none
SharePoint Designer 2013 workflow goes to suspended status after start RRS feed

  • Question

  • Hi all,

    This is my first question on this forum, please help... :) My clients have been facing this issue for a while now.

    The below steps can be followed, to replicate the issue:-

    1. We create a SharePoint Designer workflow based on SharePoint 2013 workflow platform, say for list A. The workflow can be setup to start when a new item is created. The actions can be as simple as just sending a mail to some users.
    2. Now, an user who has contribute/edit/full control rights to the list A through a domain group only adds a list item, which triggers the workflow.
    3. The workflow goes to suspended status immediately, with an error similar to below:-

    Details: An unhandled exception occurred during the execution of the workflow instance. Exception details: System.ApplicationException: HTTP 401 {"error":{"code":"-2147024891, System.UnauthorizedAccessException","message":{"lang":"en-US","value":"Access denied. You do not have permission to perform this action or access this resource."}}} {"Transfer-Encoding":["chunked"],"X-SharePointHealthScore":["7"]........

    Now, when we provision access to the same users directly to that list, the issue does not happen at all. The workflow completes successfully.

    For a workflow based on the 2010 platform, the issue does not happen either. The only way to replicate the issue is to provision access to a domain group, and triggering a workflow created on the 2013 workflow platform.

    Any ideas?

    Friday, August 18, 2017 12:27 PM

Answers

  • I have resolved the issue by first allowing the workflow to use app permissions, then wrapping all workflow confitions/actions inside an app step. We followed the steps mentioned in the article https://dev.office.com/sharepoint/docs/general-development/create-a-workflow-with-elevated-permissions-by-using-the-sharepoint-workflo.

    However, I am still not fully convinced why user permissions are not recognized normally for SharePoint 2013 workflows, when they are provisioned access through a domain group?

    I have confirmed that user profile sync has been set up with sync for both users and groups, and the group through which users have been provisioned access is part of the profile sync.

    • Marked as answer by SaintMarino Wednesday, August 23, 2017 10:59 AM
    Tuesday, August 22, 2017 11:27 AM

All replies

  • If this is for an on-premises installation then make sure that you have configured the user profile service and user profile Sync or import.  Make sure a sync has been run for both Users and Groups.  That sync of AD groups is how the workflow knows about the existence of AD groups and is required if you want to do workflows that have permissions in AD groups.

    Paul Stork SharePoint Server MVP
    Owner/Principal Architect: Don't Pa..Panic Consulting
    Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork
    Please remember to mark your question as 'answered' if this solves your problem.

    Friday, August 18, 2017 12:46 PM
  • If you go to the list settings and then "Permissions for this list" then Check Permissions button, what permissions are returned for both the user and the AD group?

    Stunpals - Disclaimer: This posting is provided "AS IS" with no warranties.

    Monday, August 21, 2017 3:21 PM
  • Hi Paul,

    Thank you for the reply.

    Ours is an on-premises farm, and I confirm that we have configured user profile service application and user profile sync. We are using SharePoint profile synchronization. We are also syncing both users and groups.

    The issue does not happen for workflows based on SharePoint 2010 workflow platform, is there any additional configuration needed for worflows based on SharePoint 2013 platform?

    Tuesday, August 22, 2017 8:44 AM
  • Hi,

    For both user and AD group, it shows the permission they have on the list: contribute.

    Tuesday, August 22, 2017 8:45 AM
  • Hi,

    can you test your workflow with new SharePoint group, while creating the group please make sure you have Who can view the membership of the group? under Group setting. 

    https://support.microsoft.com/en-gb/help/2839070/http-unauthorized-to-vti-bin-client-svc-sp-utilities-utility-sendemail


    SharePoint School | Blog- http://www.sharepoint-journey.com

    Tuesday, August 22, 2017 8:54 AM
  • I have resolved the issue by first allowing the workflow to use app permissions, then wrapping all workflow confitions/actions inside an app step. We followed the steps mentioned in the article https://dev.office.com/sharepoint/docs/general-development/create-a-workflow-with-elevated-permissions-by-using-the-sharepoint-workflo.

    However, I am still not fully convinced why user permissions are not recognized normally for SharePoint 2013 workflows, when they are provisioned access through a domain group?

    I have confirmed that user profile sync has been set up with sync for both users and groups, and the group through which users have been provisioned access is part of the profile sync.

    • Marked as answer by SaintMarino Wednesday, August 23, 2017 10:59 AM
    Tuesday, August 22, 2017 11:27 AM
  • Hi SaintMarino,

    Thank you for your sharing! It will be beneficial to others in this forum who meet the same issue in the future.

    Best Regards,

    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, September 8, 2017 1:52 AM
    Moderator