After installing and configuring Workflow Manager and Service Bus, I'm getting 403.

  • Question

  • I've spent the day installing SharePoint 2013 on a Windows Server 2012 environment. This server is not the domain controller. Following instructions on how to install and configure Workflow Manager and service bus, it appears although I'm following the instructions (and I get no errors), something is not working.

    If I try to go to the website that it creates in IIS http://localhost:12291 I get a 403 error. Also if I perform the PowerShell query to get the port number "Get-WFFarm | ft WFMgmtHttpPort" I don't get any value returned to me.

    Until I validate that the Workflow Manager is installed and working, I will not attempt to pair it to the SharePoint 2013 farm. Which hopefully makes this a Workflow Manager question not a SharePoint issue.

    Can anyone offer any suggestions please? Should I even get a valid webpage if I hit localhost:12291? According to one walkthrough I've looked at I should get an XML display of workflow and security configurations.

    Monday, November 12, 2012 4:31 PM

All replies

  • I have discovered that if I open Internet Explorer as administrator, when I go to the website http://localhost:12291 I no longer get a 403 error. I actually get the XML I was expecting.

    <?xml version="1.0"?>
    <ScopeInfo xmlns="" xmlns:i="">
    <Description>Root Scope</Description>
    <ScopedSecurityConfiguration i:type="WindowsSecurityConfiguration">

    • Proposed as answer by dhawalm Thursday, April 28, 2016 3:37 PM
    Tuesday, November 13, 2012 3:38 PM
  • I am experiencing the exact same issue, on my current build.

    I had also connected it to SharePoint, but SharePoint Designer is not showing the 2013 option

    I noticed in Get-WFFarm I only had one endpoint (SSL), which is working in a remote IE but that's it.

    InfoPath MVP | SharePoint 2010 MCITP & MCPD | Office 365 MCITP | CUBE4 SharePoint Blog |

    • Edited by Chris Grist Wednesday, November 21, 2012 5:07 AM
    Wednesday, November 21, 2012 4:40 AM
  • I'm getting the exact issue. Could any of the Microsoft guys have a look at this please?
    Sunday, December 2, 2012 9:05 PM
  • If website is working (as stated by MrCann0nF0dder), you have to register new web application as stated here:

    For HTTP use this (for HTTPS without "-AllowOAuthHTTP"):

    Register-SPWorkflowService -SPSite "http://myserver/mysitecollection" -WorkflowHostUri "" -AllowOAuthHttp

    and finally you have to check if the farm is connected to this web app.

    Central Admin > Application management > Manage web applications > "your web app" > Service connections (from ribbon) - there should be Workflow Service Application Proxy checked.

    Tuesday, December 4, 2012 3:17 PM
  • MrCann0nF0dder that's right - it should work with an elevated IE

    Chris, did you register Workflow Manager as Zimo stated and still are having issues with SPD?

    Aku, If your scenario is different than the above two, can you share more details?

    Tuesday, December 4, 2012 6:46 PM
  • My scenario is the same as MrCann0nF0dder's.

    I tried with elevated IE, can get the xml returned with this xml. Reading its content I think it's working. (Root Scope, Active)

    However, publishing a workflow child scope with a local app always times out.

    I'm still investigating. Hope it's not because I installed it on Win 7.

    • Edited by AKUA28 Wednesday, December 5, 2012 5:18 AM
    Wednesday, December 5, 2012 5:00 AM
  • Aku, does it mean, that you can create 2013 workflows in SP designer?
    Wednesday, December 5, 2012 10:41 AM
  • Hi Zimo, I'm not using share point at all. I'm using VS 2012.
    Thursday, December 6, 2012 8:34 PM
  • I experienced the same two issues mentioned in this thread today.

    Regarding the proper XML not appearing at <workflowhost>:12291 I was experiencing the same with an error message in Chrome saying the caller lacked read permissions, and 403 in IE. I had checked IIS, database permissions and connections and more. All of the setup messages and status checks were a-okay. I voted Zimo's comment as helpful because it cued me in to examine the service in Central Administration - where I found there was no administrator assigned to the workflow service. As soon as that was done, the workflow host site was browsable.

    The resolution to SharePoint Designer not offering 2013 workflows as an option was in my case that there was an additional WFE on which I had not installed the Workflow Manager Client. This is noted with a bright yellow box in the section about configuring workflow with HTTP here:

    If puzzles are good for your BRAIN then SharePoint will keep it really healthy!

    Ramona Maxwell MCPD SharePoint 2010, MCITP SQL Server 2008

    Wednesday, January 16, 2013 9:55 PM
  • Ok to all above. I think we all have a MISUNDERSTANDING here.

    The management site isn't a SITE. It's a REST API server for your WF client to subscribe / publish workflows.

    So accessing the management site using your browser has NO MEANING.

    Please use a client to talk to the management "site".

    I had my client running fine while still having Chrome give me the 403 error.

    When we see the name "Management Site" we immediately think it's a site with a GUI that we can access from our browser. It is very misleading in this case. lol

    Hope I'm right for all the above people.

    • Edited by AKUA28 Wednesday, January 16, 2013 10:56 PM
    • Proposed as answer by AKUA28 Wednesday, January 16, 2013 10:57 PM
    Wednesday, January 16, 2013 10:51 PM
  • Granted, calling it a 'site' is probably a misnomer but accessing it via the browser is meaningful as a diagnostic when you're trying to verify that everything is set up correctly, particularly if the client is not accessing it as yours was.

    If puzzles are good for your BRAIN then SharePoint will keep it really healthy!

    Ramona Maxwell MCPD SharePoint 2010, MCITP SQL Server 2008

    Wednesday, January 16, 2013 11:03 PM
  • Yes - it is indeed the management endpoint that needs to be accessed using the Workflow Management Client.


    Rajesh S

    Friday, January 25, 2013 7:30 PM
  • I am unable to run this cmdlet - Register-SPWorkflowService.

    Register-SPWorkflowService -SPSite "http://myserver/mysitecollection" -WorkflowHostUri "" -AllowOAuthHttp

    Error : Register-SPWorkflowService : Failed to query the OAuth S2S metadata endpoint at URI '_layouts/15/metadata/json/1'. Error details: 'The metadata endpoint responded with an error. HTTP status code: Forbidden.'

    Regarding Workflow Service Status : workflow is not connected

    SharePoint 2013 workflow requires a compatible workflow service configured with SharePoint such as Workflow Manager. The workflow service is either not installed or not configured

    Please let me know, if you have resolved the same or any idea how to resolve it??

    Friday, February 1, 2013 12:24 PM
  • Just a short question - did you run SharePoint Management Shell as administrator?


    Monday, February 4, 2013 12:41 PM
  • Hi all!

    There was the same problem. Everything is configured, but in SharePoint Designer Workflow 2013 isn't available. For a solution we carry out the following steps:
    1. Install Workflow Manager
    2. Configure WF by default (db server, login, password)
    3. Start Internet Explorer as administrator and open localhost:12291, you must see the XML file
    4. And only after step 3, run the cmdlet Register-SPWorkflowService

    It is important to open IE before running the cmdlet Register-SPWorkflowService, else you must uninstall & install Workflow Manager. I tried this 5 times ))))

    Thursday, March 28, 2013 6:29 AM
  • Depending on the installation of your server, NTLM loopbacks are usually disabled.
    Your problem might be related to NTLM or KERBEROS.
    To be sure that this is not a problem you can disable the loopback check:

    However you can try first to use machine name and/or fully qualified name in URL.
    That means:
    if http://localhost:12291 does not work, http://yourmachine:12291 or http://yourmachine.yourdomain.lan:12291 might work.

    Your problem is related to infrastructure and not to Workflow Manager.

    The answers described above are under the assumption that your user (who is running the browser) is permitted to talk to Workflow Manager at all. Usually setup will permit Local Admins.

    Damir Dobric

    Saturday, March 30, 2013 10:28 AM
  • Were you ever able to solve this?

    I have the CU1 installed and am experiencing the exact same issue. I can publish 2013 Workflows using SharePoint Designer, however when trying to associate a workflow (reusable list WF) to a list I get an error.

    Unable to properly communicate with the workflow service.

    [SPException: Unable to properly communicate with the workflow service.]
       Microsoft.SharePoint.WorkflowServices.ApplicationPages.AssocWrkflPage.OnLoad(EventArgs ea) +4199
       System.Web.UI.Control.LoadRecursive() +95
       System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2936

    Cannot find anything in the event log, in the workflow debug log, nor in the ULS logs.

    When accessing localhost:12291 with IE I get a 403, when accessing it with IE as an administrator the XML is returned.

    I actually set up the WF farm again (deleted all databases in SQL, recreated the farm) and re-registered with SharePoint with -force. To no avail, same error message.

    Saturday, June 29, 2013 8:37 PM
  • As already mentioned above, this issue is not related directly to SPS and also not to Workflow Manager.
    If you cannot reach the URL (http://hyz:12291/..) SPS will also not be able to reach the same URL.

    Note that if you use Kerberos and can reach it by for example http://host1:... it does not mean that you will reach it by http://host2/... even if these two hosts point to the same destination. Additionally, if you can reach the service from another machine but not from the local one it is also a KERBEROS/NTLM issue.

    However if you CAN reach the URL as an admin, it is because the default security configuration of Workflow Manager puts local admins in the group of users who can communicate with the Workflow Manager Front End Service. You can change this with PowerShell.

    Damir Dobric

    Saturday, June 29, 2013 10:42 PM
  • Damir, very interesting!

    I know I can change the admin group of the workflow manager front end - I'm talking about my DEV system here though. The account I'm accessing the workflow with, starting the workflow instance with is always the same account.

    WF Manager & Azure Service bus all run under the "sp_developer" account. "sp_developer" is domain admin with the domain controller running on the single server machine. There are basically no other accounts involved (besides maybe the sp_webapp running the sharepoint application pool). Kerberos isn't configured either. Oh and lastly: sp_developer is not the "SYSTEM" account - SharePoint was installed with sp_install. It is a farm admin.

    The weird thing is that a couple of weeks ago it used to work, what changes I made to the system I don't know - but I want to figure out what is going on to understand the problem. Why is the access token used by the workflow service not granted access anymore (keep in mind that the WF is running under "sp_developer" who is farm admin). I get the error "Invalid JWT token. Could not resolve issuer token" when associating a list workflow via SharePoint Designer (I can't manually associate).

    Something is off here, and I'm trying to figure out how to debug it / monitor it / fix it.

    • Edited by Dennis Gaida Sunday, June 30, 2013 11:06 AM more info
    Sunday, June 30, 2013 11:05 AM
  • Invalid JWT token indicates that Workflow Manager is not in play. When you write "WF is running", what do you mean? WF is in fact always running under account of the Workflow Manager Service.

    The Front End of WfMgr authenticates by Windows Authentication and not by OAuth. Internally, OAuth is used, but this is not transparent (visible) to developers and also not to SharePoint.

    I assume that your JWT issue has possibly nothing to do with the 403 in your very first question?

    Damir Dobric

    Monday, July 1, 2013 10:03 PM
  • It might - I don't know as I can't find anything in the logs. I thought it was related.

    The "Workflow Manager Backend Service" is running as "sp_developer". With that I mean "WF is running" as in all services are configured / the workflow farm is configured and it is registered with SharePoint. I can also see that the WF was assigned an app principal.

    Monday, July 1, 2013 10:16 PM

  • I had the same error but it is not a problem for SharePoint.

    I removed Workflow Manager and reinstalled it by this instruction:

    Now, I have fine SharePoint 2013 and Workflow Manager on the same server. And I still get a 403 error from http://localhost:12291 if I don't use "Run as administrator"

    • Edited by Lion-Smith Wednesday, August 28, 2013 7:10 PM
    Wednesday, August 28, 2013 1:45 PM
  • Hi

    I just installed workflow manager on the same svr as SP2013 and have the same scenario as Lion-Smith. Is there a fix.. all the above posting did not seem to make that clear.  Thanks

    Sunday, September 22, 2013 12:04 AM
  • Absolute answer for me.

    I spent my whole day trying to find the problem. Nobody has mentioned this.

    I am grateful to Zimo

    Wednesday, September 25, 2013 12:45 PM
  • I think I have the solution. I just installed Workflow Manager in my lab and had the same situation.

    I think what it comes down to is the group(s) used as the admin group for the Workflow/Service Bus farm and/or namespace. In my case, I created a domain group, added myself to it, and used it as the admin group. But my AD credential didn't have the updated ticket since I hadn't logged out/in since creating the group. So I did a reboot (wasn't thinking and should have just done a log out/in instead) to refresh my ticket. Now I'm able to access the site fine. 

    So, if other people get this issue, try logging out and back in. Hope this helps!

    Brian Laws

    Summit 7 Systems

    Wednesday, February 12, 2014 6:48 PM
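
The three things this thread keeps circling (elevated versus normal token, whether the admin group is really in the caller's token, and what the endpoint answers) can be checked in one pass. This is an added example, not part of any post and not Microsoft's tooling; it assumes PowerShell 3.0 or later on the Workflow Manager host, and `$AdminGroup` is a placeholder for whatever group your farm uses.

```powershell
# Added diagnostic sketch, not from the thread. Run it once from a normal console and
# once from an elevated one on the Workflow Manager host, then compare the output.
$ManagementUri = 'http://localhost:12291/'    # management port quoted in the thread
$AdminGroup    = 'BUILTIN\Administrators'     # assumption: replace with your farm's admin group

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# 1. Elevation: under UAC a non-elevated token holds Administrators as deny-only,
#    so IsInRole returns $false even for a member of the local Administrators group.
$elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Group membership as seen by *this* token, not by the directory. A group granted
#    after logon is missing here until the user logs off and on again.
$ntAccount = New-Object Security.Principal.NTAccount($AdminGroup)
$groupSid  = $ntAccount.Translate([Security.Principal.SecurityIdentifier]).Value
$tokenSids = @($identity.Groups | ForEach-Object { $_.Value })
$inToken   = $tokenSids -contains $groupSid

# 3. Ask the management endpoint with the same Windows credentials a browser would send.
try {
    $resp   = Invoke-WebRequest -Uri $ManagementUri -UseDefaultCredentials -UseBasicParsing
    $status = [int]$resp.StatusCode
} catch {
    $r      = $_.Exception.Response
    $status = if ($r) { [int]$r.StatusCode } else { -1 }   # -1: no HTTP response at all
}

# 4. Turn the combination into a next step.
if ($status -eq 200) {
    $hint = 'Endpoint answered: this token is authorized.'
} elseif ($status -eq 403 -and -not $inToken) {
    $hint = 'Admin group missing from this token: elevate, or log off and on after a membership change.'
} elseif ($status -eq 403) {
    $hint = 'Group is in the token but access is denied: confirm which admin group the farm uses.'
} elseif ($status -eq 401) {
    $hint = 'Authentication failed before authorization: try the machine name or FQDN instead of localhost.'
} else {
    $hint = 'No usable HTTP answer: check that the service is running and the port is right.'
}

[pscustomobject]@{
    User = $identity.Name; Elevated = $elevated; AdminGroup = $AdminGroup
    InToken = $inToken; HttpStatus = $status; Hint = $hint
}
```

A 403 with `InToken` false in the normal console and a 200 in the elevated one reproduces what the posters saw with Internet Explorer.
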
  • Neeraj, 

    I have seen this error when the account used for Workflow manager is not farm admin.



    • Edited by SPTQs Wednesday, February 19, 2014 10:14 AM updated hyperlink
    Wednesday, February 19, 2014 10:09 AM
  • Nate,

    It worked for me. Added the admin account used to install SharePoint to the farm admin account.



    Monday, March 17, 2014 8:08 PM
  • Hi,

    I understand that it is a REST API Server. My query is, I am able to host my workflows (.xamlx) into the Workflow Manager REST endpoint. Can I now query the WF MGR REST endpoint from any REST client? When I did that I am not getting the required JSON response. Please help.

    Tuesday, July 1, 2014 12:50 PM
  • I have the below error in my environment when I click on any workflow.

    Then I looked into ULS and found something interesting.

    Application error when access /_layouts/15/Workflow.aspx, Error=The remote server returned an error: (403) Forbidden.  
     at Microsoft.Workflow.Common.AsyncResult.End[TAsyncResult](IAsyncResult result)    
     at Microsoft.Workflow.Client.HttpGetResponseAsyncResult`1.End(IAsyncResult result)    
     at Microsoft.Workflow.Client.ClientHelpers.SendRequest[T](HttpWebRequest request, T content)

    Then I registered the workflow and tried; it worked like a charm.

    Register-SPWorkflowService -SPSite "https://Sitecollection1/" -WorkflowHostUri "https://workflow:12290" -Force


    Monday, August 18, 2014 11:59 AM