I recently changed the token signing certificate in my farm again, because the one I put in place the first time around had expired, and a custom token signing certificate is required to set up the trust with ACS in SharePoint Online for low trust apps and SharePoint hybrid features. Assume the longer the sentence the more unhappy I am about having to do it… 🙂
Well, of course as luck would have it, once I finished all that up, all of my low trust and high trust apps broke. I expected my high trust apps to break, since I’ve blogged about this before. I wasn’t really expecting the full breakdown of my low trust apps as well, even though I’ve also had to blog about that scenario before: https://samlman.wordpress.com/2015/03/02/updating-trust-between-onprem-farms-and-acs-for-apps-when-your-sharepoint-sts-token-signing-certificate-expires/.
Unfortunately, even using the tips in the previous blog post above did not fully solve my problems. Amazingly, I was getting 401 Unauthorized errors in my low trust apps, which I traced back to a “certificate is not from a trusted root authority” error in the ULS logs. This is one of my favorite errors with the app model (ridiculously heavy sarcasm here), since they are so routinely generic and difficult to resolve. Not only that, but the error is a little looney tunes in this scenario if you ask me. What certificate is not trusted, and by whom? Does my local SharePoint farm not trust its own SharePoint STS token signing cert? That seems rather impossible. Does it not trust the Microsoft SharePoint Online ACS certificate? Equally illogical. Does SharePoint Online ACS not trust my local farm’s STS token signing cert? Seems like the only possible scenario. Without going through a bunch of boring PowerShell, I will just say that I ran New-MsolServicePrincipalCredential (for a second and then a third time) to register the new certificate with ACS, without success.
Finally, I just ran the Connect-SPFarmToAAD cmdlet again, but this time with every possible “Remove*” option it offers: -RemoveExistingACS -RemoveExistingSTS -RemoveExistingSPOProxy -RemoveExistingAADCredentials. After doing that and trying my low trust application again, it started working. Yay. Yet another Apps for SharePoint tip to keep handy.
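The question the post circles around (does ACS still hold the old STS signing certificate rather than the new one?) can be answered directly instead of guessed at, and the same check confirms the fix once Connect-SPFarmToAAD has been re-run with the Remove options. The script below is an added example, not code from the original post. It assumes a SharePoint Management Shell on a farm server, the MSOnline module already connected with Connect-MsolService, that the current STS signing certificate is exposed at (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate, and that the asymmetric credentials registered on the well-known SharePoint Online service principal (00000003-0000-0ff1-ce00-000000000000) are the certificates ACS will accept tokens from.

```powershell
# Added example: compare the farm's current STS token signing certificate with the
# asymmetric credentials registered on the SharePoint Online service principal.
# Assumes SharePoint Management Shell on a farm server and an existing Connect-MsolService session.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline

# Well-known application id of the SharePoint Online service principal in Azure AD.
$spoPrincipalId = '00000003-0000-0ff1-ce00-000000000000'

# The certificate the local farm signs tokens with (the one that was just replaced).
$localCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
Write-Host ("Local STS signing cert: thumbprint {0}, expires {1}" -f $localCert.Thumbprint, $localCert.NotAfter)

# Every key ACS knows for the SharePoint principal, with the key material returned.
# Type 'Asymmetric' entries are the public certificates uploaded via New-MsolServicePrincipalCredential.
$remoteCreds = Get-MsolServicePrincipalCredential -AppPrincipalId $spoPrincipalId -ReturnKeyValues $true |
    Where-Object { $_.Type -eq 'Asymmetric' }

$match = $false
foreach ($cred in $remoteCreds) {
    # Value is the base64 DER encoding of the certificate; decode it to compare thumbprints.
    $bytes = [Convert]::FromBase64String($cred.Value)
    $remoteCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,$bytes)
    $status = if ($remoteCert.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
    Write-Host ("ACS KeyId {0}: thumbprint {1}, {2} until {3}" -f $cred.KeyId, $remoteCert.Thumbprint, $status, $remoteCert.NotAfter)
    if ($remoteCert.Thumbprint -eq $localCert.Thumbprint) { $match = $true }
}

if ($match) {
    Write-Host 'ACS has the current STS signing certificate registered; token signatures from this farm should validate.'
} else {
    Write-Warning 'ACS does not have the current STS signing certificate. Expect "certificate is not from a trusted root authority" in ULS and 401s from low trust apps until the trust is re-established.'
}
```

Run it before and after re-running Connect-SPFarmToAAD with the -Remove* options: before the fix you would expect to see only the expired or previous thumbprint on the ACS side, and afterwards the local thumbprint should appear among the registered credentials. Stale expired entries that linger on the principal are worth removing with Remove-MsolServicePrincipalCredential by KeyId so the next rotation is easier to reason about.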