SharePoint 2019 – Issue with SharePoint 2013 workflows post April 2020 CU

This post has been republished via RSS; it originally appeared at: SharePoint Support Blog articles.

Issue :

You configure Workflow Manager in your SharePoint 2019 Farm, post April 2020 CU, You can see that the 2013 workflows gets stuck started state, with the below error

 

Activity in progress

Retrying last request. Next attempt scheduled in less than one minute. Details of last request: HTTP to http://spwfe/sites/wflow/_api/web/lists(guid'2de4d558-bb27-4ce2-b324-6017708f0326') Correlation Id: Instance Id: 9ae4e9ed-17cb-4ff7-beed-246c11cd16b4

System.Net.WebException: The request was aborted: The request was canceled. ---> System.InvalidOperationException: None of the trusted issuers specified by the server's 401 challenge match the client's known issuer '00000005-0000-0000-c000-000000000000@7ae91871-1a30-47dd-b47e-5d988472a81e'. For reference, the following trusted issuers were returned by the server: 00000003-0000-0ff1-ce00-000000000000@7ae91871-1a30-47dd-b47e-5d988472a81e.
at Microsoft.Activities.Hosting.Security.OAuthS2SCredential.GetChallengeForKnownIssuer(OAuthS2SAuthenticationChallenge[] bearerChallenges, OAuthS2SPrincipal knownIssuer, OAuthS2SPrincipal& matchedIssuer)
at Microsoft.Activities.Hosting.Security.OAuthS2SSelfIssuedCredential.GetAuthorization(OAuthS2SAuthenticationChallenge[] bearerChallenges, HttpWebRequest request, EventTraceActivity eventTraceActivity)
at Microsoft.Activities.Hosting.Security.OAuthS2SAuthenticationModule.AuthenticateInternal(String challenge, WebRequest request, OAuthS2SCredential credential, EventTraceActivity eventTraceActivity)
at Microsoft.Activities.Hosting.Security.OAuthS2SAuthenticationModule.Authenticate(String challenge, WebRequest request, ICredentials credentials)
at System.Net.AuthenticationManagerDefault.Authenticate(String challenge, WebRequest request, ICredentials credentials)
at System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo)
at System.Net.HttpWebRequest.CheckResubmitForAuth()
at System.Net.HttpWebRequest.CheckResubmit(Exception& e, Boolean& disableUpload)
at System.Net.HttpWebRequest.DoSubmitRequestProcessing(Exception& exception)
at System.Net.HttpWebRequest.ProcessResponse()
at System.Net.HttpWebRequest.SetResponse(CoreResponseData coreResponseData)
--- End of inner exception stack trace ---
at Microsoft.Workflow.Common.AsyncResult.End[TAsyncResult](IAsyncResult result)
at Microsoft.Activities.Hosting.HostedHttpExtension.HttpRequestWorkItem.OnEndComplete(ScheduledWorkItemContext context, IAsyncResult result)

 

 

 

- Post installing the April 2020 CU KB 4484292 and KB 4484291, If you configure workflow manager with SharePoint and register the service. You can see that the 2013 workflows would get stuck in Started state with the above error

 

- Reason behind, the SPTrustedSecurityTokenIssuer which gets created when we Register the workflow service, has the RegisteredIssuerName incorrect

 

IsSelfIssuer : False

NameId :

RegisteredIssuerName : 00000005-0000-0000-c000-000000000000*

AuthorizationEndPointUri :

EndSessionEndPointUri :

TokenEndPointUri :

DefaultClientIdentifier :

ScopedClientIdentifier : {}

IdentityClaimTypeInformation : Microsoft.SharePoint.Administration.Claims.SPTrustedClaimTypeInformation

Description :

SigningCertificate : [Subject]

CN=WorkflowOutbound

 

[Issuer]

CN=WorkflowOutbound

 

[Serial Number]

53ABCFF2240DB3894CFA5607D577F712

 

[Not Before]

7/30/2018 11:29:37 AM

 

[Not After]

7/30/2023 11:39:36 AM

 

[Thumbprint]

48C56313310795AF1AAE0D6D8A1A6D671E26A032

 

AdditionalSigningCertificates : {}

MetadataEndPoint : http://server:12291/$System/$Metadata/json/1

IsAutomaticallyUpdated : True

Name : 00000005-0000-0000-c000-000000000000

TypeName : Microsoft.SharePoint.Administration.Claims.SPTrustedSecurityTokenService

DisplayName : 00000005-0000-0000-c000-000000000000

Id : 9854855e-cea8-457f-8293-e405d4055ffb

Status : Online

Parent : SPSecurityTokenServiceManager Name=SecurityTokenServiceManager

Version : 1094647

DeploymentLocked : False

Properties : {}

Farm : SPFarm Name=SharePoint_2019_Config

UpgradedPersistedProperties : {}

 

- The expected RegisteredIssuerName should be 00000005-0000-0000-c000-000000000000@*  since ,  '00000005-0000-0000-c000-000000000000@7ae91871-1a30-47dd-b47e-5d988472a81e'  and

00000005-0000-0000-c000-000000000000* , Are not a match because the Registeredissuer "00000005-0000-0000-c000-000000000000*" would only match if no delimited value were passed.

 

- We have seen this as a reproducible issue and the product team will be looking further into this 

 

Workaround :

 

You need to remove the existing SPTrustedSecurityTokenIssuer and the register it as below 

 

Remove-SPTrustedSecurityTokenIssuer -Identity 9854855e-cea8-457f-8293-e405d4055ffb

 

New-SPTrustedSecurityTokenIssuer -Name "00000005-0000-0000-c000-000000000000" -MetadataEndPoint 'http://server:12291/$System/$Metadata/json/1' -RegisteredIssuerName "00000005-0000-0000-c000-000000000000@*"

 

Note : You can use either the http or https for metadataendpoint http://wfmuri:12291 or https://wfmuri:12290 

REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

This site uses Akismet to reduce spam. Learn how your comment data is processed.