Configure SharePoint Workflow Manager - The Definitive Guide

/ Andreas Glaser

How to: SharePoint step by step configuration of workflow manager with this definitive guide.


Applies to:

  • SharePoint Server Server Subscription Edition
  • SharePoint 2019

Install SharePoint Server Subscription Edition - The Complete E-Book:

Overview

Using workflows, you can model and automate business processes in SharePoint.

There are three different workflow technologies supported by SharePoint :

  1. SharePoint 2013 Workflow platform
    This platform is the recommended workflow platform by Microsoft [1]. Microsoft Workflow Manager is used to integrate workflows into SharePoint.

  2. Power Automate
    Power Automate is a new cloud-based workflow platform. It has two limitations:
    • Each related user must have a PowerApps Plan 1 license which is not part of the SharePoint Server license.
    • Microsoft Flow is currently optimized for non-interactive workflows.

  3. SharePoint 2010 Workflow platform
    This platform is supported for backward compatibility. If you want to create new Workflows please use one of the options above.

SharePoint provides workflows by using Microsoft Workflow Manager, which is based on Windows Workflow Foundation.

There are different tools to develop workflows [2]:

  • SharePoint Designer 2013
    SharePoint Designer is the primary tool to develop workflows. It’s installed on your local computer and connects to a SharePoint site (you have permission to).

  • Visual Studio
    Visual Studio is used to develop advanced workflows with custom actions and tasks that can interact with a custom application.

The end user interacts with workflows via a supported web browser like Edge, Firefox, or Chrome.

Back to top

Scenario

I used the following scenario to configure Workflow Manager for SharePoint .

There are different scenarios for installing and configuring Workflow Manager:

  • Install Workflow Manager on a SharePoint server. Communication takes place using HTTP or HTTPS.
  • Install Workflow Manager on a dedicated server that is not part of the SharePoint farm. Communication takes place using HTTP or HTTPS.


I'm going to use the following scenario to install and configure Workflow Manager:

Sceanrio for my SharePoint  Workflow Manager configuration

Details:

  • Workflow Manager will be installed on a dedicated server.

  • SharePoint is already installed and a Web Application + Site Collection has been created. The URL "http(s)://www.domserver.com" returns content, e.g. a team site.

  • A "Host (A)" entry for the sub domain "workflow.domserver.com" has been created using "DNS Manager". It points to the Workflows Manager server with IP address 192.168.137.4:
    I created a working URL pointing to the Workflow Manager server.

  • Communication between SharePoint and Workflow Manager takes place using HTTPS. If you don’t want to use HTTPS you can easily replace it with HTTP during the following process.

Back to top

Workflow Manager Download

SharePoint Workflow Manager downloads are issued through Web Platform Installer.

Download Web Platform Installer. The download is located at the bottom of the website:

Download Microsoft Workflow Manager from the bottom of the website.


Back to top

Requirements

There are different requirements for a successful installation and configuration [4].

Please verify the following SharePoint Workflow Manager requirements:

  1. You need to use a SharePoint Farm Administrator account (e.g. spAdmin). This account needs the following permissions:
    • dbcreator and securityadmin on the SQL Server
    • Member of the "Administrators" group on every server where Workflow Manager will be installed.

    If you are unsure about specific SharePoint requirements please find more information here:

  2. Please create a domain account (e.g. spWFM) under which the Workflow Manager service will run. This must be a domain account.

  3. In SharePoint the App Management Service and Microsoft SharePoint Foundation Subscription Settings Service must be running.
    To successfully configure Workflow Manager the App Management Service and Microsoft SharePoint Foundation Subscription Settings Service must be running

  4. SQL Server that hosts Workflow Manager databases needs to be configured [5]:
    • "Workflow Manager communicates by using TCP/IP or Named Pipes. Make sure that the appropriate communication protocol is enabled on the SQL Server instance that hosts the Workflow Manager databases."
    • "The SQL Browser Service must be running on the SQL Server instance that hosts the Workflow Manager databases."

  5. Firewall has to allow communication over the following ports:
    • Workflow Manager Ports: 12290 & 12291
    • Service Bus Ports: HTTPS 9355 & TCP 9354
    • Message Broker Port: 9356
    • Internal Communication Port Range: 9000 - 9004

  6. (Self-signed) SSL certificates are not allowed to create certificate warnings in your web browser.

  7. Log on to the Workflow Manager server and successfully ping "www.domserver.com".

  8. Log on to the SharePoint server and successfully ping "workflow.domserver.com".

If you didn't successfully install SharePoint please do this first:


Also please make sure sure you have the newest SharePoint Cumulative Updates installed:


Back to top


Installation & Configuration

The following steps apply for every scenario mentioned above. You can change the steps based on your needs, e.g. http or https.

