Workflow Suspended HTTP 500 Security Token Issue

Hi everyone,

Recently, I was working on an interesting case. Someone told me that the workflows in SharePoint were all suspended.

The environment is SharePoint 2013 with a separate Workflow Manager on a different server.

Without any introductions, all workflows show a suspended state with the error:

Retrying last request. Next attempt scheduled in less than one minute. Details of last request: HTTP InternalServerError to https://lol.contoso.local/_vti_bin/client.svc/web/lists/getbyid(guid'da2febde-ff47-4b11-bd71-785b004dbcdb')/Fields?%24select=EntityPropertyName%2CTypeAsString Correlation Id: 18a9b439-f602-e9f9-a2eb-97474f55dc86 Instance Id: 12de845f-9ebe-49d7-bfdb-7802199fcb89

Or something like:

HTTP 500 ID3242: The security token could not be authenticated or authorized. bla bla bla.

I restarted every single SharePoint server, I even restarted the Workflow Manager server, and went through Event Viewer on all servers without any luck. I checked whether any new Windows updates had been installed, and the answer was no.

The SharePoint farm is running Nov 2015 CU by the way.

Many people are talking about making sure that the Claims to Windows Token Service is started on the SharePoint server. Well, it is started.

After digging around, I found this event log entry on one of the back-end SharePoint servers:

An operation failed because the following certificate has validation errors:

Subject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US
Issuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US
Thumbprint: B6036254C45D04F8173CD9598A44DD1EF1CF9C39


PartialChain: A certificate chain could not be built to a trusted root authority.
RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
OfflineRevocation: The revocation function was unable to check revocation because the revocation server was offline.

So I went to the Certificates console on the server, Computer store, SharePoint, Certificates:

[Image: SharePoint STS token error as shown in the Certificates console]

When you open any of these three SharePoint certificates, it shows that it cannot verify the identity of the certificate. This means that SharePoint cannot locate the trusted root certificate for those three certificates.

SharePoint has a PKI root certificate called (SharePoint Root Authority). All I need is to locate it and then import it into the Trusted Root Certification Authorities node in the Certificates console that I already have open.

To pull that root certificate (Reference Link), open a SharePoint PowerShell session and type:

# Get the farm's root CA certificate object (the "SharePoint Root Authority")
$rootCert = (Get-SPCertificateAuthority).RootCertificate
# Export it as a DER-encoded .cer file that can be imported into the Trusted Root store
$rootCert.Export("Cert") | Set-Content C:\SharePointRootAuthority.cer -Encoding byte

That's it. Everything started working fine after that. I had to import that trusted root certificate into the Trusted Root Certification Authorities node on all my SharePoint servers.
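The same fix as a single script, as an added example that is not part of the original post: it exports the SharePoint Root Authority certificate, imports it into the local machine's Trusted Root store if it is not already there, and then rebuilds the chain for every certificate in the LocalMachine\SharePoint store so you can confirm the PartialChain error is gone before touching the workflows. The export path, the store name "SharePoint" (taken from the console path in the post) and the function name Test-SPCertificateChain are assumptions. Revocation checking is switched off in the chain test because the farm's root authority does not publish a CRL, so the RevocationStatusUnknown and OfflineRevocation statuses would otherwise hide whether the chain itself now builds.

```powershell
# Added example, not the post's own code. Run in an elevated SharePoint Management Shell
# on each SharePoint server (the post had to import the root on all of them).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$exportPath = 'C:\SharePointRootAuthority.cer'   # assumed path, same as in the post

# 1. Export the farm's root CA certificate as a DER-encoded .cer file
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$derBytes = $rootCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($exportPath, $derBytes)
Write-Host "Exported '$($rootCert.Subject)' ($($rootCert.Thumbprint)) to $exportPath"

# 2. Import it into LocalMachine\Root (Trusted Root Certification Authorities), skipping if present
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$rootStore.Open('ReadWrite')
$alreadyTrusted = $rootStore.Certificates | Where-Object { $_.Thumbprint -eq $rootCert.Thumbprint }
if (-not $alreadyTrusted) {
    $rootStore.Add($rootCert)
    Write-Host "Imported root certificate into LocalMachine\Root"
} else {
    Write-Host "Root certificate already present in LocalMachine\Root"
}
$rootStore.Close()

# 3. Verify that every certificate in the SharePoint store now chains to a trusted root.
#    RevocationMode is NoCheck: the SharePoint Root Authority publishes no CRL, so the
#    revocation statuses from the event log are expected and not the problem being fixed.
function Test-SPCertificateChain {
    param([string]$StorePath = 'Cert:\LocalMachine\SharePoint')   # assumed store path
    foreach ($cert in Get-ChildItem $StorePath) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $built = $chain.Build($cert)
        $statusText = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            ChainOK    = $built
            Status     = if ($built) { 'OK' } else { $statusText }   # e.g. PartialChain if still broken
        }
        $chain.Reset()
    }
}

Test-SPCertificateChain | Format-Table -AutoSize
```

A row whose Status still reads PartialChain after the import means that server is looking at a different root (for example a farm that was rebuilt with a new Get-SPCertificateAuthority root), so compare the Thumbprint of the exported root against the Issuer of the failing certificate before importing anything else.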
