There are a lot of articles related to this error message, typically seen when trying to run an on-premise SharePoint provider-hosted add-in in a high trust configuration. I know because I read all of them.
For me, there was no (visible) evidence that the IssuerId in my web.config was different than the RegisteredIssuerName value of my Trusted Security Token Issuer entry. I checked and rechecked it dozens of times.
Finally I put some tracing in the code to see what was actually being sent to SharePoint. The creation of the authentication token is in the TokenHelper.cs class in the IssueToken method (about line 778). Line 796 is where it gets the issuer id value.
Here’s the screenshot of our trace log file reporting out the value being read from the web.config. Notice anything unusual?
There are some warnings related to cutting-and-pasting the Certificate Serial number picking up hidden characters – but somehow our entry in the web.config for the IssuerId also got a hidden character inserted in. The “??” is passed along as part of the issuer ID value and causes the mismatch.
I manually retyped the line in the web.config, saved, and reran the app. This time it came through clean with no errors simply because the values exactly matched.
By all appearances the values were the same, but the hidden character caused them to be different.
Add this to your checklist of things to review if you hit this error – hopefully it won’t take you several days like it took me and my team.
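A quick way to run this check without adding tracing to TokenHelper.cs, as an added example that is not part of the original post: the PowerShell below reads the IssuerId from a web.config, compares it ordinally against the expected value, and lists every character that is not plain printable ASCII. The sample web.config, the placeholder GUIDs, the U+200E stand-in for the hidden character, and the helper name `Find-HiddenChar` are all constructed for illustration.

```powershell
# Hypothetical helper: report every character outside printable ASCII
# (0x21-0x7E), so whitespace and invisible Unicode characters are both flagged.
function Find-HiddenChar {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    for ($i = 0; $i -lt $Value.Length; $i++) {
        $code = [int]$Value[$i]
        if ($code -lt 0x21 -or $code -gt 0x7E) {
            [pscustomobject]@{
                Index     = $i
                CodePoint = 'U+{0:X4}' -f $code
                Category  = [char]::GetUnicodeCategory($Value[$i])
            }
        }
    }
}

# Constructed sample: the IssuerId value starts with an invisible U+200E.
# For a real site use: $webConfig = [xml](Get-Content -Raw 'path\to\web.config')
$hidden = [char]0x200E
$webConfig = [xml]@"
<configuration>
  <appSettings>
    <add key="ClientId" value="00000000-0000-0000-0000-000000000001" />
    <add key="IssuerId" value="${hidden}11111111-1111-1111-1111-111111111111" />
  </appSettings>
</configuration>
"@

$issuerId = ($webConfig.configuration.appSettings.add |
    Where-Object { $_.key -eq 'IssuerId' }).value

# Constructed value standing in for the issuer id you registered in SharePoint.
$expected = '11111111-1111-1111-1111-111111111111'

# Ordinal comparison looks at raw UTF-16 code units, so nothing is ignored.
$match = [string]::Equals($issuerId, $expected, [StringComparison]::Ordinal)
"Length in web.config: $($issuerId.Length), expected: $($expected.Length), ordinal match: $match"

# Lists Index 0, U+200E, Format for the sample above; no rows means the value is clean.
Find-HiddenChar -Value $issuerId | Format-Table -AutoSize
```

A length that is one or two characters longer than what you see on screen is the quickest tell that a pasted value picked up something invisible.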