SharePoint 2013 Workflow: Token contains invalid signature

I’ve run into this “Token contains invalid signature” issue with SharePoint and Project Server 2013 workflows a couple of times. It is also referred to in the logs as “Invalid JWT token”, and the error shows “invalid client” too.

The symptom is that the workflow starts but then shows as cancelled. Hitting the additional workflow information page for Project Server workflows and the information icon will give the error at the foot of this posting (for search engine consumption…). The forums tend to say to just wait a day and it goes away, but no one that I could find knew what the overnight change was.

Well, today wasn’t a day I wanted to wait, so I had a look around for which daily timer jobs might help things work. I tried a few service restarts first, but finally found the “Refresh Trusted Security Token Services Metadata feed” timer job, clicked the Run Now button, then tried another workflow and all was good!

Refresh Trusted Security Token Services Metadata feed

I hope this helps someone – and I’d also like validation if this does work for you as I am not 100% sure it was what fixed my issue.  With these things that can just start working again it could have been something else.  Change in the wind perhaps? 

*** Update 1/14/2014 – Thanks to Hans Bellen of UMT for validating that this is the timer job – and he also had some other guidance:

– Make sure you run the WF as a non-system account

– If this is a new farm, run the following timer jobs in SharePoint

1. Workflow Auto Cleanup
2. Notification Timer Job c02c63c2-12d8-4ec0-b678-f05c7e00570e
3. Hold Processing and Reporting
4. Bulk workflow task processing
5. Refresh Trusted Security Token Services Metadata feed [Farm job – Daily]

*** End Update
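
The Run Now step for the metadata feed job can also be done from the SharePoint 2013 Management Shell. This is an added example, not from the original post: it finds the job by the display name given above, and the five-minute timeout and the issuer listing at the end are assumptions added for illustration.

```powershell
# Added example (not from the original post). Run in the SharePoint 2013
# Management Shell on a farm server, as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Display name as shown in Central Administration (taken from the post).
$displayName = 'Refresh Trusted Security Token Services Metadata feed'

function Get-MetadataFeedJob {
    Get-SPTimerJob |
        Where-Object { $_.DisplayName -eq $displayName } |
        Select-Object -First 1
}

$job = Get-MetadataFeedJob
if (-not $job) {
    throw "Timer job '$displayName' was not found on this farm."
}

$before = $job.LastRunTime
Write-Host "Last run: $before. Queuing the job now."
Start-SPTimerJob -Identity $job

# Start-SPTimerJob only queues the job, so poll until LastRunTime advances.
$deadline = (Get-Date).AddMinutes(5)   # assumed timeout, adjust as needed
do {
    Start-Sleep -Seconds 5
    $job = Get-MetadataFeedJob
} while ($job.LastRunTime -le $before -and (Get-Date) -lt $deadline)

if ($job.LastRunTime -gt $before) {
    Write-Host "Job completed at $($job.LastRunTime). Retry the workflow."
} else {
    Write-Warning "Job has not reported a new run yet; check the timer service."
}

# Show the trusted token issuers whose metadata this job refreshes, so the
# issuer named in the WWW-Authenticate header can be matched against them.
Get-SPTrustedSecurityTokenIssuer |
    Format-List Name, RegisteredIssuerName, MetadataEndPoint
```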

Here is the full error information:

RequestorId: ab0ccadd-86a9-592e-40cb-22e59fbbf08d. Details: System.ApplicationException: HTTP 401 {"x-ms-diagnostics":["3000006;reason="Token contains invalid signature.";category="invalid_client""],"SPRequestGuid":["b70e7628-6c00-49b5-a06a-db91bcf2c0ec"],"request-id":["b70e7628-6c00-49b5-a06a-db91bcf2c0ec"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"SPRequestDuration":["114"],"SPIisLatency":["1"],"Server":["Microsoft-IIS/8.0"],"WWW-Authenticate":["Bearer realm="5418e74f-0449-4a4c-a1be-ba58377ac362",client_id="00000003-0000-0ff1-ce00-000000000000",trusted_issuers="00000005-0000-0000-c000-000000000000@*,00000003-0000-0ff1-ce00-000000000000@5418e74f-0449-4a4c-a1be-ba58377ac362"","NTLM"],"X-Powered-By":["ASP.NET"],"MicrosoftSharePointTeamServices":["15.0.0.4535"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1; RequireReadOnly"],"Date":["Mon, 13 Jan 2014 22:15:08 GMT"]} at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager bookmarkManager, Location resultLocation)

and the ULS logs will say something like:

01/13/2014 14:15:09.25    w3wp.exe (0x2FB8)    0x1E88    SharePoint Foundation    Application Authentication    ajez0    High    SPApplicationAuthenticationModule: Invalid token or signature. Exception: System.IdentityModel.Tokens.SecurityTokenException: Invalid JWT token. Could not resolve issuer token.     at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken)     at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadActor(IDictionary`2 payload)     at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken)     at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.TryExtractAndValidateToken(HttpContext httpContext, SPIncomingTokenContext& tokenContext)    529744b4-b81b-4728-b2f7-ddaebb0e6e1e

01/13/2014 14:15:09.27    w3wp.exe (0x2FB8)    0x1E88    SharePoint Foundation    Application Authentication    ajezq    High    SPApplicationAuthenticationModule: Error authenticating request, Error details: Header: 3000006;reason="Token contains invalid signature.";category="invalid_client", Body: {"error_description":"Invalid JWT token. Could not resolve issuer token."}    529744b4-b81b-4728-b2f7-ddaebb0e6e1e

01/13/2014 14:15:09.27    w3wp.exe (0x2FB8)    0x1E88    SharePoint Foundation    General    8nca    Medium    Application error when access /PWA/_vti_bin/client.svc, Error=Invalid JWT token. Could not resolve issuer token.   at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken)     at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadActor(IDictionary`2 payload)     at Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken)     at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.TryExtractAndValidateToken(HttpContext httpContext, SPIncomingTokenContext& tokenContext)    529744b4-b81b-4728-b2f7-ddaebb0e6e1e