Wednesday, November 25, 2015

SharePoint Workflow HTTP Unauthorized to...

This is an issue being discussed all over the internet and many articles suggest the number 1 fix for this as checking the existence of the user profile service and the user profile synchronization service as started. Also that is the best place to start looking into. 

In our case it was different. This was working well a few days ago and suddenly goes off without any notice. Now this is strange. The situation can be briefly summed up as this. 

  • Our domain controller is located in a separate network which is connected to this environment through a VPN.
  • I try to start the workflow through a PowerShell code. (Run as Administrator and impersonate the workflow start process to another user with necessary permission)
  • Workflow starts and display the following message in the status. 

Retrying last request. Next attempt scheduled in less than one minute. Details of last request: HTTP Unauthorized to http://sitename/_vti_bin/client.svc/web/lists/getbyid(guid'guid') Correlation Id: id Instance Id: id
The Windows Event Viewer shows something like this.



If you look at the ULS logs, it will display something like this.
  • SPApplicationAuthenticationModule: Failed to build cache key for user
  • SecurityTokenServiceSendRequest: RemoteAddress: 'http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc' Channel: 'Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustChannelContract' Action: 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue' MessageId: 'urn:uuid:06791225-7720-4e8f-a93e-db2777db56d4'
  • SecurityTokenServiceReceiveRequest: LocalAddress: '<STSSiteName>/SecurityTokenServiceApplication/securitytoken.svc' Channel: 'System.ServiceModel.Channels.ServiceChannel' Action: 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue' MessageId: 'urn:uuid:06791225-7720-4e8f-a93e-db2777db56d4'
  • SPJsonWebSecurityBaseTokenHandler: ValidateActorIsSelfIssuer! Issuer '00000005-0000-0000-c000-000000000000' is not self issuer.
  • Identity claims mapped to '0' user profiles. Claims: [nameid: '', nii: 'windows', upn: '', smtp: '', sip: ''], User Profiles:
  • UserProfileException caught.. Exception Microsoft.Office.Server.Security.UserProfileNoUserFoundException: 3001002;reason=The incoming identity is not mapped to any user profile account in SharePoint. Possible cause is that no user profiles are created in user profile database. Contact your administrator.     at Microsoft.Office.Server.Security.UserProfileIdentityClaimMapper.GetSingleUserProfileFromClaimsList
According to this log, I should not have a user profile for the particular mapping user. But if I go and check the user profile service, there is a user profile associated. 

Solution

Then there are a few things that need to be ensured before going to the worst case solution.

  • Make sure the user profile service up and running. 
  • Make sure the workflow initiator has a user profile associated.
  • Make sure the Security Token Service App Pool has Load User Profile property set to True as shown in the image below.


  • Make sure Distributed Cache is running.
If all the above did not work, then remove the user from the user information list of that particular site. Then add them again to the SharePoint groups as they were earlier. Now login to the particular site from the newly added SharePoint user so he will be added to user information list and have refreshed token mapping for the claims with the User Profile Service.

Then try starting the workflow manually. It shall start. 

1 comment:

  1. Liberty cannot be established without morality, nor morality without faith. See the link below for more info.

    #morality
    www.ufgop.org

    ReplyDelete