Thursday, 12 July 2018 16:04

All replies

  • Hi,

    Have you configured server-to-server authentication between farms?

    Information about how to share service applications across farms in SharePoint Server:

    https://docs.microsoft.com/en-us/SharePoint/administration/share-service-applications-across-farms

    Best regards,

    Linda Zhang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, 13 July 2018 09:35
    Moderator
  • Hi Linda,

    Yes, I have actually configured the server-to-server authentication already.  I sort of simplified my original question, but we really have 5 farms across the globe.  Each farm has its own user profile service, and to get the part working where people can follow sites and documents I have already had to set up the profile services to be published and consumed at each farm.  So site A has published site A's user profile service and sites B-E all consume it, and vice versa.  It was quite a bit of configuration when I did that, but the end result is that anyone from any site can follow sites and documents at other farms.

    I am double checking my settings though.  I will let you know if this leads to anything.

    Thanks,

    Eric

    Friday, 13 July 2018 15:22
  • Hi Linda,

    I have found that I did not grant permissions to the published "User Profile Service".  I did it for "Application Discovery and Load Balancer Service Application" and also for "Search Service", but I never did it for the "User Profile Service".  I tried it today and I was getting the error "The User Profile Application requires domain credentials for connection access."  I assume when I saw that before I just went on because my cross farm search and following features were all working. 

    Today I found at the bottom of the article at https://docs.microsoft.com/en-us/SharePoint/administration/set-permission-to-a-published-service-application that if you are setting permissions on the "User Profile Service" then you must use the consuming farm's web application pool identity (domain\username).  So I have done this for the consuming farm, but I am trying to access the "User Profile Service" of farm B from farm A's workflow service.  I have also added the domain account for our workflow service (on a separate application server), but I continue to get the same error.

    One thing I have noticed about the error message, though: it has MicrosoftSharePointTeamServices":["15.0.0.4763"] in the message, but our current version is 15.0.5023.1000.  Is it possible the token is somehow wrong because updates have been installed?  I doubt this should be the problem because search and following sites still seem to work fine, but I don't know what "Token contains invalid signature" means.  What is the signature, how do I see the signature, and what is a valid signature?

    Thanks,

    Eric

    Friday, 13 July 2018 21:24
  • Sorry, one more thing.  Here are the three most detailed messages I could find in the ULS.

    SPApplicationAuthenticationModule: Invalid token or signature. Exception: System.IdentityModel.Tokens.SecurityTokenException: Invalid JWT token. Could not resolve issuer token.   
     at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken)   
     at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.TryExtractAndValidateToken(HttpContext httpContext, SPIncomingTokenContext& tokenContext)

    SPApplicationAuthenticationModule: Error authenticating request, Error details: Header: 3000006;reason="Token contains invalid signature.";category="invalid_client", Body: {"error_description":"Invalid JWT token. Could not resolve issuer token."}

    Application error when access /_api/SP.UserProfiles.PeopleManager/GetUserProfilePropertyFor(accountName=@v,propertyName='SPS-Skills'), Error=Invalid JWT token. Could not resolve issuer token. 
     at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken)   
     at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.TryExtractAndValidateToken(HttpContext httpContext, SPIncomingTokenContext& tokenContext)

    Friday, 13 July 2018 21:46
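Eric asks above what the "signature" is, and the ULS entries say "Could not resolve issuer token". The script below is an added diagnostic, not code from this thread or from Microsoft. It shows the step the receiving farm performs before it can check any signature at all: it parses the Bearer challenge in the WWW-Authenticate header (the value used here is the one from the original post's response header) and the unverified claims of the JWT the caller presented, then reports whether the token's issuer, in the form issuerId@realm, appears in the farm's trusted_issuers list, with the "@*" form trusting that issuer id in any realm. The sample token, the farm A issuer/realm GUIDs, and the farmb.example.com host name are constructed placeholders; real tokens carry a signature that this script never validates, since that requires the issuer's signing certificate registered on the receiving farm.

```python
"""Added diagnostic for the S2S "Could not resolve issuer token" failure seen above.

Constructed example, not code from the thread or from Microsoft: it parses the
Bearer challenge the receiving farm sends in WWW-Authenticate and the unverified
claims of the JWT the calling farm presented, then reports whether the token's
issuer ("issuerId@realm") is one the receiving farm trusts.  No signature is
checked here; that needs the issuer's signing certificate held by the farm.
"""
import base64
import json
import re


def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    """Encode bytes as unpadded base64url, the JWT segment format."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_bearer_challenge(header):
    """Turn 'Bearer realm="r",client_id="c",trusted_issuers="a,b"' into a dict."""
    body = header[len("Bearer "):] if header.startswith("Bearer ") else header
    params = dict(re.findall(r'(\w+)="([^"]*)"', body))
    issuers = params.get("trusted_issuers", "")
    params["trusted_issuers"] = [i.strip() for i in issuers.split(",") if i.strip()]
    return params


def decode_jwt_unverified(token):
    """Return (header, claims) of a compact JWS without validating the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def issuer_is_trusted(issuer, trusted_issuers):
    """Match 'id@realm' against the farm's list; 'id@*' trusts that id in any realm."""
    if "@" not in issuer:
        return False
    iss_id, iss_realm = issuer.rsplit("@", 1)
    for entry in trusted_issuers:
        if "@" not in entry:
            continue
        t_id, t_realm = entry.rsplit("@", 1)
        if t_id.lower() == iss_id.lower() and (
            t_realm == "*" or t_realm.lower() == iss_realm.lower()
        ):
            return True
    return False


def diagnose(token, www_authenticate):
    """Explain why the receiving farm could (or could not) resolve the token's issuer."""
    challenge = parse_bearer_challenge(www_authenticate)
    _, claims = decode_jwt_unverified(token)
    iss = claims.get("iss", "")
    aud = claims.get("aud", "")
    realm = challenge.get("realm", "")
    result = {
        "issuer": iss,
        "receiving_realm": realm,
        "issuer_trusted": issuer_is_trusted(iss, challenge["trusted_issuers"]),
        # audience is "clientId/hostname@realm"; only the realm part is compared here
        "audience_realm_matches": (
            aud.rsplit("@", 1)[-1].lower() == realm.lower() if "@" in aud else False
        ),
    }
    if not result["issuer_trusted"]:
        result["hint"] = ("issuer %s is not in trusted_issuers; the receiving farm cannot "
                          "resolve it, so the signature is never even checked" % iss)
    elif not result["audience_realm_matches"]:
        result["hint"] = "issuer is trusted but the audience realm is not the receiving farm's"
    else:
        result["hint"] = "issuer resolves; a remaining failure would be the signature itself"
    return result


# --- constructed sample data -------------------------------------------------
# The challenge value is the one carried in the original post's response header.
WWW_AUTHENTICATE = (
    'Bearer realm="xfab",client_id="00000003-0000-0ff1-ce00-000000000000",'
    'trusted_issuers="00000005-0000-0000-c000-000000000000@*,'
    '00000003-0000-0ff1-ce00-000000000000@xfab,00000003-0000-0ff1-ce00-000000000000@xfab,'
    '00000003-0000-0ff1-ce00-000000000000@xfab,00000003-0000-0ff1-ce00-000000000000@xfab,'
    '00000003-0000-0ff1-ce00-000000000000@xfab"'
)
# Hypothetical identifiers for the calling farm (farm A); not values from the thread.
FARM_A_ISSUER = "11111111-2222-3333-4444-555555555555@aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
FARM_B_AUDIENCE = "00000003-0000-0ff1-ce00-000000000000/farmb.example.com@xfab"


def make_sample_token(issuer, audience):
    """Build a compact JWS with a placeholder signature segment (constructed, unsigned)."""
    header = {"typ": "JWT", "alg": "RS256"}
    claims = {"iss": issuer, "aud": audience, "nameid": issuer.split("@")[0]}
    sig = b64url_encode(b"placeholder-not-a-real-signature")
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()), sig])


if __name__ == "__main__":
    token = make_sample_token(FARM_A_ISSUER, FARM_B_AUDIENCE)
    for key, value in diagnose(token, WWW_AUTHENTICATE).items():
        print("%s: %s" % (key, value))
```

Run against a real call, the token to paste in is the Bearer value the calling farm sent (visible in a request trace on the workflow host), and the challenge is the WWW-Authenticate value the 401 response returned, as in the post above. If the issuer does not resolve, the fix lies in the receiving farm's trusted security token issuer registrations (on SharePoint 2013 these are listed with Get-SPTrustedSecurityTokenIssuer), not in service application permissions; if it does resolve and the farm still reports an invalid signature, the certificate it holds for that issuer no longer matches the one signing the tokens, which is the case the "Refresh Trusted Security Token Services Metadata feed" job mentioned earlier exists to repair.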