Workflow Manager Setup and Configuration Error

Hasan Köroğlu 46 Reputation points
2022-03-20T20:51:08.177+00:00

I've a problem with Workflow Manager Configuration and Setup.

My environment is as below:

  • Service Bus 1.1 with TLS 1.2 Support installed
  • Service Bus 1.1 with TLS 1.2 Support prerequisite Microsoft Azure Service Fabric installed
  • I've 2 AD accounts and an AD Security Group
  • WM.Setup AD User Account
  • WM.Service AD User Account
  • WM.Admins Security Group
  • WM.Setup is member of the Local Admin Group
  • WM.Service is RunAsAccount
  • WM.Admins is Admin Group
  • SP.Farm and SP.Setup accounts are member of the WM.Admins Security Group

The script that I use to configure and create Service Bus is as below:

New-SBFarm -SBFarmDBConnectionString "Data Source=spsql;Initial Catalog=$sbManagementDB;Integrated Security=True;Encrypt=False" -InternalPortRangeStart 9000 -TcpPort 9354 -MessageBrokerPort 9356 -RunAsAccount $wmServiceAccount -AdminGroup $adminGroup -GatewayDBConnectionString "Data Source=spsql;Initial Catalog=$sbGatewayDB;Integrated Security=True;Encrypt=False" -CertificateAutoGenerationKey $CertAutoGenerationKey -MessageContainerDBConnectionString "Data Source=spsql;Initial Catalog=$sbMessageContainer;Integrated Security=True;Encrypt=False" -Verbose;
Add-SBHost -SBFarmDBConnectionString "Data Source=spsql;Initial Catalog=$sbManagementDB;Integrated Security=True;Encrypt=False" -RunAsPassword $wmServiceAccountPass -EnableFirewallRules $true -CertificateAutoGenerationKey $CertAutoGenerationKey -Verbose;

My Problem:
When I use this script, the Service Bus Message Broker gets stuck on starting. If I add wm.service as a member of the local admin group and re-run the script, the service starts successfully.

Clues:
If the wm.service account is not a member of the local admin group, when the script that I used above is configuring Microsoft Service Fabric Host Service, its run-as account is wm.service and the service seems to be running. But the Service Bus Message Broker gets stuck on starting. I investigated further and found that when configuring Microsoft Service Fabric Host Service, the important XML file is not created as it should be. It creates the FabricHostSetting.xml file (under C:\ProgramData\Microsoft\SF) but the content of the file is incomplete. And in the event log, there are too many of something like invalid address issues. If I add the wm.service account to the local admin group, Microsoft Service Fabric Host Service creates the correct XML file as it should. And the Service Bus Message Broker starts successfully.

Final:
Does the wm.service account have to be a member of the Local Admin Group? If not, what do I have to do?

Thanks.
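
A diagnostic for the state described in the question, added here as an example and not part of the original post: it records the two services' state and logon account, whether the run-as account is a direct local administrator, and whether FabricHostSetting.xml exists and parses. The account name `CONTOSO\wm.service` is a placeholder, the file path is the one reported in the question, and well-formedness is only a first check since a file can parse and still be incomplete.

```powershell
# Added diagnostic, not from the original thread. Run elevated on the Service Bus host.
param(
    # Run-as account to check; placeholder value, replace with your own DOMAIN\account.
    [string]$RunAsAccount = 'CONTOSO\wm.service',
    # Location as reported in the question; adjust if yours differs.
    [string]$FabricSettings = (Join-Path $env:ProgramData 'Microsoft\SF\FabricHostSetting.xml')
)

# 1. State and logon identity of the two services named in the question.
$names = 'Microsoft Service Fabric Host Service', 'Service Bus Message Broker'
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $names -contains $_.DisplayName } |
    Select-Object DisplayName, State, StartName

# 2. Is the run-as account a direct member of BUILTIN\Administrators (SID S-1-5-32-544)?
#    Membership inherited through a nested domain group is not expanded here.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
$isLocalAdmin = [bool]($admins | Where-Object { $_.Name -eq $RunAsAccount })

# 3. Does the settings file exist, and is it at least well-formed XML?
$file = [ordered]@{
    Path = $FabricSettings; Exists = $false; Bytes = 0; WellFormed = $false; LastWrite = $null
}
if (Test-Path -LiteralPath $FabricSettings) {
    $item = Get-Item -LiteralPath $FabricSettings
    $file.Exists    = $true
    $file.Bytes     = $item.Length
    $file.LastWrite = $item.LastWriteTime
    try {
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load($item.FullName)      # throws if the file is truncated or malformed
        $file.WellFormed = $true
    } catch {
        Write-Warning "Settings file is not well-formed XML: $($_.Exception.Message)"
    }
}

# Report: compare this output between a run with and without local admin membership.
$services | Format-Table -AutoSize
[pscustomobject]@{ RunAsAccount = $RunAsAccount; DirectLocalAdmin = $isLocalAdmin } | Format-List
[pscustomobject]$file | Format-List
```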


3 answers

  1. Hasan Köroğlu 46 Reputation points
    2022-03-21T10:04:52.79+00:00

    Hi @Yi Lu_MSFT

    In the article that you referred to, there is no explanation about "Workflow Manager Service Account has to be member of the Local Admin Group".

    For the best practice:

    1. Workflow Manager Setup Account has to be a member of the Local Admin Group. This account is used when running the wizard or running the New-SBFarm or Add-SBHost cmdlet.
    2. Workflow Manager Service Account has to be a Domain Account. It does not have to be a member of the Local Admin Group. For reference: http://www.harbar.net/articles/wfm1.aspx

    The RunAs User is the service account identity of the Workflow Manager services. For a three server farm again this must be a domain account. The necessary permissions for this account are applied when the Workflow Manager farm is created. Other than creating the service account and specifying it during the farm creation, nothing else is needed. If your organisation implements password policy for service accounts, there is a specific procedure using Windows PowerShell to update credentials within the farm.

    The only official doc is this https://video2.skills-academy.com/en-us/sharepoint/dev/general-development/set-up-and-configure-sharepoint-workflow-manager but this document is not so clear.

    One of the proper pieces of documentation on the internet is https://spgeeks.devoworx.com/configure-workflow-manager-sharepoint-2016/ The author of the article is a SharePoint MVP.

    And in this article there is no explanation about adding the Service Account to the local admin group.

    1 person found this answer helpful.

  2. Yi Lu_MSFT 17,481 Reputation points
    2022-03-21T08:24:48.557+00:00

    Hi @Hasan Köroğlu
    Yes, the wm.service account has to be a member of the Local Admin Group.

    These are the high-level steps for installing Service Bus / Workflow Manager:

    1. Create Service Account (Recommended)
    2. Create Admin Group (Optional)
    3. Download / Install binaries from media using Web Platform Installer
    4. Run Workflow Manager Configuration Wizard with local admin rights to server.

    You could refer to this article to learn more about Setup Microsoft ServiceBus / Workflow Manager:
    https://docs.zervicepoint.com/infrastructure/installer-workflowmanager/

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.


  3. Mohamed El-Qassas 1,396 Reputation points MVP
    2022-04-03T21:34:22.013+00:00

    As per my humble experience in installing and configuring Workflow Manager on many SharePoint environments, you don't need to add the Workflow Manager Service account to the Local Administrator Group! The only accounts that should be added to the Local Administrator Group are

    1. SharePoint Administrator Account (During installation and installing new patch)
    2. SharePoint Farm account only when starting the User Profile Sync Service.

    Read more at SharePoint Service Account Best Practices 2019/2016

    Besides that, I would suggest creating two service accounts for the Workflow Manager

    1. ‘wfsetup’ to setup the workflow manager.
    2. ‘wfsrv’ to run the workflow manager services.

    Read more at Workflow Manager Services Accounts and Admin Groups

    Regarding the Service Bus Broker service stuck on starting, please check all common reasons that lead to this issue at Service Bus Message Broker Stuck on Starting

    Finally, I would suggest following up on the below articles step by step to get your workflow manager working as expected

    1. Install and Configure Workflow Manager SharePoint 2016 / 2019 Step by Step
    2. Workflow Manager Health Checklist for SharePoint 2019
