This post has been republished via RSS; it originally appeared at: SharePoint Support Blog articles.
Issue :
You configure Workflow Manager in your SharePoint 2019 farm after installing the April 2020 CU. The SharePoint 2013 workflows get stuck in the Started state with the error below:
Activity in progress
Retrying last request. Next attempt scheduled in less than one minute. Details of last request: HTTP to http://spwfe/sites/wflow/_api/web/lists(guid'2de4d558-bb27-4ce2-b324-6017708f0326') Correlation Id: Instance Id: 9ae4e9ed-17cb-4ff7-beed-246c11cd16b4
System.Net.WebException: The request was aborted: The request was canceled. ---> System.InvalidOperationException: None of the trusted issuers specified by the server's 401 challenge match the client's known issuer '00000005-0000-0000-c000-000000000000@7ae91871-1a30-47dd-b47e-5d988472a81e'. For reference, the following trusted issuers were returned by the server: 00000003-0000-0ff1-ce00-000000000000@7ae91871-1a30-47dd-b47e-5d988472a81e.
at Microsoft.Activities.Hosting.Security.OAuthS2SCredential.GetChallengeForKnownIssuer(OAuthS2SAuthenticationChallenge[] bearerChallenges, OAuthS2SPrincipal knownIssuer, OAuthS2SPrincipal& matchedIssuer)
at Microsoft.Activities.Hosting.Security.OAuthS2SSelfIssuedCredential.GetAuthorization(OAuthS2SAuthenticationChallenge[] bearerChallenges, HttpWebRequest request, EventTraceActivity eventTraceActivity)
at Microsoft.Activities.Hosting.Security.OAuthS2SAuthenticationModule.AuthenticateInternal(String challenge, WebRequest request, OAuthS2SCredential credential, EventTraceActivity eventTraceActivity)
at Microsoft.Activities.Hosting.Security.OAuthS2SAuthenticationModule.Authenticate(String challenge, WebRequest request, ICredentials credentials)
at System.Net.AuthenticationManagerDefault.Authenticate(String challenge, WebRequest request, ICredentials credentials)
at System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo)
at System.Net.HttpWebRequest.CheckResubmitForAuth()
at System.Net.HttpWebRequest.CheckResubmit(Exception& e, Boolean& disableUpload)
at System.Net.HttpWebRequest.DoSubmitRequestProcessing(Exception& exception)
at System.Net.HttpWebRequest.ProcessResponse()
at System.Net.HttpWebRequest.SetResponse(CoreResponseData coreResponseData)
--- End of inner exception stack trace ---
at Microsoft.Workflow.Common.AsyncResult.End[TAsyncResult](IAsyncResult result)
at Microsoft.Activities.Hosting.HostedHttpExtension.HttpRequestWorkItem.OnEndComplete(ScheduledWorkItemContext context, IAsyncResult result)
- After installing the April 2020 CU (KB 4484292 and KB 4484291), if you configure Workflow Manager with SharePoint and register the workflow service, the 2013 workflows get stuck in the Started state with the error above.
- The reason is that the SPTrustedSecurityTokenIssuer created when the workflow service is registered has an incorrect RegisteredIssuerName:
IsSelfIssuer : False
NameId :
RegisteredIssuerName : 00000005-0000-0000-c000-000000000000*
AuthorizationEndPointUri :
EndSessionEndPointUri :
TokenEndPointUri :
DefaultClientIdentifier :
ScopedClientIdentifier : {}
IdentityClaimTypeInformation : Microsoft.SharePoint.Administration.Claims.SPTrustedClaimTypeInformation
Description :
SigningCertificate : [Subject]
CN=WorkflowOutbound
[Issuer]
CN=WorkflowOutbound
[Serial Number]
53ABCFF2240DB3894CFA5607D577F712
[Not Before]
7/30/2018 11:29:37 AM
[Not After]
7/30/2023 11:39:36 AM
[Thumbprint]
48C56313310795AF1AAE0D6D8A1A6D671E26A032
AdditionalSigningCertificates : {}
MetadataEndPoint : http://server:12291/$System/$Metadata/json/1
IsAutomaticallyUpdated : True
Name : 00000005-0000-0000-c000-000000000000
TypeName : Microsoft.SharePoint.Administration.Claims.SPTrustedSecurityTokenService
DisplayName : 00000005-0000-0000-c000-000000000000
Id : 9854855e-cea8-457f-8293-e405d4055ffb
Status : Online
Parent : SPSecurityTokenServiceManager Name=SecurityTokenServiceManager
Version : 1094647
DeploymentLocked : False
Properties : {}
Farm : SPFarm Name=SharePoint_2019_Config
UpgradedPersistedProperties : {}
- The expected RegisteredIssuerName is 00000005-0000-0000-c000-000000000000@*. The issuer the client presents, '00000005-0000-0000-c000-000000000000@7ae91871-1a30-47dd-b47e-5d988472a81e', does not match the registered value "00000005-0000-0000-c000-000000000000*", because a RegisteredIssuerName without an "@" delimiter only matches when no delimited realm value is passed.
- We have seen this as a reproducible issue and the product team will be looking further into this
Workaround :
You need to remove the existing SPTrustedSecurityTokenIssuer and then register it again as shown below:
Remove-SPTrustedSecurityTokenIssuer -Identity 9854855e-cea8-457f-8293-e405d4055ffb
New-SPTrustedSecurityTokenIssuer -Name "00000005-0000-0000-c000-000000000000" -MetadataEndPoint 'http://server:12291/$System/$Metadata/json/1' -RegisteredIssuerName "00000005-0000-0000-c000-000000000000@*"
Note : The MetadataEndPoint can use either http or https: http://wfmuri:12291 or https://wfmuri:12290.
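The check-and-fix procedure above, written out as an added PowerShell example that is not from the original post: it models the name@realm comparison described in the reason section (an illustration of that description, not SharePoint's internal matching code) and uses it to decide whether the Workflow Manager issuer needs to be removed and re-registered. It assumes the SharePoint Management Shell on a SharePoint 2019 server run as a farm administrator; the metadata endpoint host wfmuri is a placeholder to replace with your own, and Get-SPTrustedSecurityTokenIssuer, Get-SPAuthenticationRealm, Remove-SPTrustedSecurityTokenIssuer and New-SPTrustedSecurityTokenIssuer are the standard SharePoint cmdlets.

```powershell
# Added example (not from the original post): detect a Workflow Manager
# SPTrustedSecurityTokenIssuer whose RegisteredIssuerName lacks the "@*" realm
# wildcard and recreate it as the workaround describes.
# Assumptions: SharePoint Management Shell on a SharePoint 2019 server, run as a
# farm administrator; $MetadataEndPoint is a placeholder for your Workflow Manager
# metadata URL (http on port 12291 or https on port 12290).

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WorkflowIssuerName = '00000005-0000-0000-c000-000000000000'            # Workflow Manager app id (from the post)
$MetadataEndPoint   = 'http://wfmuri:12291/$System/$Metadata/json/1'   # placeholder, adjust to your farm

# Models the comparison the post describes: the client presents "<appid>@<realm>",
# and a RegisteredIssuerName without an '@' delimiter only matches when no realm
# is passed, while "<appid>@*" accepts any realm. Illustration only, not
# SharePoint's own implementation.
function Test-RegisteredIssuerMatch {
    param(
        [Parameter(Mandatory)] [string] $RegisteredIssuerName,
        [Parameter(Mandatory)] [string] $ClientIssuer
    )
    $regParts    = $RegisteredIssuerName.Split('@', 2)
    $clientParts = $ClientIssuer.Split('@', 2)

    # Name part must agree; a trailing '*' on the registered name is treated as a prefix wildcard
    $regName = $regParts[0]
    $nameOk = if ($regName.EndsWith('*')) {
        $clientParts[0].StartsWith($regName.TrimEnd('*'))
    } else {
        $clientParts[0] -eq $regName
    }
    if (-not $nameOk) { return $false }

    # Realm part: absent on both sides -> match; present on only one side -> no match;
    # '*' on the registered side accepts any client realm.
    if ($regParts.Count -eq 1 -and $clientParts.Count -eq 1) { return $true }
    if ($regParts.Count -ne $clientParts.Count) { return $false }
    return ($regParts[1] -eq '*') -or ($regParts[1] -eq $clientParts[1])
}

# Locate the issuer that registering the workflow service created
$issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $WorkflowIssuerName }
if (-not $issuer) {
    throw "No SPTrustedSecurityTokenIssuer named $WorkflowIssuerName found; register the workflow service first."
}

# The client-side issuer in the error is "<appid>@<farm realm>"; build it from this farm's realm
$realm        = Get-SPAuthenticationRealm
$clientIssuer = "$WorkflowIssuerName@$realm"

if (Test-RegisteredIssuerMatch -RegisteredIssuerName $issuer.RegisteredIssuerName -ClientIssuer $clientIssuer) {
    Write-Host "RegisteredIssuerName '$($issuer.RegisteredIssuerName)' already matches '$clientIssuer'; nothing to do."
    return
}

Write-Warning "RegisteredIssuerName '$($issuer.RegisteredIssuerName)' does not match '$clientIssuer'; recreating issuer $($issuer.Id)."

# Reuse the metadata endpoint already on the issuer when present, else fall back to the placeholder
if ($issuer.MetadataEndPoint) { $MetadataEndPoint = $issuer.MetadataEndPoint.ToString() }

Remove-SPTrustedSecurityTokenIssuer -Identity $issuer.Id -Confirm:$false
New-SPTrustedSecurityTokenIssuer -Name $WorkflowIssuerName `
    -MetadataEndPoint $MetadataEndPoint `
    -RegisteredIssuerName "$WorkflowIssuerName@*"

# Verify the recreated issuer now carries the "@*" realm wildcard
Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $WorkflowIssuerName } |
    Select-Object Name, RegisteredIssuerName, MetadataEndPoint, IsAutomaticallyUpdated
```

Run it once after the CU and service registration; it is idempotent, so a second run reports that the issuer already matches and makes no change. Because removing the issuer briefly breaks the trust between Workflow Manager and SharePoint, run it in a maintenance window and confirm afterwards that a stuck workflow instance resumes past the Started state.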