locked
Workflow Manager Suspends Workflows - "Invalid JWT token" RRS feed

  • Question

  • Hi,

    I've installed Workflow Manager with the default settings described in this Technet article: http://technet.microsoft.com/en-us/library/jj193514.aspx. Everything seems to install just fine but when I create a very simple workflow test on an "Announcements" list which simple creates a Workflow History entry. However, the workflow immediately suspends with the following error which seems to be some kind of an authentication error. I am running the workflow logged on as a site collection administrator which is not 1. farm administrator or 2. the service ID that I input into the Workflow Manager Configuration Wizard.I also DO have profiles installed, the user running the workflow DOES have a profile and I DO have the App Management service application installed. In addition, I rebooted the SharePoint VM after the install

    Given that Workflow Manager, Workflow Manager Client 1.0 and Service Bus 1.0 are all running on the same server as Central Administration (since I only have the one SharePoint VM) perhaps the reference to "SAMEORIGIN" in the error means something?

    I've installed Workflow Manager with the same instructions on other farms in the past and not had this problem and wondering whether the June 2013 CU has introduced this error. . .

    Please help!

    Kathryn

    RequestorId: f17eeb99-00f1-d82f-0000-000000000000.
    Details: An unhandled exception occurred during the execution of the workflow instance.

    Exception details: System.ApplicationException: HTTP 401 {"error_description":"Invalid JWT token. Could not resolve issuer token."} {"x-ms-diagnostics":["3000006;reason=\"Token contains invalid signature.\";category=\"invalid_client\""],"SPRequestGuid":["f17eeb99-00f1-d82f-9859-d5b160369f87"],"request-id":["f17eeb99-00f1-d82f-9859-d5b160369f87"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"SPRequestDuration":["4"],"SPIisLatency":["0"],"Server":["Microsoft-IIS\/8.0"],"WWW-Authenticate":["Bearer realm=\"2b0ecd05-1b3e-4efd-a346-c7b309bf6fb5\",client_id=\"00000003-0000-0ff1-ce00-000000000000\",trusted_issuers=\"00000005-0000-0000-c000-000000000000@*,00000003-0000-0ff1-ce00-000000000000@2b0ecd05-1b3e-4efd-a346-c7b309bf6fb5\"","NTLM"],"X-Powered-By":["ASP.NET"],"MicrosoftSharePointTeamServices":["15.0.0.4517"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1; RequireReadOnly"],"Date":["Sun, 25 Aug 2013 22:22:02 GMT"]} at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager bookmarkManager, Location resultLocation)


    Kathryn Birstein, Senior SharePoint Architect

    Sunday, August 25, 2013 11:38 PM

Answers

  • Hi Steve,

    I installed the Workflow Manager on a second farm on another client set up exactly the same way as the first one I described in my beginning post above and got the "JWT Token" error. Then I WAITED until the next day to see if the error would clear like it did on the first farm AN IT DID.

    SO, it's clear that SOME TIMER JOB ran overnight that resolved the "JWT Token" error.

    SO WAIT A DAY, and see if it goes away. . .it would be nice to know what timer job fixes this, something to do with authentication no doubt. . .

    Kathryn


    Kathryn Birstein, Senior SharePoint Architect

    • Marked as answer by Lindali Wednesday, September 4, 2013 11:11 AM
    Tuesday, August 27, 2013 8:55 PM

All replies

  • Hi,

    Base on the description, an unhandled exception occurred during the execution of the workflow instance.

    I suggest you to use other account to test the workflow. Please make sure you are not using system account. Also please make sure User profile service is running and syncing with active directory. As I've found sometimes workflow tries to read user information from user profile service and if the user details missing in User Profile service, the workflow might get failed. The original error is "Token Contains Invalid signature" which means either the user is system account or the user doesn't exists in user profile.

    There is an article about the error message, you can refer to it: http://steve.thelineberrys.com/following-sites-across-farms-with-sharepoint-2013-mysites/

    More information:

    Troubleshooting Workflow Manager 1.0 Management and Execution: http://msdn.microsoft.com/en-us/library/windowsazure/jj193529(v=azure.10).aspx?ppud=4

    Best Regards, 

    Linda Li

    Monday, August 26, 2013 2:08 PM
  • As I indicated in my post, I am NOT using the system account to run the workflow, but a user ID that is site collection adminsitration. I am aware of that bug. Also, the User Profile Service is running and syncing so this is NOT the issue.

