Category: Workflows

Problem with 2013 Workflow Instance getting suspended with “There has been an error authenticating the request” message

From time to time we have issues with SharePoint 2013 Workflows going into the Suspended state with the following error:

RequestorId: 647a2bdb-7a39-cb3c-0000-000000000000. Details: An unhandled exception occurred during the execution of the workflow instance. Exception details: System.ApplicationException: HTTP 401
{"error_description":"The server was unable to process the request due to an internal error.  For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the  configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs."}
{"x-ms-diagnostics":["3001000;reason=\"There has been an error authenticating the request.\";category=\"invalid_client\""],"SPRequestGuid":["647a2bdb-7a39-cb3c-8ffa-98b63f3bf3a3"],"request-id":["647a2bdb-7a39-cb3c-8ffa-98b63f3bf3a3"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"SPRequestDuration":["11"],"SPIisLatency":["0"],"Server":["Microsoft-IIS\/7.5"],"WWW-Authenticate":["Bearer realm=\"043a66d5-9a15-4b10-aa86-217119f4b03a\",client_id=\"00000003-0000-0ff1-ce00-000000000000\",trusted_issuers=\"00000005-0000-0000-c000-000000000000@*,00000003-0000-0ff1-ce00-000000000000@043a66d5-9a15-4b10-aa86-217119f4b03a\"","Negotiate","NTLM"],"X-Powered-By":["ASP.NET"],"MicrosoftSharePointTeamServices":["15.0.0.4771"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1; RequireReadOnly"],"Date":["Mon, 24 Oct 2016 16:20:33 GMT"]}
   at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context)
   at System.Activities.CodeActivity.InternalExecute(ActivityInstance instance, ActivityExecutor executor, BookmarkManager bookmarkManager)
   at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager bookmarkManager, Location resultLocation)

We also see the following error in the event log on Workflow Manager servers:

Log Name:      Application
Source:        Microsoft-SharePoint Products-SharePoint Foundation
Date:          10/24/2016 6:09:00 PM
Event ID:      8306
Task Category: Claims Authentication
Level:         Error
Description:   An exception occurred when trying to issue security token: ID3242: The security token could not be authenticated or authorized..

For some reason the Security Token Service Application stops issuing tokens, or the token expires.

Workaround 1:
Recycle the SecurityTokenServiceApplicationPool application pool in IIS, then terminate and resubmit all Suspended workflows. This solves the immediate problem. To find all 2013 Workflow instances in Suspended status, see the blog post “SharePoint 2013 – List of 2013 Workflow Instances (Suspended, Canceled)”.
Workaround 2:
While it is not a permanent solution, it is a more systematic workaround. It seems that the Claims provider breaks when, for some reason or other, the App Pool “SecurityTokenServiceApplicationPool” account logs off unexpectedly. The solution, as suggested in the blog post “A COM+ application may stop working on Windows Server 2008 when the identity user logs off”, is to modify the Local Group Policy setting ‘Do not forcefully unload the user registry at user logoff’ so that Windows does not forcefully unload the user registry and instead waits until no other processes are using it before unloading it.

“The policy can be found in the group policy editor (gpedit.msc)
Computer Configuration->Administrative Templates->System-> UserProfiles
Do not forcefully unload the user registry at user logoff

Change the setting from “Not Configured” to “Enabled”, which disables the new User Profile Service feature.

‘DisableForceUnload’ is the value added to the registry

Note: the issue happens on Vista, Windows 7 and Windows 2008 R2.”
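
To confirm that Workaround 2 is in effect on a server and to see whether the symptom is still occurring, the check below can be run locally on each farm server. It is an added example, not code from the original post; the registry key that holds DisableForceUnload, User Profile Service event ID 1530, the 7-day window and the function name are assumptions that do not appear in the post.

```powershell
# Added example (not from the original post): check Workaround 2 and its symptoms.
# Assumptions: the policy registry key, User Profile Service event 1530, 7-day window.
function Get-StsLogoffHealth {
    param([int]$Days = 7)

    # 'Do not forcefully unload the user registry at user logoff' writes this value
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $policy = Get-ItemProperty -Path $policyKey -Name 'DisableForceUnload' -ErrorAction SilentlyContinue
    $since = (Get-Date).AddDays(-$Days)

    # Event 8306: the token-issuing failure shown in the post
    $stsErrors = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Application'; Id = 8306; StartTime = $since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -eq 'Microsoft-SharePoint Products-SharePoint Foundation' })

    # Event 1530: a user registry hive was still in use when the profile was unloaded
    $unloads = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Application'; Id = 1530; StartTime = $since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*User Profile*' })

    [pscustomobject]@{
        Server               = $env:COMPUTERNAME
        DisableForceUnload   = [bool]($policy -and $policy.DisableForceUnload -eq 1)
        StsTokenErrors       = $stsErrors.Count
        LastStsTokenError    = if ($stsErrors.Count) { $stsErrors[0].TimeCreated } else { $null }
        RegistryUnloadEvents = $unloads.Count
    }
}

Get-StsLogoffHealth -Days 7 | Format-List
```

A server that reports DisableForceUnload as False while still logging 8306 errors is a candidate for the policy change; token errors that continue after the policy is enabled point to a different cause.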

That was another page in the Chronicles of SharePoint Bits, happy scripting!

How to find out the version of Workflow Manager components

For a Workflow Manager farm to function correctly, all servers in the farm need to have the same version of the DLLs installed. The script below shows the versions of Workflow Manager, Microsoft® Service Bus, Windows Fabric, and Workflow Manager Client installed on the server. It checks for both Service Bus version 1.0 and 1.1.

####################################################################################################
#
#  Author.......: David Shvartsman
#  Date.........: 10/14/2016
#  Description..: Workflow Manager components versions
#
#################################################################################################### 

$VersionInfo = @() 
if (Test-Path "C:\Program Files\Workflow Manager\1.0\Workflow\Artifacts\Microsoft.Workflow.Service.dll") {
    $VersionInfo += (Get-ChildItem -Path "C:\Program Files\Workflow Manager\1.0\Workflow\Artifacts\Microsoft.Workflow.Service.dll").VersionInfo 
}
if (Test-Path "C:\Program Files\Service Bus\1.1\Microsoft.ServiceBus.dll") {
    $VersionInfo += (Get-ChildItem -Path "C:\Program Files\Service Bus\1.1\Microsoft.ServiceBus.dll").VersionInfo
} elseif (Test-Path "C:\Program Files\Service Bus\1.0\Microsoft.ServiceBus.dll") {
    $VersionInfo += (Get-ChildItem -Path "C:\Program Files\Service Bus\1.0\Microsoft.ServiceBus.dll").VersionInfo
} 
if (Test-path "C:\Program Files\Windows Fabric\bin\FabricHost.exe") {
    $VersionInfo += (Get-ChildItem -Path "C:\Program Files\Windows Fabric\bin\FabricHost.exe").VersionInfo 
}
if (Test-path "C:\Program Files\Reference Assemblies\Microsoft\Workflow Manager\1.0\Microsoft.Workflow.Client.dll") {
    $VersionInfo += (Get-ChildItem -Path "C:\Program Files\Reference Assemblies\Microsoft\Workflow Manager\1.0\Microsoft.Workflow.Client.dll").VersionInfo
}
CLS 
$VersionInfo | FT FileDescription, ProductName, ProductVersion
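
Because the requirement is that every server in the farm matches, the same check can be run against all servers at once and the results compared. This is an added example, not the author's script; the server names are placeholders and it assumes PowerShell remoting is enabled between the servers.

```powershell
# Added example: compare Workflow Manager component versions across farm servers.
# Assumptions: placeholder server names; PowerShell remoting is enabled.
$servers = 'WFM01', 'WFM02', 'WFM03'   # hypothetical server names

# Same files as the single-server script; Service Bus 1.1 is listed before 1.0
$paths = @(
    'C:\Program Files\Workflow Manager\1.0\Workflow\Artifacts\Microsoft.Workflow.Service.dll',
    'C:\Program Files\Service Bus\1.1\Microsoft.ServiceBus.dll',
    'C:\Program Files\Service Bus\1.0\Microsoft.ServiceBus.dll',
    'C:\Program Files\Windows Fabric\bin\FabricHost.exe',
    'C:\Program Files\Reference Assemblies\Microsoft\Workflow Manager\1.0\Microsoft.Workflow.Client.dll'
)

$inventory = Invoke-Command -ComputerName $servers -ArgumentList (,$paths) -ScriptBlock {
    param($paths)
    $seen = @{}
    foreach ($p in $paths) {
        $leaf = Split-Path $p -Leaf
        # Report each component once per server (first existing path wins)
        if (-not $seen[$leaf] -and (Test-Path $p)) {
            $seen[$leaf] = $true
            New-Object PSObject -Property @{
                File           = $leaf
                ProductVersion = (Get-Item $p).VersionInfo.ProductVersion
            }
        }
    }
}

# A component is consistent only if every server has it at one and the same version
$report = $inventory | Group-Object File | ForEach-Object {
    $versions = @($_.Group | Select-Object -ExpandProperty ProductVersion -Unique)
    $present  = @($_.Group | Select-Object -ExpandProperty PSComputerName -Unique)
    [pscustomobject]@{
        Component  = $_.Name
        Versions   = $versions -join ', '
        MissingOn  = @($servers | Where-Object { $present -notcontains $_ }) -join ', '
        Consistent = ($versions.Count -eq 1) -and ($present.Count -eq $servers.Count)
    }
}
$report | Format-Table -AutoSize
```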


If you removed Workflow Manager, make sure all the underlying directories are gone as well. The uninstaller is infamous for leaving them behind, and the subsequent reinstall will fail.


SharePoint 2013 – List of 2013 Workflow instances (Suspended, Canceled)

Here is a small script that generates a list of 2013 Workflow instances that have not completed successfully. It builds on the list of 2013 workflows generated by the script in “SharePoint 2013 – List of 2013 Workflows”.

####################################################################################################
#
#  Author.......: David Shvartsman
#  Date.........: 09/28/2016
#  Description..: List of 2013 Workflow instances (Suspended, Canceled)
#
####################################################################################################
if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null) {
  Add-PSSnapin "Microsoft.SharePoint.PowerShell"
}
CLS
$inputFile = "D:\temp\Workflows2013.csv"
$outputFile = "D:\temp\Workflows2013Status.csv"
$wfResults = Import-CSV $inputFile
$wfStatusResults = @()
CLS
ForEach ($item in $wfResults) {
    $spweb = Get-SPWeb $item.URL
    $list = $spweb.Lists[$item.ListName]
    #-- Getting a Workflow manager object to work with.
    $wfm = New-object Microsoft.SharePoint.WorkflowServices.WorkflowServicesManager($spweb)
    #-- Getting the subscriptions
    $sub = $wfm.GetWorkflowSubscriptionService()
    #-- Getting the specific workflow within the list of subscriptions on the specific list. (SP2010 associated workflows basically)
    $WF = $sub.EnumerateSubscriptionsByList($list.ID)
    #-- Getting a Workflow instance in order to perform my commands.
    $wfis=$wfm.GetWorkflowInstanceService()

    foreach ($listitem in $list.Items) {
        $wfissListItem = $wfis.EnumerateInstancesForListItem($list.ID, $listitem.ID) | Where-Object {(($_.Status -ne "Completed") -and ($_.Status -ne "Terminated")) }
        foreach ($wfisListItem in $wfissListItem) {
            $wfStatusResult = New-Object PSObject;
            $userid = $wfisListItem.Properties["Microsoft.SharePoint.ActivationProperties.InitiatorUserId"]
            $WFn = $WF | Where-Object {$_.ID -eq $wfisListItem.WorkflowSubscriptionId}
            $URL= "$($spweb.Url)/_layouts/15/Workflow.aspx?ID=$($listitem.ID)&List={$($list.id)}"
            $wfStatusResult | Add-Member -type NoteProperty -name 'URL' -value ($item.URL);
            $wfStatusResult | Add-Member -type NoteProperty -name 'ListName' -value ($item.ListName);
            $wfStatusResult | Add-Member -type NoteProperty -name 'Item' -value ($listItem.Title);
            $wfStatusResult | Add-Member -type NoteProperty -name 'ItemID' -value ($listitem.ID);
            $wfStatusResult | Add-Member -type NoteProperty -name 'Status' -value ($wfisListItem.status);
            $wfStatusResult | Add-Member -type NoteProperty -name 'UserStatus' -value ($wfisListItem.UserStatus);
            $wfStatusResult | Add-Member -type NoteProperty -name 'InstanceCreated' -value ($wfisListItem.InstanceCreated);
            $wfStatusResult | Add-Member -type NoteProperty -name 'LastUpdated' -value ($wfisListItem.LastUpdated);
            $wfStatusResult | Add-Member -type NoteProperty -name 'User' -value ($userid);
            $wfStatusResult | Add-Member -type NoteProperty -name 'WorkflowName' -value ($WFn.Name);
            $wfStatusResult | Add-Member -type NoteProperty -name 'FaultInfo' -value ($wfisListItem.FaultInfo);
            $wfStatusResult | Add-Member -type NoteProperty -name 'WorkflowUrl' -value ($URL);
            $wfStatusResults += $wfStatusResult;
        }
    }
    $spweb.Dispose();
}
$wfStatusResults | Export-csv $outputFile -NoTypeInformation


2013 Workflow: Setting Workflow App Principal Permission to Full

After rebuilding the farm, reinstalling WFM and republishing all the 2013 workflows (for a script to find all 2013 Workflows, see my article SharePoint 2013 – List of 2013 Workflows), we noticed that workflows would go into the Suspended state with the following error: “RequestorId: b5a9c167-bbc6-9aaa-0000-000000000000. Details: An unhandled exception occurred during the execution of the workflow instance. Exception details: System.ApplicationException: HTTP 401 {“error”:{“code”:”-2147024891, System.UnauthorizedAccessException”,”message”:{“lang”:”en-US”,”value”:”Access denied. You do not have permission to perform this action or access this resource.”}}} {“Transfer-Encoding”:[“chunked”],”X-SharePointHealthScore”:[“0″],”SPRequestGuid”:[“b5a9c167-bbc6-9aaa-a993-68245992a37c”],”request-id”:[“b5a9c167-bbc6-9aaa-a993-68245992a37c”],”X-FRAME-OPTIONS”:[“SAMEORIGIN”],”Cache-Control”:[“max-age=0, private”],”Server”:[“Microsoft-IIS\/7.5″],”WWW-Authenticate”:[“Negotiate”,”NTLM”],”X-AspNet-Version”:[“4.0.30319″],”X-Powered-By”:[“ASP.NET”],”MicrosoftSharePointTeamServices”:[“15.0.0.4771″],”X-Content-Type-Options”:[“nosniff”],”X-MS-InvokeApp”:[“1; RequireReadOnly”],”Date”:[“Fri, 29 Jul 2016 13:50:47 GMT”]} at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager bookmarkManager, Location resultLocation) …..”

Looking through ULS logs we also could see the following message: “Trusted provider is missing. Provider: ‘00000003-0000-0ff1-ce00-000000000000′”

A 2013 Workflow is a SharePoint application, and it requires full access to the Site Collection or Web Site. The following articles explain how to grant full Principal Permission to the 2013 Workflow Application through the GUI: “Workflow error in SP2013 related to App Step” and “Create Site From Template using SharePoint 2013 Workflow”.

It is all right to do it manually a couple of times, but it is not feasible for several hundred existing workflows. That is where PowerShell saves the day again.

Below is a function that sets the App Principal Permission to Full at the Site Collection level:

####################################################################################################
# Author.......: David Shvartsman
# Date.........: 07/29/2016
# Description..: Setting 2013 Workflow App Principal Permission to Full
####################################################################################################
if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null) {
	Add-PSSnapin "Microsoft.SharePoint.PowerShell";
}
function setWorkflowAppPrincipalPermissionFull ($WebUrl, $ClientID) {
	# Walk up from the given web to the root web of its site collection
	$spweb = Get-SPWeb $WebUrl
	$SiteURL = $spweb.Url
	while (!$spweb.IsRootWeb) {
		$parentUrl = $spweb.ParentWeb.Url
		$spweb.Dispose()
		$spweb = Get-SPWeb $parentUrl
		$SiteURL = $spweb.Url
	}
	$spweb.Dispose()
	$targetWeb = Get-SPSite $SiteURL
	# The app principal name identifier has the form <client id>@<authentication realm>
	$authRealm = Get-SPAuthenticationRealm -ServiceContext $targetWeb
	$AppIdentifier = $ClientID + "@" + $authRealm
	$appPrincipal = Get-SPAppPrincipal -Site $targetWeb.RootWeb -NameIdentifier $AppIdentifier
	Set-SPAppPrincipalPermission -Site $targetWeb.RootWeb -AppPrincipal $appPrincipal -Scope SiteCollection -Right FullControl
	$targetWeb.Dispose()
}
$weburl = "http://myurl/sites/abc"
# $subscription is a 2013 workflow subscription, obtained as in the "List of 2013 Workflows" script
$ID = $subscription.PropertyDefinitions["SharePointWorkflowContext.ActivationProperties.WebId"]
setWorkflowAppPrincipalPermissionFull $weburl $ID
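
When the grant is applied to several hundred workflows, it is worth recording what each app principal held before the change, skipping those already at FullControl, and doing a dry run first. The following is an added example, not the author's code; it assumes the CSV produced by the “List of 2013 Workflows” script (columns URL and wfID), and the function name, the audit file path and the -Apply switch are hypothetical.

```powershell
# Added example: bulk grant with a before/after audit trail. Dry run unless -Apply is given.
# Assumptions: input CSV from the "List of 2013 Workflows" script (URL and wfID columns);
# the function name, audit file path and -Apply switch are hypothetical.
if ((Get-PSSnapin 'Microsoft.SharePoint.PowerShell' -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin 'Microsoft.SharePoint.PowerShell'
}
function Set-WorkflowAppPermissionAudited {
    param(
        [string]$InputFile = 'D:\Temp\2013Workflows.csv',
        [string]$AuditFile = 'D:\Temp\WorkflowAppPermissionAudit.csv',
        [switch]$Apply
    )
    $audit = @()
    Start-SPAssignment -Global            # let SharePoint dispose SPWeb/SPSite objects
    try {
        # Several workflows share one web, so de-duplicate before changing anything
        $targets = Import-Csv $InputFile | Sort-Object URL, wfID -Unique
        foreach ($t in $targets) {
            $web   = Get-SPWeb $t.URL
            $root  = $web.Site.RootWeb
            $realm = Get-SPAuthenticationRealm -ServiceContext $web.Site
            $before = $null
            $action = 'PrincipalNotFound'
            try {
                $principal = Get-SPAppPrincipal -Site $root -NameIdentifier ($t.wfID + '@' + $realm) -ErrorAction Stop
                $before = Get-SPAppPrincipalPermission -Site $root -AppPrincipal $principal -Scope SiteCollection
                if ("$before" -eq 'FullControl') {
                    $action = 'AlreadyFullControl'
                } elseif ($Apply) {
                    Set-SPAppPrincipalPermission -Site $root -AppPrincipal $principal -Scope SiteCollection -Right FullControl
                    $action = 'Granted'
                } else {
                    $action = 'WouldGrant'
                }
            } catch {
                $action = 'Error: ' + $_.Exception.Message
            }
            $audit += [pscustomobject]@{
                SiteCollection = $root.Url
                WebUrl         = $t.URL
                ClientId       = $t.wfID
                RightBefore    = "$before"
                Action         = $action
                Timestamp      = (Get-Date).ToString('s')
            }
        }
    } finally {
        Stop-SPAssignment -Global
    }
    $audit | Export-Csv $AuditFile -NoTypeInformation
    $audit
}

Set-WorkflowAppPermissionAudited | Format-Table WebUrl, RightBefore, Action -AutoSize   # dry run
```

Review the dry-run output, then rerun with -Apply; the audit CSV keeps the previous right for each site collection so the change can be reviewed or reverted later.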

Additional Information:

Get-SPAppPrincipal
Set-SPAppPrincipalPermission
Create a workflow with elevated permissions by using the SharePoint 2013 Workflow platform
How do I set a SharePoint-hosted app’s permissions via PowerShell?
Workflow error in SP2013 related to App Step
Create Site From Template using SharePoint 2013 Workflow
How to retrieve all Apps installed on a SharePoint 2013 web application through Powershell

SharePoint 2013 – List of 2010 Workflows

Here is a small PowerShell code snippet to generate a list of 2010 workflows in a SharePoint 2013 farm. The script is fairly straightforward and does not require a lot of explanation. The 2010 Workflows are part of the SharePoint farm and are stored in the list object. If you are looking for a script to generate a list of all 2013 Workflows in the farm, see the following blog entry: SharePoint 2013 – List of 2013 Workflows

####################################################################################################
#
#  Author.......: David Shvartsman
#  Date.........: 05/21/2016
#  Description..: Output a list of all 2010 Workflows in the SharePoint 2013 Farm to a CSV file
#
####################################################################################################

if ((Get-PSSnapin 'Microsoft.SharePoint.PowerShell' -ErrorAction SilentlyContinue) -eq $null) {
  Add-PSSnapin 'Microsoft.SharePoint.PowerShell'
}
CLS
$spAssignment = Start-SPAssignment
$outputFile = 'D:\Temp\List_2010_Workflows.csv'
$output = '';
$wfResults = @();
$i = 0;
Write-Host 'Searching 2010 Workflows ....' -NoNewline;

# Get All Web Applications
$WebApps=Get-SPWebApplication
foreach($webApp in $WebApps) {
  # Get All Site Collection
  foreach ($spSite in $webApp.Sites) 	{
    # get the collection of webs
    foreach($spWeb in $spSite.AllWebs) {
      $wfm = New-object Microsoft.SharePoint.WorkflowServices.WorkflowServicesManager($spWeb)
      $wfsService = $wfm.GetWorkflowSubscriptionService()
      foreach ($spList in $spWeb.Lists) {
        foreach ($workflow in $spList.WorkflowAssociations) {
          if (( -not ( $workflow.Name -match 'Previous Version')) -AND ($workflow.IsDeclarative -EQ $TRUE)) {
            $i++
            $wfResult = New-Object PSObject;
            $wfResult | Add-Member -type NoteProperty -name 'URL' -value ($spWeb.URL);
            $wfResult | Add-Member -type NoteProperty -name 'ListName' -value ($spList.Title);
            $wfResult | Add-Member -type NoteProperty -name 'wfName' -value ($workflow.Name);
            $wfResult | Add-Member -type NoteProperty -name 'RunningInstances' -value ($workflow.RunningInstances);
            $wfResults += $wfResult;
          }
          if ($i -eq 10) {Write-Host '.' -NoNewline; $i = 0;}
        }
      }
    }
  }
}
$wfResults | Export-CSV $outputFile -Force -NoTypeInformation
Write-Host
Write-Host 'Script Completed'
Stop-SPAssignment $spAssignment

Happy Scripting!

SharePoint 2013 – List of 2013 Workflows

As part of a recent project we needed to get a list of all 2013 Workflows. The problem is that 2013 Workflows are registered as subscriptions in Workflow Manager, which is not technically a part of the SharePoint 2013 farm but a standalone component. As such, you need to instantiate a Workflow Services Manager and enumerate all subscriptions for a particular SharePoint list. In addition, there is no clear way to distinguish between the versions of the workflow code.

There are a lot of scripts that will list 2010 Workflows but I was not able to find one for 2013 Workflows.

The following code enumerates all Web Applications and generates the list of all 2013 Workflows in the SharePoint 2013 farm. I do not have access to a SharePoint 2010 farm, but the script can be adapted for use in SharePoint 2010 as well. If you are looking for a script to generate a list of all 2010 Workflows in the farm, see the following blog entry: SharePoint 2013 – List of 2010 Workflows

####################################################################################################
#
#  Author.......: David Shvartsman
#  Date.........: 05/11/2016
#  Description..: Output a list of all 2013 Workflows in the SharePoint 2013 Farm to a CSV file
#
####################################################################################################
if ((Get-PSSnapin 'Microsoft.SharePoint.PowerShell' -ErrorAction SilentlyContinue) -eq $null) {
  Add-PSSnapin 'Microsoft.SharePoint.PowerShell'
}
CLS
$spAssignment = Start-SPAssignment
$outputFile = 'D:\Temp\2013Workflows.csv'
$output = '';
$wfResults = @();
$i = 0;
Write-Host 'Searching 2013 Workflows ....' -NoNewline;

# Get All Web Applications
$WebApps = Get-SPWebApplication
foreach($webApp in $WebApps) {
  # Get All Site Collection
  foreach ($spSite in $webApp.Sites)    {
    # get the collection of webs
    foreach($spWeb in $spSite.AllWebs) {
      $wfm = New-object Microsoft.SharePoint.WorkflowServices.WorkflowServicesManager($spWeb)
      $wfsService = $wfm.GetWorkflowSubscriptionService()
      foreach ($spList in $spWeb.Lists) {
        $subscriptions = $wfsService.EnumerateSubscriptionsByList($spList.ID)
        foreach ($subscription in $subscriptions) {
          #$subscriptions.name
          #$subscriptions.PropertyDefinitions#._UIVersionString #_IsCurrentVersion
          $i++
          #excluding multiple version of the same workflow
          if (($spWeb.Url + $spList.Title + $subscription.Name) -ne $output) {
            $output = $spWeb.Url + $spList.Title + $subscription.Name    
            $wfID = $subscription.PropertyDefinitions["SharePointWorkflowContext.ActivationProperties.WebId"]        
            $wfResult = New-Object PSObject;
            $wfResult | Add-Member -type NoteProperty -name 'URL' -value ($spWeb.URL);
            $wfResult | Add-Member -type NoteProperty -name 'ListName' -value ($spList.Title);
            $wfResult | Add-Member -type NoteProperty -name 'wfName' -value ($subscription.Name);
            $wfResult | Add-Member -type NoteProperty -name 'wfID' -value ($wfID);
            $wfResults += $wfResult;
          }
          if ($i -eq 10) {Write-Host '.' -NoNewline; $i = 0;}
        }
      }
    }
  }
}
$wfResults | Export-CSV $outputFile -Force -NoTypeInformation
Write-Host
Write-Host 'Script Completed'
Stop-SPAssignment $spAssignment

Happy Scripting!