I was working on a build of SharePoint that is post beta 2 today, and found that one of my custom high trust apps I had built would no longer work. In looking at the ULS logs I was getting the dreaded “The issuer of the token is not a trusted issuer” error message. I think this is the equivalent of “generic error” for the new app model, because I seem to run into it in multiple scenarios, none of which have been an actual certificate trust error yet. In any case, what I eventually determined is that there has been a change since beta 2 in how certificates are used for high trust apps. When you create a new SPTrustedSecurityTokenIssuer, you have to provide a certificate that is going to be used. How you configure that SPTrustedSecurityTokenIssuer, though, determines whether it can be used to sign OAuth tokens for a single application or for multiple applications. In order to use it with multiple applications (as identified by the App ID, which will become the “client ID” when SharePoint ships), the SPTrustedSecurityTokenIssuer has to be configured as a trust broker. If you don’t do this (which you didn’t have to do in beta 2), then your SPTrustedSecurityTokenIssuer only works with one app.
The solution fortunately is easy enough – when you use the New-SPTrustedSecurityTokenIssuer cmdlet, there is an -IsTrustBroker flag that you can include. Just use that and you will be good to go. Just another troubleshooting tip for that elusive “issuer of the token is not a trusted issuer” error. Actually, now that I think about it, I suppose you might even argue that this error fits this situation, in that the certificate that was used to sign the token is not trusted for that particular app. It’s a little less than crystal clear though, and probably somewhat confusing compared to the reasons you get this same error with the SPTrustedSecurityTokenIssuer’s big brother, the SPTrustedIdentityTokenIssuer.
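To make the two configurations concrete, here is an added PowerShell example (my own illustration, not code from the original post) showing a single-app issuer next to a trust broker issuer, plus a quick check of which one you actually have. The certificate path, the app ID GUID, the broker issuer GUID and the issuer names are all made-up placeholders; substitute your own values.

```powershell
# Added example: registering a high trust app certificate as a
# single-app issuer versus a trust broker.

# Placeholder values (assumed, not from the original post)
$publicCertPath = "C:\Certs\HighTrustApp.cer"   # public .cer of the signing certificate
$appId          = "11111111-1111-1111-1111-111111111111"   # client ID of ONE app
$brokerIssuerId = "22222222-2222-2222-2222-222222222222"   # separate issuer ID used by many apps

# Load the public certificate and the farm's authentication realm
$certificate = Get-PfxCertificate $publicCertPath
$realm       = Get-SPAuthenticationRealm

# Variant 1: issuer bound to a single app.
# RegisteredIssuerName is "<app ID>@<realm>", so tokens signed with this
# certificate are only trusted when they come from that one app ID.
New-SPTrustedSecurityTokenIssuer `
    -Name "HighTrustApp (single app)" `
    -Certificate $certificate `
    -RegisteredIssuerName "$appId@$realm"

# Variant 2: trust broker.
# RegisteredIssuerName is an issuer ID of its own (not an app ID) and
# -IsTrustBroker lets the same certificate sign tokens on behalf of
# multiple app IDs. This is the configuration the post is talking about.
New-SPTrustedSecurityTokenIssuer `
    -Name "HighTrustBroker" `
    -Certificate $certificate `
    -RegisteredIssuerName "$brokerIssuerId@$realm" `
    -IsTrustBroker

# Check: which issuers are registered and which of them are brokers.
# A missing IsTrustBroker on the issuer your apps share is the symptom
# behind the "issuer of the token is not a trusted issuer" error above.
Get-SPTrustedSecurityTokenIssuer |
    Select-Object Name, RegisteredIssuerName, IsTrustBroker

# If an existing issuer was created without the flag, it can be
# switched to a broker in place instead of being recreated.
Get-SPTrustedSecurityTokenIssuer -Identity "HighTrustBroker" |
    Set-SPTrustedSecurityTokenIssuer -IsTrustBroker
```

When an app is later registered with Register-SPAppPrincipal, its client ID must match the GUID in the token's issuer/NameId claims; with the single-app variant that GUID is the RegisteredIssuerName itself, while with the broker variant any app ID can be used as long as the token's issuer is the broker's ID. The original post only describes the broker flag; the in-place switch with Set-SPTrustedSecurityTokenIssuer is an extra step shown here for convenience.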