Install Workflow Manager

Install Web Platform Installer on the server where you want to configure Workflow Manager.

  1. Open Web Platform Installer and search for the term "Workflow". Please install "Workflow Manager 1.0 Refresh (CU2)" first:
    Download Workflow Manager 1.0 Refresh (CU2)

  2. After the installation has finished cancel the wizard.

  3. Close the Web Platform Installer and reopen it again so the current installation state is refreshed.

  4. Please install the newest Cumulative Update:
    Install the newest Workflow Manager cumulative update

Back to top

Configure Workflow Manager

You’re still logged on to the server where Workflow Manager is installed:

  1. Log on to the server where Workflow Manager is installed using a SharePoint Farm Administrator account (e.g. spAdmin)

  2. Open "Start > Workflow Manager 1.0 > Workflow Manager Configuration".

  3. Configure Workflow Manager with custom settings:
    Configure Workflow Manager with custom settings

  4. Configure the Farm Management database settings:
    Configure the Farm Management database settings

    Note: If you want SSL communication between your Workflow server and SQL Server make sure the firewall on SQL Server allows SSL traffic. Otherwise "Test Connection" will fail.
    Note: If you use SSL make sure you use a FQDN to reference your SQL Server instance. The common name in the SSL certificate must match the FQDN of the SQL Server instance.

  5. Configure the Farm Management database name:
    Configure the Farm Management database name

  6. Configure the Instance Management database name:
    Configure the Instance Management database name

  7. Configure the Resource Management database name:
    Configure the Resource Management database name

  8. Provide the Workflow Manager service account:
    Provide the Workflow Manager service account

  9. Enable "Auto-generate" certificates to use HTTPS for communication between SharePoint and Workflow Manager. If you want to use your own certificate uncheck "Auto-generate".
    Provide a password:
    Enable Auto-generate certificates to use HTTPS

    Note: The password is required if you want to join servers to the Workflow Farm later.

  10. Keep the default ports:
    Keep the default ports

  11. Please select the options you need:
    Please select the options you need
    Usually you can keep the default settings because most companies have a firewall enabled on the Workflow Manager server and want to use HTTPS.

  12. Provide a group of users that will manage the workflow farm:
    Provide a group of users that will manage the workflow farm

  13. Please proceed to the second page and configure the same settings for the Service Bus.

  14. Configure the Service Bus Farm Management database name:
    Configure the Service Bus Farm Management database name

  15. Configure the Service Bus Gateway database name:
    Configure the Service Bus Gateway database name

  16. Configure the Message Container database name:
    Configure the Message Container database name

  17. Select to use the same service accounts credentials as provided for Workflow Manager:
    Select to use the same service accounts credentials as provided for Workflow Manager

  18. Enable "Auto-generate" certificate. If you want to use your own certificate uncheck "Auto-generate".
    Re-use the same certificate generation key as provided for Workflow Manager:
    Enable Auto-generate certificate

  19. Keep the standard ports and enable firewall rules:
    Keep the standard ports and enable firewall rules

  20. Provide a group of users that will manage the Service Bus farm:
    Provide a group of users that will manage the Service Bus farm

  21. Review your settings and finish the configuration:
    Review your settings and finish the configuration

  22. After a couple of minutes, the installation process will finish:
    After a couple of minutes, the installation process will finish

Back to top

Install Workflow Manager Client

Workflow Manager client is automatically installed on the server where you installed Workflow Manager.

You still need to install the Workflow Manager Client to every server SharePoint runs on:

  1. Install and run Web Platform Installer on every SharePoint server.
  2. Search for "Workflow Manager Client" and install the newest version:
    Install the Workflow Manager Client on every server SharePoint runs on
  3. Please repeat the steps for all remaining SharePoint servers.

Back to top

Export Workflow Manager Certificate

The Workflow Manager certificate will be imported to SharePoint. Start with step 10 if you use your own certificate.

  1. Log on to the server where Workflow Manager has been installed with the account you used during installation, for example the SharePoint Farm Administrator account (e.g. spAdmin)

  2. Open Internet Information Services (IIS), select the "Workflow Management Site" and click "Bindings":
    Go to the bindings of your Workflow Manager site in IIS

  3. Edit the existing binding:
    Edit the existing binding

  4. View the SSL certificate:
    View the SSL certificate

  5. Click on the details tab and copy the certificate to a file:
    Click on the details tab and copy the certificate to a file

  6. The "Certificate Export Wizard" will guide you through the process.
    Don’t export the private key:
    Don’t export the private key

