SharePoint 2013 and Workflow Manager Farms

If you have introduced a Workflow Manager Farm (WFM), first of all good for you! I’m quite excited about what WFM offers and where it’s heading. However, it’s early days and there are (of course) a number of “gotchas”. One in particular has caught my attention on the last few WFM deployments I’ve worked on. Once the WFM is configured and you are attempting to register SharePoint, you may encounter this message:

Microsoft.Workflow.Client.InvalidRequestException: Failed to query the OAuth S2S metadata endpoint
at URI 'http://sitename/_layouts/15/metadata/json/1'. Error details: 'The metadata endpoint responded with an error. HTTP status code: Forbidden.'. HTTP headers received from the server - ActivityId: 4ab628ba-04df-4d36-9425-151a516a7244. NodeId: WORKFLOWHOST01. Scope: /WF - SiteName. Client ActivityId : 4bad9b8e-5231-40f6-a90b-b0775e78c815. ---> System.Net.WebException: The remote server returned an error: (400) Bad Request.
at Microsoft.Workflow.Common.AsyncResult.End[TAsyncResult](IAsyncResult result)
at Microsoft.Workflow.Client.HttpGetResponseAsyncResult`1.End(IAsyncResult result)
at Microsoft.Workflow.Client.ClientHelpers.SendRequest[T](HttpWebRequest request, T content) -
-- End of inner exception stack trace ---
at Microsoft.Workflow.Client.ClientHelpers.SendRequest[T](HttpWebRequest request, T content)
at Microsoft.Workflow.Client.WorkflowManagementClient.SendRequest[T](HttpWebRequest request, T content)
at Microsoft.Workflow.Client.ScopeManager.PublishScopeInternal(ScopeDescription description, String[] pathSegments)
at Microsoft.SharePoint.WorkflowServices.WorkflowServerPairingContext.EnsureFarmScope(Boolean configureOAuth)
at Microsoft.SharePoint.WorkflowServices.PowerShell.RegisterSPWorkflowService.InternalProcessRecord()
at Microsoft.SharePoint.PowerShell.SPCmdlet.ProcessRecord()

So the simple way to verify the error would simply be navigating to the URI, in this example http://sitename/_layouts/15/metadata/json/1 and no doubt you will encounter the error first hand. However, we need to look at the message a little closer and specifically the “Failed to query the OAuth S2S metadata endpoint” part. To fix this particular error, simply follow these steps:

  • Ensure the Workflow Service Account is a member of the Local Administrators group on all Workflow hosts
  • Head over to “Manage Web Applications” in Central Administration and select the row of the appropriate Web Application you registered with WFM
  • Click “User Policy” from the ribbon and then click “Add Users”
  • Select the appropriate Zone for your environment
  • Add the WFM Service Account and select “Full Control” from the Permissions section (do not allow the account to operate as System!)
  • Click OK and try to register it again

If that still fails, try adding the -Force parameter and ensure you have declared a -ScopeName in your Register-SPWorkflowService cmdlet.
Don’t feel bad if you missed this step of WFM deployment. Although it’s part of the risual deployment process, it doesn’t seem to be common knowledge yet so many don’t realise it is required.

About the author