Wednesday, April 3, 2013

On-premise Windows workflow server configuration with SharePoint 2013

[Environment background] Service Bus 1.0 and Workflow Manager 1.0 are installed on the same virtual machine. SharePoint Server 2013 and SQL Server are installed on another virtual machine. They are in the same domain.

After registering the new workflow server with SharePoint through the PowerShell command:

Register-SPWorkflowService -SPSite "http://hvApp2012.pw3.local/" -WorkflowHostUri "https://hvWF2012.pw3.local:12290" -AllowOAuthHttp

I can see the "SharePoint 2013 Workflow" platform type when trying to create a declarative workflow in SharePoint Designer 2013.

I can build the workflow. However, when trying to publish it, I got the error below.

System.InvalidOperationException: Operation failed with error Microsoft.Workflow.Client.ScopeNotFoundException: Scope '/SharePoint/default' was not found.  HTTP headers received from the server - ActivityId: f8958d89-6946-4e76-b502-b8669b68188e. NodeId: HVWF2012. Scope: /SharePoint/default/bc770e6d-619f-4d8d-9564-a97222b1afbc. Client ActivityId : 35ee0d9c-20f3-b0fb-0015-1deca478baeb. ---> System.Net.WebException: The remote server returned an error: (404) Not Found.
   at Microsoft.Workflow.Com

(In a separate test environment, workflow publishing is fine, but the workflow always cancels itself automatically after being triggered.)

It seems we need to specify a workflow "scope" for the SharePoint site, but I cannot find it in the MSDN sample code. (Obviously, they really, really want everyone to move to Azure.)

The PowerShell commands of "Workflow Manager 1.0" are here.

So I created a new scope, running as the workflow manager account "pw3\_wfManager":

New-WFScope -ScopeUri https://hvWF2012.pw3.local:12290/SP2013.PW3.hvApp2012.80

We can see the result:

$mycredentials = Get-Credential("pw3\_wfManager")
Get-WFScope -ScopeUri https://hvWF2012.pw3.local:12290/SP2013.PW3.hvApp2012.80 -Credential $mycredentials

Then grant the access rights of this scope to all users:

$SecurityConfig = New-Object Microsoft.Workflow.Client.Security.WindowsSecurityConfiguration("All Users")
$SecurityConfig.WorkflowAdminGroupName = "Users"
Set-WFScopeSecurity -ScopeUri https://hvWF2012.pw3.local:12290/SP2013.PW3.hvApp2012.80 -Credential $mycredentials -SecurityConfiguration $SecurityConfig

The reason I use "WindowsSecurityConfiguration" instead of "OAuthWrapSecurityConfiguration" is that I can see the root scope information when I open the workflow server site https://hvwf2012.pw3.local:12290/ :

<ScopeInfo xmlns:i="" xmlns="">
  <DefaultWorkflowConfiguration />
  <Description>Root Scope</Description>
  <SecurityConfigurations>
    <ScopedSecurityConfiguration i:type="WindowsSecurityConfiguration">

If you get the error message:

Authentication Failed. Valid credentials must be provided for one of the following protocols: Negotiate.

You can turn off "Anonymous Authentication" in the workflow server's IIS site settings. But don't forget to change it back after changing the scope security, or else you will get an "access denied" error when registering the workflow service.
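The toggle-and-restore sequence described above can be scripted so that the IIS setting is put back even when the scope change fails. This is an added example, not the author's script; it assumes the WebAdministration module is available on the workflow server, that the Workflow Manager cmdlets and client assembly are loaded (as in the Workflow Manager PowerShell console), and that the IIS site is named "Workflow Management Site".

```powershell
# Added example, not part of the original post.
# Run elevated on the workflow server, in the Workflow Manager PowerShell console.
Import-Module WebAdministration

# Assumption: the IIS site name; confirm it with Get-Website before running.
$siteName = 'Workflow Management Site'
$scopeUri = 'https://hvWF2012.pw3.local:12290/SP2013.PW3.hvApp2012.80'

# Splatted arguments shared by the read and both writes of the IIS setting.
$anon = @{
    PSPath   = 'IIS:\'
    Location = $siteName
    Filter   = '/system.webServer/security/authentication/anonymousAuthentication'
    Name     = 'enabled'
}

$mycredentials = Get-Credential 'pw3\_wfManager'

# Remember the current value so it is restored exactly as it was.
$original = (Get-WebConfigurationProperty @anon).Value

try {
    # With anonymous access off, the request has to authenticate with Negotiate.
    Set-WebConfigurationProperty @anon -Value $false

    # Values taken from the post; a dedicated group name can be
    # substituted for 'Users' to keep the scope's admin group narrow.
    $SecurityConfig = New-Object Microsoft.Workflow.Client.Security.WindowsSecurityConfiguration('All Users')
    $SecurityConfig.WorkflowAdminGroupName = 'Users'
    Set-WFScopeSecurity -ScopeUri $scopeUri -Credential $mycredentials `
        -SecurityConfiguration $SecurityConfig -ErrorAction Stop

    # Read the scope back to confirm the change was accepted.
    Get-WFScope -ScopeUri $scopeUri -Credential $mycredentials
}
finally {
    # Runs whether or not the scope change succeeded.
    Set-WebConfigurationProperty @anon -Value $original
    Write-Host "Anonymous Authentication restored to: $original"
}
```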

After that, we can go back to SharePoint server to register the workflow service.

Register-SPWorkflowService -SPSite "http://hvApp2012.pw3.local/" -WorkflowHostUri "https://hvWF2012.pw3.local:12290" -Force -ScopeName "SP2013.PW3.hvApp2012.80"


  1. Is "Pw3\_wfManager" YOUR selected account or a system/built-in account to do the thing?

    1. That's a normal domain user account, used as service account.

    2. I just figured out: It is YOUR workflow manager account.

      Thanks anyway. :)

  2. Is https://hvWF2012.pw3.local:12290/SP2013.PW3.hvApp2012.80 the address of your web application?

  3. This comment has been removed by the author.

  4. ignore this post. Made it sound more complex than it really was: see this post:

    1. My post is a bit aged. I guess MS fixed some bug in the workflow server registration.

      I cannot recall any similar issue in this year (2014).