Configuring Workflow Manager in SharePoint 2016

Workflow Manager is the engine for running list-based workflows in SharePoint. This guide covers configuration, registration, and troubleshooting for Workflow Manager 1.0 in SharePoint 2016.

Step-by-Step Setup

Recommended:

• SharePoint 2016 - Step by Step Installation of Workflow Manager (TechNet)

Common Problems & Solutions

Error: Register Workflow Proxy for SharePoint Servers

If you see an error at this step, use this fix:

• Workflow Manager Exception - SPWorkflowService failed to query the OAuth S2S metadata (Ahmed Madany blog)

cls
Add-PSSnapin microsoft.sharepoint.powershell
$config = (Get-SPSecurityTokenServiceConfig)
$config.AllowOAuthOverHttp = $true
$config.AllowMetaDataOverHttp = $true
# $config.Update()

Service Bus Stuck in “Starting” State

If Service Bus won't start, see:

• Running Service Bus Server on a legacy domain without a fully qualified domain name (MSDN)

Certificate Request Example

Use this config to request a certificate:

[Version]
Signature = "$Windows NT$"

[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

[NewRequest]
Subject = "CN=ksup-web"
KeySpec = AT_KEYEXCHANGE
KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_ENCIPHERMENT_KEY_USAGE"
MachineKeySet = true
RequestType = cert
Exportable = true
KeyLength=2048
ValidityPeriodUnits = 5
ValidityPeriod = Years
HashAlgorithm = sha256

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}"
_continue_ = "DNS=<HOST>&"
_continue_ = "DNS=<HOST>&"

%szOID_ENHANCED_KEY_USAGE% = "{text}"
_continue_ = %szOID_PKIX_KP_SERVER_AUTH%

Service Bus host reconfiguration:

cls
Remove-SBHost
# Get-SBFarm -SBFarmDBConnectionString "Data Source=<HOST>;Initial Catalog=ServiceBus_Management_DB;Integrated Security=True;Encrypt=False"
# Set-SBCertificate -EncryptionCertificateThumbprint <THUMBPRINT> -FarmCertificateThumbprint <THUMBPRINT> -SBFarmDBConnectionString "Data Source=<HOST>;Initial Catalog=ServiceBus_Management_DB;Integrated Security=True;Encrypt=False"
Add-SBHost

Certificate Expired

Error:

The provided signing certificate is invalid according to its expiration claims.

Solution:

• Renew self-signed certificate for Service Bus and Workflow Manager (it-kb.ru)

Multiple Domains (e.g. mydomain and mydomain.local)

If you have several domains and get an error during the last step (adding host to Workflow Manager Farm):

Workflow Manager configuration starting. Configuring Workflow Manager runtime settings. The token provider was unable to provide a security token while accessing 'https://*:9355/WorkflowDefaultNamespace/$STS/Windows/'. Token provider returned message: 'The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.'

You need to request an SSL certificate that includes all domain names.

• Guide: Requesting an SSL Certificate for Multiple Domains

Example:

continue = "dns=www.maindomain.com&"
continue = "dns=www.domain2.com&"
continue = "dns=maindomain.com&"
continue = "dns=domain2.com&"

After that:

1. Launch Workflow Configuration Manager.
2. On the first step, select Auto Generate Certificate.
3. On the second step (Service Bus configuration), uncheck Manual Configuration, and attach the newly created multi-domain certificate.
4. Make sure the certificate is installed in the Trusted Root Certification Authorities store.

With these steps completed, Workflow Manager should be correctly configured and fully operational—even in complex domain environments.