Another Apps for SharePoint Tip with the Error "The issuer of the token is not a trusted issuer"

I was working on a build of SharePoint that is post beta 2 today, and found that one of my custom high trust apps I had built would no longer work. In looking at the ULS logs I was getting the dreaded "The issuer of the token is not a trusted issuer" error message. I think this is the equivalent of "generic error" for the new app model, because I seem to run into it in multiple scenarios, none of which have been an actual certificate trust error yet. In any case, what I eventually determined is that there has been a change since beta 2 in how certificates are used for high trust apps. When you create a new SPTrustedSecurityTokenIssuer, you have to provide a certificate that is going to be used. How you configure that SPTrustedSecurityTokenIssuer, though, will determine whether it can be used to sign OAuth tokens for a single application or multiple applications. In order to use it with multiple applications (as defined by the App ID, which will become the "client ID" when SharePoint ships), the SPTrustedSecurityTokenIssuer has to be configured as a trust broker. If you don't do this (which you didn't have to do in beta 2), then your SPTrustedSecurityTokenIssuer only works with one app.

The solution fortunately is easy enough - when you use the New-SPTrustedSecurityTokenIssuer cmdlet, there is an -IsTrustBroker flag that you can include. Just use that and you will be good to go. Just another troubleshooting tip for that elusive "issuer of the token is not a trusted issuer" error. Actually, now that I think about it, I suppose you might even argue that this error fits this situation, in that the certificate that was used to sign the token is not trusted for that particular app. It's a little less than crystal clear though, and probably somewhat confusing compared to the reasons you get this same error with the SPTrustedSecurityTokenIssuer's big brother, the SPTrustedIdentityTokenIssuer.
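
The registration described above, written out as an added example (not code from the original post): it registers one certificate as a trust broker so it can sign tokens for more than one app. The certificate path, issuer name and generated issuer ID are placeholders chosen for illustration.

```powershell
# Added example. Run in the SharePoint Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholders (assumptions, not values from the post)
$certPath   = 'C:\Certs\HighTrustApps.cer'   # public key (.cer) of the signing certificate
$issuerName = 'HighTrustAppsBroker'          # display name for the issuer
$issuerId   = [guid]::NewGuid().ToString()   # the apps' token code must use this same issuer ID

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$realm = Get-SPAuthenticationRealm

# Stop if this certificate is already registered, for example as a
# single-app issuer created without -IsTrustBroker.
$existing = Get-SPTrustedSecurityTokenIssuer |
    Where-Object { $_.SigningCertificate.Thumbprint -eq $cert.Thumbprint }
if ($existing) {
    Write-Warning "Certificate $($cert.Thumbprint) is already registered as issuer '$($existing.Name)'."
    return
}

# Trust the certificate in the farm, then register it as a trust broker.
New-SPTrustedRootAuthority -Name $issuerName -Certificate $cert | Out-Null

New-SPTrustedSecurityTokenIssuer -Name $issuerName `
    -Certificate $cert `
    -RegisteredIssuerName "${issuerId}@${realm}" `
    -IsTrustBroker

Write-Host "Issuer ID to configure in each high trust app: $issuerId"
```

Because a trust broker's certificate can sign tokens for every app that uses it, its private key should be stored and access-controlled accordingly.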

Comments

  • Anonymous
    January 01, 2003
    thanks

  • Anonymous
    January 01, 2003
    Good Article.

  • Anonymous
    March 01, 2015
    Hey, I'm an app guy, I like doing dev, but honestly - I may go hoarse screaming at my computer if