  7. Select the "DER encoded binary X.509 (.CER)" format:
    Select the right encoding

  8. Provide a file name and finish the export.

  9. Copy the file to a SharePoint server so it can be imported to SharePoint.

  10. Open "Central Administration > Security > Manage Trust":
    Open Central Administration > Security > Manage Trust

  11. Click "New" to create a new trust relationship:
    Create a new trust relationship

  12. Add a meaningful name:
    Add a meaningful name

  13. Select the certificate:
    Select the certificate

  14. Click "Ok" to finish the import.

  15. You can see the newly created trust relationship:
    You can see the newly created trust relationship

Back to top

Register Workflow Proxy in SharePoint

The Workflow Proxy has to be registered in SharePoint:

  1. Log on to a server where SharePoint has been installed using a SharePoint Farm Administrator account.

  2. Open Central Administration and go to: http://CENTRALADMINISTRATION/_admin/WorkflowServiceStatus.aspx
    Open Central Administration and verify the Workflow status

    The Workflow Proxy has not been registered yet.

  3. Open "SharePoint Management Shell" as an administrator and run the following command:

    Register-SPWorkflowService -SPSite "https://www.domserver.com" -WorkflowHostUri https://workflow.domserver.com:12290 -force
    Parameter SPSIte specifies a URL to an existing site collection.
    Parameter WorkflowHostUri specifies a URL to the workflow server.

    Register the PowerShell command to register the Workflow Proxy in SharePoint

    Important: You must use https for both URLs or http for both URLs. You can’t mix it.
    Note: For a non-SSL SharePoint site, the parameter "-AllowOAuthHttp" must be added.

  4. Refresh the workflow status page to verify if workflow is now connected to SharePoint:
    Refresh the workflow status page to verify if workflow is now connected to SharePoint

Please have a look at the next section if you get an error message during the registration process.


Back to top


Troubleshooting

I encountered the following issues during different installations of Workflow Manager.

Connection and SSL Certificate Issues

You want to register your Workflow proxy in SharePoint using "SharePoint Management Shell":

Error

Microsoft.Workflow.Client.InvalidRequestException: Failed to query the OAuth S2S metadata endpoint at URI 'https://SHAREPOINT-SERVERNAME/_layouts/15/metadata/json/1'.
Error details: 'An error occurred while sending the request.'.

HTTP headers received from the server - ActivityId: 43b6895a-6cec-44f7-a6b7-89efaaebd15e.
NodeId: WORKFLOW-SERVERNAME. Scope: /SharePoint. Client ActivityId : ce7cf99e-d231-1031-22d6-80126e9a7bda. --->

System.Net.WebException: The remote server returned an error: (400) Bad Request.

Reasons

One of the reasons can be connection issues:

Make sure you can connect towebsites

Another reason can be a certificate error if you open your SharePoint site:

Make sure there are no certificate issues


Solutions

Please make sure you can access "https://workflow.domserver.com:12290/" from your SharePoint server you run the management shell on:

Make sure you can access the Workflow Manager website from SharePoint

(Log in using an Workflow Manager Administrator account if required.)

Make sure you can access your Web Application you want to connect to Workflow Manager (e.g. https://www.domserver.com/) on the Workflow Manager server:

Make sure you can access the SharePoint site from Workflow Manager

Also make sure:

  • The certificate is issued for the URL you are using
  • Any self-signed certificate in a test environment should be added temporarily to the "Trusted Root Certification Authority" on the SharePoint server where you run the management shell and on the Workflow Server. Restart Internet Explorer and open the SharePoint site again.

Back to top

Permission Issues

You want to register your Workflow proxy in SharePoint using "SharePoint Management Shell":

Error

Microsoft.Workflow.Client.InvalidRequestException: Failed to query the OAuth S2S metadata endpoint at URI 'http://sp-2019-custom/_layouts/15/metadata/json/1'.

Error details: 'The metadata endpoint responded with an error. HTTP status code: Forbidden.'.

HTTP headers received from the server - ActivityId: 69be2f1d-dd90-4aaf-a6a3-442a4622432c.
NodeId: SP-2019-WORKFLO. Scope: /SharePoint. Client ActivityId : 037ff99e-82e9-1031-22d6-82a52cdc96c6. --->

System.Net.WebException: The remote server returned an error: (400) Bad Request.

Reason

The Workflow Manager service account doesn’t have permission to access the Web Application you want to connect to the Workflow Manager.


Solution

Open "Central Administration > Application Management", select your Web Application you want to connect to Workflow Manager and click on "User Policy":

Select your Web Application you want to connect to Workflow Manager and click on User Policy

Add the Workflow Manager service account and give it “Full Read” permission:

Add the Workflow Manager service account and give it Full Read permission


Back to top


Install SharePoint Server Subscription Edition - The Complete E-Book:

ffc6e7712777b42881365307e60598ea5085de78ad8ffaa499175599b4b57ef7