    Kathryn Birstein, Senior SharePoint Architect

    Monday, August 26, 2013 2:32 PM
  • Hi Kathryn,

    "Me too"!  I'm having the same issue on one of my servers.  Sounds like a similar setup - a single SP 2013 box with WF installed, separate SQL Server, separate DC.  I'm using a domain account in my services account OU, account's valid, did the installation logged on to the account & that did help with a timeout error I was getting when logged on with my own account, but still getting that same error message.  I did notice in the Service Bus log in the Applications & Services Logs a warning that STS cannot translate a particular SID; when I translate that SID to a user name it came back with "\", whatever that means.  But this is my best clue so far, I'll see if I can find anything further about that.

    I'm also using the June 2013 CU of SP2013.

    Steve


    Monday, August 26, 2013 6:44 PM
  • Hi Steve,

    WEIRDLY, the error cleared on one of my farms overnight. I speculated that it was because the Profile Sync ran again so I setup Workflow Manager on another far (different client though with almost the same configuration) got EXACTLY the same JWT Token error, refreshed Profiles and it didn't help. So whatever job ran overnight on the first farm that fixed the condition may fix it on the second farm as well. . .waiting till tomorrow to see if it is fixed and will update this forum when I check.. .

    Kathryn


    Kathryn Birstein, Senior SharePoint Architect

    Monday, August 26, 2013 7:05 PM
  • Hi Steve,

    I installed the Workflow Manager on a second farm on another client set up exactly the same way as the first one I described in my beginning post above and got the "JWT Token" error. Then I WAITED until the next day to see if the error would clear like it did on the first farm AN IT DID.

    SO, it's clear that SOME TIMER JOB ran overnight that resolved the "JWT Token" error.

    SO WAIT A DAY, and see if it goes away. . .it would be nice to know what timer job fixes this, something to do with authentication no doubt. . .

    Kathryn


    Kathryn Birstein, Senior SharePoint Architect

    • Marked as answer by Lindali Wednesday, September 4, 2013 11:11 AM
    Tuesday, August 27, 2013 8:55 PM
  • Hi Kathryn,

    I didn't believe, it could gets magically fixed during night, but the same thing happened to me on our environment. Yesterday I spent whole day trying to find a problem and today morning it is suddenly working. As you said, it would be really great to know which background process fixed it. Anyway thanks for sharing your experience !

    R.

    Thursday, August 29, 2013 6:57 AM
  • Great news! Anybody have any ideas what overnight process is FIXING THIS??

    Kathryn



    Kathryn Birstein, Senior SharePoint Architect

    Thursday, August 29, 2013 3:21 PM
  • I think I may have found the mystery job. Just hit this for the second time - and didn't want to wait around. Reviewed the daily timer jobs and "Refresh Trusted Security Token Services Metadata feed" looked a likely candidate.  Hit the Run Now button and tried my workflows - the dreaded cancellations stopped! If anyone else manages to validate this I'd be pleased to hear - just in case something else just happened to fix things in the background at the same time.

    Best regards,

    Brian.


    Blog | Facebook | Twitter | Posting is provided "AS IS" with no warranties, and confers no rights.
    Project Server TechCenter | Project Developer Center | Project Server Help | Project Product Page

    • Proposed as answer by Wim De Groote Saturday, February 8, 2014 1:25 PM
    Monday, January 13, 2014 10:38 PM
  • Thank you for this tip. I had a similar Token error message suspending SharePoint 2013 workflows. Run the timer job "Refresh Trusted Security Token Services Metadata feed" got rid of this problem for me.

    Kind regards,

    Wim De Groote

    Saturday, February 8, 2014 1:27 PM
  • I tried to run now the job without success. I'm still getting the same error. Any idea about other possible reason that causes this error?

    Regards,

    Francesco

    Monday, June 30, 2014 12:55 PM
  • Brian, 

    Thanks for the post. This worked for me as well!

    Tuesday, July 8, 2014 9:07 PM
  • Brian,

    Running the "Refresh Trusted Security Token Services Metadata feed" daily timer job fixed this issue for me.

    Thank you.

    Kind Regards,

    Giuseppe

    Wednesday, September 2, 2015 7:33 AM
  • worked for me.  Thanks!!!!!
    Wednesday, February 10, 2016 11:45 PM
  • I've got the same problem, read all the posts and done what other people did...without success. Does anybody have idea what else I could try? Our SP is a 2016, divided in two servers. 1 for the search, 1 for the rest.
    Thursday, March 9, 2017 8:38 AM
  • You are a life saver
    Monday, July 31, 2017 7:24 PM