SharePoint 2016 workflow permission problem

May 9 2021 7:25 PM

I have a SP2016 site collection. The Farm is composed as follows:

  • Domain server: DomainSPxxx
  • Frontend server: FrontendSP
  • Database server: DatabaseSP

The site collection has two extensions:

  1. default (http) - with Windows Auth access to the DomainSPxxx.com domain

  2. internet with mixed access (https) - with Windows Auth access to the DomainSPxxx.com domain and Form Based access with LDAP provider always associated with the DomainSPxxx.com domain

When a domain account authenticates with Windows Auth the username displayed is: [email protected]; when it is connected with LDAP it will be like '0#.f|ldapmember:userx|[email protected]'

On the extension default only the administrative accounts are used. This extension is used exclusively for service / maintenance activities. For example, the document search crawl is performed on it.

Problem. I have developed a workflow that performs operations on SP lists. Given that:

  • the Workflow Manager is configured correctly
  • the user profile is configured correctly
  • the two services are active
  • the Workflow app for the site is active and correctly configured through the appinv.aspx page
  • StsApplication Pool Load profile is true
  • the Workflow can use app feature is active

Explanation of the problem. In practice, when the workflow is launched from the https internet extension, for each operation performed (for example reading records) it is as if the system requires the presence of the domain user for the document library.

Example: user '0#.f|ldapmember:userx|[email protected]' is a collaborator on list 'TestList'. If the workflow performs a read operation on document library 'TestList' with user '0#.f|ldapmember:userx|[email protected]', this fails indicating resource access problems. I checked the SP log. Below is an excerpt:

Exception occured in scope Microsoft.SharePoint.SPListItemEntityCollection.GetById. Exception = System.ArgumentException: Element does not exist. It may have been deleted by another user.*
 
Actually the element exists. I tried to launch the query from the URL with the SharePoint API with user '0#.f|ldapmember:userx|[email protected]' connected, and the data is returned.
 
It is as if the calls made from the workflow claim access only through domain accounts authenticated with Windows auth. In the case of the above example it is not enough to give the right permissions on the collection for the account '0#.f|ldapmember:userx|[email protected]', but to make the calls work you must give the same permissions for the account [email protected]. Below is an extract from the log with some records that make me suspicious:
 
This is what I noticed:
 
Medium Name=Request (GET:https://testsite.domainspxxx.com/_api/web/lists(guid'xxxxxxxxx')/Items(8))
High Reached maximum number of failed machines based on ping results for this routing group
Unexpected User-Agent is empty
High Did not find token claim in token. ClaimType: 'scope'.
High Did not find token claim in token. ClaimType: 'scp'.
High Did not find token claim in token. ClaimType: 'clientappid'.
High Did not find token claim in token. ClaimType: 'appid'.
High Did not find token claim in token. ClaimType: 'roles'.
High Token is for a windows account.
Medium Couldn't find a user using property 'WorkEmail' of value '[email protected]'
High GetUserProfile_RetrieveUser_Cache ExpectedFailure: Office.Server.UserProfiles. UserNotFoundException: An error was encountered while retrieving the user profile. at Microsoft.Office.Server.UserProfiles.UserProfileCache.GetUserData (UserProfileManager objManager, Nullable`1 recordId, Guid gAcct, String strAcct, Byte[] bSid, String strEmail, Boolean doNotResolveToMasterAccount) at Microsoft.Office.Server.UserProfiles.UserProfile.RetrieveUser(String strAcct, Guid gAcct, Byte[] bSid, Nullable`1 recordId, Boolean doNotResolveToMasterAccount, Boolean loadFullProfile, Boolean loadColleagueRecordIds, String strEmail)
Medium Leaving Monitored Scope: (UserProfile.RetrieveUserFromCache) Execution Time=8.87822334961566; CPU Milliseconds=3; SQL Query Count=1; Parent=Executing the user mapping operation in GetMappedIdentityClaim()
Medium Couldn't find a user using property 'SID' of value 'System.Byte[]'
Unexpected SPSecurityTokenServiceManager!EnsureSharePointLogonRequestClaims: InputIdentity doesn't conatin a PrimarySid claim.
 
Thanks
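The two login formats quoted in the post are SharePoint claims-encoded identities, and the issuer-type character after the dot ('w' for Windows, 'f' for forms) is what makes them two distinct principals that must each be granted permissions. As an added example, not the poster's code, here is a small Python decoder for that encoding; the sample logins are constructed with placeholder names, and the prefix-less `0#.f|...` form follows the string quoted above.

```python
import re
from dataclasses import dataclass

# Single-character codes from SharePoint's claims encoding. Only the codes
# this example needs are listed; the scheme defines more.
CLAIM_TYPES = {"#": "user logon name", "e": "email address", "5": "UPN", "-": "role"}
ISSUER_TYPES = {"w": "Windows", "f": "forms (membership provider)", "t": "trusted provider",
                "m": "membership", "r": "role provider", "s": "local STS"}


@dataclass
class ClaimsLogin:
    claim_kind: str       # "i" identity claim, "c" other claim, "" when the prefix was stripped
    claim_type: str       # e.g. "#" = user logon name
    issuer_type: str      # e.g. "w" = Windows, "f" = forms
    original_issuer: str  # provider name; empty for Windows logins, which carry no issuer segment
    value: str            # the claim value (DOMAIN\user, provider user name, email, ...)

    def describe(self) -> str:
        return (f"{CLAIM_TYPES.get(self.claim_type, 'unknown claim')} issued by "
                f"{ISSUER_TYPES.get(self.issuer_type, 'unknown issuer')} "
                f"{self.original_issuer or '(none)'}: {self.value}")


def parse_claims_login(login: str) -> ClaimsLogin:
    """Decode 'i:0#.w|DOMAIN\\user' or 'i:0#.f|provider|user' (the '.' is the string value type)."""
    head, sep, rest = login.partition("|")
    m = re.fullmatch(r"(?:([ic]):)?0(.)\.(.)", head)
    if not sep or m is None:
        raise ValueError(f"not a claims-encoded login: {login!r}")
    kind, claim_type, issuer_type = m.group(1) or "", m.group(2), m.group(3)
    if issuer_type == "w":
        issuer, value = "", rest           # Windows logins have no original-issuer segment
    else:
        issuer, _, value = rest.partition("|")
    return ClaimsLogin(kind, claim_type, issuer_type, issuer, value)


def same_principal(a: str, b: str) -> bool:
    """Two encoded logins are the same SharePoint principal only if every field matches,
    so a Windows login and a forms login for the same person are different principals."""
    return parse_claims_login(a) == parse_claims_login(b)


# Constructed sample logins modelled on the two forms in the post (real names are not on the page).
WINDOWS_LOGIN = r"i:0#.w|DOMAINSPXXX\userx"
FORMS_LOGIN = "i:0#.f|ldapmember|userx"

if __name__ == "__main__":
    for login in (WINDOWS_LOGIN, FORMS_LOGIN):
        print(login, "->", parse_claims_login(login).describe())
    print("same principal:", same_principal(WINDOWS_LOGIN, FORMS_LOGIN))
```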