The issuer of the token is not a trusted issuer. [Beware of hidden characters]

There are a lot of articles related to this error message, typically seen when trying to run an on-premise SharePoint provider-hosted add-in in a high trust configuration.  I know because I read all of them.

For me, there was no (visible) evidence that the IssuerId in my web.config was different than the RegisteredIssuerName value of my Trusted Security Token Issuer entry.  I checked and rechecked it dozens of times.

Finally I put some tracing in the code to see what was actually being sent to SharePoint.  The creation of the authentication token is in the TokenHelper.cs class in the IssueToken method (about line 778).  Line 796 is where it gets the issuer id value.

[Image: token-helper-code]

Here’s the screenshot of our trace log file reporting out the value being read from the web.config.  Notice anything unusual?

[Image: issuerid-hidden-character]

There are some warnings related to cutting-and-pasting the Certificate Serial number picking up hidden characters – but somehow our entry in the web.config for the IssuerId also got a hidden character inserted in.  The “??” is passed along as part of the issuer ID value and causes the mismatch.

I manually retyped the line in the web.config, saved, and reran the app.  This time it came through clean with no errors simply because the values exactly matched.

By all appearances the values were the same, but the hidden character caused them to be different.

Add this to your checklist of things to review if you hit this error – hopefully it won’t take you several days like it took me and my team.
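
A check along these lines makes the stray character visible without relying on what an editor displays. This is an added example, not code from TokenHelper.cs or the original post: it reads the IssuerId from a web.config, lists every character an editor would not show, and reports whether the configured value differs from the expected one only by such characters. The GUID, the sample config and the function names are constructed for illustration.

```python
import unicodedata
import xml.etree.ElementTree as ET

PLACEHOLDER_ID = "11111111-2222-3333-4444-555555555555"  # constructed, not a real issuer

# Constructed web.config fragment: IssuerId starts with an invisible U+200E.
SAMPLE_WEB_CONFIG = (
    "<configuration><appSettings>"
    f'<add key="ClientId" value="{PLACEHOLDER_ID}" />'
    f'<add key="IssuerId" value="\u200e{PLACEHOLDER_ID}" />'
    "</appSettings></configuration>"
)


def hidden_chars(value):
    """List (offset, code point, Unicode name) for anything an editor may not show."""
    hits = []
    for i, ch in enumerate(value):
        printable_ascii = 0x20 <= ord(ch) <= 0x7E
        edge_space = ch == " " and i in (0, len(value) - 1)
        if not printable_ascii or edge_space:
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return hits


def visible(value):
    """The value with every flagged character (and edge whitespace) removed."""
    flagged = {i for i, _, _ in hidden_chars(value)}
    return "".join(ch for i, ch in enumerate(value) if i not in flagged).strip()


def audit_app_settings(config_xml, keys=("IssuerId",)):
    """Map each requested appSettings key to the hidden characters in its value."""
    root = ET.fromstring(config_xml)
    return {
        add.get("key"): hidden_chars(add.get("value", ""))
        for add in root.iterfind("./appSettings/add")
        if add.get("key") in keys
    }


def classify(configured, registered):
    """Exact match, a difference made only of hidden characters, or a real difference."""
    if configured == registered:
        return "match"
    if visible(configured) == visible(registered):
        return "hidden-characters"
    return "different"
```

To audit a real file, pass its contents to audit_app_settings and compare the IssuerId it contains with the issuer ID you registered in SharePoint.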


About the author


Derek Smith is a software developer with 20 years of history developing on the Microsoft platform. He is the founder of HomeSpot HQ, and is the Director for Microsoft SharePoint Professional Services at rmsource, inc. in Raleigh, NC.
