Recently, I was working on an interesting case. Someone told me that all the workflows in SharePoint were suspended.
The environment is SharePoint 2013 with a separate Workflow Manager on a different server.
Without any introduction, all the workflows were showing a suspended state with this error:
Retrying last request. Next attempt scheduled in less than one minute. Details of last request: HTTP InternalServerError to https://lol.contoso.local/_vti_bin/client.svc/web/lists/getbyid(guid'da2febde-ff47-4b11-bd71-785b004dbcdb')/Fields?%24select=EntityPropertyName%2CTypeAsString Correlation Id: 18a9b439-f602-e9f9-a2eb-97474f55dc86 Instance Id: 12de845f-9ebe-49d7-bfdb-7802199fcb89
Or something like:
HTTP 500 ID3242: The security token could not be authenticated or authorized.. bla bla bla.
I restarted every single SharePoint server, I even restarted the Workflow Manager server, and went through the event viewer on all servers without any luck. I checked whether any new Windows updates had been installed, and the answer was no.
The SharePoint farm is running Nov 2015 CU by the way.
Many people are talking about making sure that the Claims to Windows Token Service is started on the SharePoint server. Well, it is started.
After digging around, I found this event log entry on one of the back-end SharePoint servers:
An operation failed because the following certificate has validation errors:
Subject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US
Issuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US
PartialChain: A certificate chain could not be built to a trusted root authority.
RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
OfflineRevocation: The revocation function was unable to check revocation because the revocation server was offline.
So I went to the Certificates console on the server, Computer store, SharePoint, Certificates:
When you open any of these three SharePoint certificates, it shows that the identity of the certificate cannot be verified. This means that SharePoint cannot locate the trusted root certificate for those three certificates.
SharePoint has its own PKI root certificate called SharePoint Root Authority. All I need is to locate it and then import it into the Trusted Root Certification Authorities node in the Certificates console I already have open.
To pull that root certificate (Reference Link), open a SharePoint PowerShell session and type:
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$rootCert.Export("Cert") | Set-Content C:\SharePointRootAuthority.cer -Encoding byte
That's it. Everything started working fine after that. I had to import that trusted root certificate into the Trusted Root Certification Authorities node on all of my SharePoint servers.
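Putting the export, the import on every farm server and a chain check together, as an added example that is not from the original post: the server names, reuse of the .cer path, and remoting via Invoke-Command are assumptions; the cmdlet Get-SPCertificateAuthority and the store names are the ones the post uses.

```powershell
# Added example (not the post's own script). Assumes the SharePoint PowerShell
# snap-in, PowerShell remoting to each farm server, and admin rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Export the farm's self-signed root exactly as the post does, to a local file.
$cerPath  = 'C:\SharePointRootAuthority.cer'
$rootCert = (Get-SPCertificateAuthority).RootCertificate
[System.IO.File]::WriteAllBytes($cerPath, $rootCert.Export('Cert'))

# Placeholder server names; replace with the farm's actual SharePoint servers.
$servers = @('SP-WFE01', 'SP-APP01')

$importAndVerify = {
    param([byte[]]$rawCert)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$rawCert)
    $root  = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
    $root.Open('ReadWrite')
    # Import only once: match on thumbprint so re-running the script is harmless.
    if (-not ($root.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })) {
        $root.Add($cert)
    }
    $root.Close()

    # Verify: every certificate in the SharePoint store must now chain to the root.
    $sp = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'SharePoint', 'LocalMachine'
    $sp.Open('ReadOnly')
    foreach ($c in $sp.Certificates) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Skip revocation so the result isolates the chain-building (PartialChain)
        # error the event log reported.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $ok = $chain.Build($c)
        [pscustomobject]@{
            Server  = $env:COMPUTERNAME
            Subject = $c.Subject
            ChainOk = $ok
            Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
    $sp.Close()
}

$raw = [System.IO.File]::ReadAllBytes($cerPath)
foreach ($s in $servers) {
    Invoke-Command -ComputerName $s -ScriptBlock $importAndVerify -ArgumentList (,$raw) |
        Format-Table Server, Subject, ChainOk, Status -AutoSize
}
```

A row with ChainOk false and PartialChain in Status means that server still lacks the root in its Trusted Root store; after a successful import the three SharePoint certificates should report ChainOk true.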