Least Privilege Configuration for Workflow Manager with SharePoint 2013

I went about setting up Workflow Manager with SharePoint 2013 and found plenty of articles and content that said "install this", "run this", but none of them really addressed the issue of a least-privileged setup. So I figured it might benefit someone else to document this (and, for what it's worth, I have spoken with the documentation team and the official TechNet documentation is currently being updated).

My configuration consists of the following servers:

  • Domain Controller - Contoso.com
  • SQL Server
  • SP2013-1
  • SP2013-2

For service accounts, I'm using the following:

  • CONTOSO\svcSetupAcct - SharePoint setup account (note, this is not the Farm account, but it is an account used to install SharePoint)
  • CONTOSO\svcWFAcct - RunAs account for WF
  • CONTOSO\svcSBAcct - RunAs account for Service Bus
  • CONTOSO\WFAdmin - domain group for WF Admin group
  • CONTOSO\SBAdmin - domain group for SB Admin group

According to the following TechNet article, https://technet.microsoft.com/en-us/library/jj193451.aspx, the requirements for installation are local admin rights on the server where you are installing Workflow Manager and the sysadmin role on the destination SQL Server. My gut feeling is that full sysadmin isn't required and that something like dbcreator plus securityadmin (similar to SharePoint) would do, but since the TechNet documentation says sysadmin, sysadmin it is. I've elevated the SQL rights for the setup account to sysadmin only for the duration of the installation/configuration, and the grant comes off again once configuration is done.
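The following is an added example (not a script from the original post) showing how to make that sysadmin grant temporary: add CONTOSO\svcSetupAcct to the sysadmin role before running the Workflow Manager install, confirm it, and drop it again afterwards. The SQL instance name SQL and the login name are the ones from this post; the function and parameter names are my own. It uses sp_addsrvrolemember/sp_dropsrvrolemember so that it works on SQL Server 2008 R2 as well as 2012 (ALTER SERVER ROLE is 2012+), and runs under the Windows identity of whoever launches it, which must already be a SQL sysadmin.

```powershell
# Added example: grant and later revoke sysadmin for the setup account.
# Assumptions: instance 'SQL', login 'CONTOSO\svcSetupAcct', Windows-integrated auth.
param(
    [string]$SqlInstance = 'SQL',
    [string]$Login       = 'CONTOSO\svcSetupAcct'
)

function Invoke-SetupSql {
    param([string]$Instance, [string]$Query)
    # Integrated security: no SQL passwords anywhere in this script.
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Database=master;Integrated Security=SSPI")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $cmd.ExecuteScalar()
    } finally {
        $conn.Close()
    }
}

function Test-Sysadmin {
    param([string]$Instance, [string]$Login)
    # IS_SRVROLEMEMBER returns 1 (member), 0 (not a member) or NULL (login unknown).
    $r = Invoke-SetupSql $Instance "SELECT IS_SRVROLEMEMBER(N'sysadmin', N'$Login')"
    return ($r -eq 1)
}

function Grant-TemporarySysadmin {
    param([string]$Instance, [string]$Login)
    # Create the Windows login if the account has never touched this instance.
    Invoke-SetupSql $Instance @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Login')
    CREATE LOGIN [$Login] FROM WINDOWS;
EXEC sp_addsrvrolemember N'$Login', N'sysadmin';
"@ | Out-Null
    Test-Sysadmin $Instance $Login
}

function Revoke-TemporarySysadmin {
    param([string]$Instance, [string]$Login)
    Invoke-SetupSql $Instance "EXEC sp_dropsrvrolemember N'$Login', N'sysadmin'" | Out-Null
    -not (Test-Sysadmin $Instance $Login)
}

# Before the install/configuration:
if (Grant-TemporarySysadmin $SqlInstance $Login) {
    Write-Host "$Login is now sysadmin on $SqlInstance; run the Workflow Manager install."
}

# After the configuration wizard shows green checkmarks, take the role away again.
# The WF and SB RunAs accounts keep the database rights the wizard granted them; the
# setup account needs nothing further at runtime.
if (Revoke-TemporarySysadmin $SqlInstance $Login) {
    Write-Host "$Login removed from sysadmin on $SqlInstance."
}
```

If the check after revocation still reports membership, the account is usually picking up sysadmin through a Windows group (for example local Administrators on the SQL box mapped to BUILTIN\Administrators), which is worth knowing before calling the setup least-privileged.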

Installation/Configuration of Workflow Manager

Log on locally to SP2013-2 and install Workflow Manager. I'm not going to walk through the installation here as it is fairly straightforward; see https://technet.microsoft.com/en-us/library/jj658588(v=office.15)#section4.

<Sample WF Manager Account Configuration Screenshot>

Once the bits are installed, configure Workflow Manager using either the wizard or PowerShell. You can also walk through the wizard and have it generate a PowerShell script from the settings you chose. Rather than show screenshots of my wizard settings, refer to the service-account list at the top of this post for which account goes where: CONTOSO\svcWFAcct is the Workflow Manager RunAs account, CONTOSO\svcSBAcct is the Service Bus RunAs account, and CONTOSO\WFAdmin and CONTOSO\SBAdmin are the respective admin groups. The only other configuration of note for my setup is that I'm allowing HTTP (since it's a lab environment; don't do this in production), auto-generating the certificates, and enabling firewall rules.
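As an added example (not the script my wizard run produced), here is the shape of the PowerShell the wizard generates, with the account mapping from the list above filled in. The SQL instance name SQL, the database names, the namespace name and the Get-ConnStr helper are assumptions; the ports are the Workflow Manager defaults (12290 HTTPS, 12291 HTTP); check the cmdlet parameter names against the script your own wizard run emits. The one change from the generated form is security-relevant: the wizard's script embeds the RunAs passwords and certificate auto-generation keys in clear text via ConvertTo-SecureString -AsPlainText, so anyone who finds the saved .ps1 has the service account credentials. Prompting for them keeps the script safe to keep.

```powershell
# Added example: WF/SB farm creation in the shape of the wizard-generated script,
# with secrets prompted for instead of embedded. Assumed: instance 'SQL', DB names,
# namespace name; accounts/groups are the ones listed in the post.
$sql = 'SQL'
function Get-ConnStr([string]$db) {
    "Data Source=$sql;Initial Catalog=$db;Integrated Security=True;Encrypt=False"
}

# Read every secret interactively as a SecureString; nothing is written to disk.
$sbCertKey   = Read-Host -AsSecureString 'Service Bus certificate auto-generation key'
$wfCertKey   = Read-Host -AsSecureString 'Workflow Manager certificate auto-generation key'
$sbRunAsPass = Read-Host -AsSecureString 'Password for CONTOSO\svcSBAcct'
$wfRunAsPass = Read-Host -AsSecureString 'Password for CONTOSO\svcWFAcct'

# Service Bus farm: RunAs account and admin group from the service-account list.
New-SBFarm -SBFarmDBConnectionString (Get-ConnStr 'SbManagementDB') `
    -InternalPortRangeStart 9000 -TcpPort 9354 -MessageBrokerPort 9356 `
    -RunAsAccount 'CONTOSO\svcSBAcct' -AdminGroup 'CONTOSO\SBAdmin' `
    -GatewayDBConnectionString (Get-ConnStr 'SbGatewayDatabase') `
    -MessageContainerDBConnectionString (Get-ConnStr 'SbMessageContainer01') `
    -CertificateAutoGenerationKey $sbCertKey -Verbose

# Workflow Manager farm: its own RunAs account and admin group.
New-WFFarm -WFFarmDBConnectionString (Get-ConnStr 'WFManagementDB') `
    -RunAsAccount 'CONTOSO\svcWFAcct' -AdminGroup 'CONTOSO\WFAdmin' `
    -HttpsPort 12290 -HttpPort 12291 `
    -InstanceDBConnectionString (Get-ConnStr 'WFInstanceManagementDB') `
    -ResourceDBConnectionString (Get-ConnStr 'WFResourceManagementDB') `
    -CertificateAutoGenerationKey $wfCertKey -Verbose

# Join this host (SP2013-2) to the Service Bus farm, opening the firewall ports.
Add-SBHost -SBFarmDBConnectionString (Get-ConnStr 'SbManagementDB') `
    -RunAsPassword $sbRunAsPass -EnableFirewallRules $true `
    -CertificateAutoGenerationKey $sbCertKey -Verbose

# Namespace that the WF RunAs account and the setup account are allowed to manage.
try {
    New-SBNamespace -Name 'WorkflowDefaultNamespace' -AddressingScheme 'Path' `
        -ManageUsers 'svcWFAcct@contoso.com', 'svcSetupAcct@contoso.com' -Verbose
    Start-Sleep -Seconds 90   # give the namespace time to become active
} catch [System.InvalidOperationException] {
    # namespace already exists; carry on
}

$sbClient = Get-SBClientConfiguration -Namespaces 'WorkflowDefaultNamespace' -Verbose

# Join this host to the WF farm. -EnableHttpPort is the lab-only "allow HTTP" wizard
# setting; omit it in production so OAuth traffic only ever travels over 12290/HTTPS.
Add-WFHost -WFFarmDBConnectionString (Get-ConnStr 'WFManagementDB') `
    -RunAsPassword $wfRunAsPass -EnableFirewallRules $true `
    -SBClientConfiguration $sbClient -EnableHttpPort `
    -CertificateAutoGenerationKey $wfCertKey -Verbose
```

Keep the certificate auto-generation keys somewhere you control (you need them again to join further hosts); they are secrets in their own right, since anyone holding them can join a host to the farm.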


After you see green checkmarks on the configuration summary, the next step is where I got hung up on the least-privileged configuration.

Registration with SharePoint Server 2013

Verify that Workflow Manager Client 1.0 is installed on each web front end (WFE) in the SharePoint 2013 farm.

Log on locally to one of the WFEs using an account that has the following rights:

  • member of the Workflow Manager admin group, CONTOSO\WFAdmin
  • member of the SharePoint Farm Administrators group
  • has been granted SharePoint shell admin access (Add-SPShellAdmin) to the content database that hosts the target site collection, not to every content database in the farm

Open the SharePoint 2013 Management Shell as administrator and execute the following PowerShell command:

Register-SPWorkflowService -SPSite "<site collection url>" -WorkflowHostUri "http://sp2013-2:12291" -AllowOAuthHttp

where:

  • -SPSite is the site collection to which you want to bind the Workflow Manager
  • -WorkflowHostUri is the URI where you have installed and bound the Workflow Manager, including the port number (12291 is the default HTTP port, 12290 the default HTTPS port)
  • -AllowOAuthHttp allows the OAuth traffic between SharePoint and Workflow Manager to travel over plain HTTP, which puts the OAuth tokens on the wire in clear text; acceptable in this lab, but not recommended in production, where both URIs should be HTTPS and the switch omitted

Verification

According to https://technet.microsoft.com/en-us/library/jj658588(v=office.15)#section6, you can validate that it worked by opening a site in SharePoint Designer 2013, creating a new workflow, and verifying that "SharePoint 2013 Workflow" is offered as a platform type.

Potential Errors

You may receive one of the following errors; for each one I've noted the problem and the resolution I used.

Error 1:

Register-SPWorkflowService : The caller does not have the necessary permissions required for this operation. Permissions granted: None. Required permissions: WriteScope. HTTP headers received from the server - ActivityId: 5e2b96c5-f971-48c9-b3fd-405c3616e1c7. NodeId: SP2. Scope: /SharePoint. Client ActivityId : 8e592951-0027-40c6-b996-ba3dd194fdea.

Problem: CONTOSO\svcSetupAcct (the account running the cmdlet) is not a member of the workflow admin group, CONTOSO\WFAdmin, so Workflow Manager denies it the WriteScope permission it needs to create the /SharePoint scope.

Resolution: Add CONTOSO\svcSetupAcct to CONTOSO\WFAdmin and re-run the Register-SPWorkflowService cmdlet. You may need to log out and log back in so that your logon token picks up the new group membership.

Error 2:

Register-SPWorkflowService -SPSite https://sp2013-1:31518 -WorkflowHostUri https://sp2013-2:12291 -AllowOAuthHttp
Register-SPWorkflowService : Cannot open database "WSS_Content_WFTest" requested by the login. The login failed.
Login failed for user 'CONTOSO\svcsetupacct'.

Problem: CONTOSO\svcSetupAcct has not been granted shell admin access to the WSS_Content_WFTest content database (the database that hosts the site collection passed to -SPSite).

Resolution: Grant CONTOSO\svcSetupAcct shell admin access to that one content database using PowerShell similar to the following: Add-SPShellAdmin CONTOSO\svcSetupAcct -database (Get-SPContentDatabase WSS_Content_WFTest)

Error 3:

Register-SPWorkflowService -SPSite https://intranet.contoso.lab -WorkflowHostUri https://wf.contoso.lab:12290
Register-SPWorkflowService : Failed to query the OAuth S2S metadata endpoint at URI 'https://intranet.contoso.lab/_layouts/15/metadata/json/1'. Error details: 'The metadata endpoint responded with an error. HTTP status code: Forbidden.'. HTTP headers received from the server - ActivityId: b5163152-3e31-4809-a532-5e20d1320027. NodeId: WF. Scope: /SharePoint. Client ActivityId : b66b0ea4-d9a7-4d2d-8be8-3a0c58ab728c.

Problem: Incorrect use of parameters.

Resolution: In this case the SharePoint site was non-SSL, but the -AllowOAuthHttp parameter was not specified. For a non-SSL SharePoint site, -AllowOAuthHttp must be used (and, as noted above, non-SSL should stay confined to the lab).

Special thanks to a couple of my peers for their assistance during this investigation!

Joe Rodgers

Mike Pasco

Comments

  • Anonymous
    June 26, 2013
    It is exactly the post I was looking for. But I get the error "failed to add the account to builtin administrator group. Do it manually." while running it. Can you tell me what might be wrong?
  • Anonymous
    July 08, 2013
    Hi Sachin! At what point are you getting this error? You shouldn't be adding any accounts to the local Admin group through the wizard. The only account that needs local Admin rights is the account you are logged in with (your Setup Account). Brian
  • Anonymous
    October 09, 2013
    I like your post. What accounts are you actually placing inside the SBAdmin group? I didn't see that, and please forgive me as I may have missed it. Thanks.
  • Anonymous
    October 09, 2013
    Hey Izzo, thanks for the comment. I don't recall needing to add any specific user to the SBAdmin group for my testing, but then again I wasn't using Service Bus for anything other than the Workflow integration with SP2013. My assumption is that you would need an SBAdmin if you had a need to use Service Bus for other applications and needed to manage it more directly. Thanks! Brian
  • Anonymous
    March 28, 2014
    If you use only one server add the registry key named DisableLoopbackCheck = 1
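Added note and example, not part of the commenter's text: DisableLoopbackCheck = 1 switches the loopback check off for every host name on the server. The narrower fix for a single-server lab, where SharePoint and Workflow Manager call each other on the same box, is to list only the host names that need to loop back in BackConnectionHostNames under the MSV1_0 key; the host names below are assumptions from this post's lab.

```powershell
# Added example: allow loopback only for the named hosts (Microsoft KB 896861, method 1)
# instead of disabling the loopback check globally. Host names are assumptions.
$hostNames = 'sp2013-1', 'sp2013-2', 'intranet.contoso.lab'
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# BackConnectionHostNames is a REG_MULTI_SZ; -Force overwrites an existing value.
New-ItemProperty -Path $key -Name BackConnectionHostNames `
    -PropertyType MultiString -Value $hostNames -Force | Out-Null

# Make sure the global bypass is not also set, otherwise the list above is moot.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ((Get-ItemProperty -Path $lsa).PSObject.Properties.Name -contains 'DisableLoopbackCheck') {
    Remove-ItemProperty -Path $lsa -Name DisableLoopbackCheck
}

# IIS must be restarted for the change to take effect.
iisreset
```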
  • Anonymous
    September 15, 2014
    I'm confused. You mention "Also, rather than show the screenshots for my wizard settings, I've listed above which accounts are being used where". Trying to figure out what accounts are being used where is the problem I'm trying to solve, and I don't see it anywhere in your article. Can you clarify?
  • Anonymous
    September 15, 2014
    Hi Trent, the section I'm referring to is this one: "For service accounts, I'm using the following: CONTOSO\svcSetupAcct - SharePoint setup account (note, this is not the Farm account, but it is an account used to install SharePoint); CONTOSO\svcWFAcct - RunAs account for WF; CONTOSO\svcSBAcct - RunAs account for Service Bus; CONTOSO\WFAdmin - domain group for WF Admin group; CONTOSO\SBAdmin - domain group for SB Admin group". I can try to post some screenshots a bit later, but I'm not sure which part is confusing.
    • Anonymous
      October 07, 2016
      Hi Brian, I am getting the first error "Register-SPWorkflowService : The caller does not have the necessary permissions..." and I just want to be sure if the CONTOSO\svcSetupAcct is the account I used to install SharePoint? Thanks!
  • Anonymous
    September 17, 2014
    Trent, I posted a screenshot above with the WF account configuration; let me know if you need more explanation. Thanks
  • Anonymous
    December 21, 2014
    Please correct the last parameter in the command: Register-SPWorkflowService -SPSite "<site collection url>" -WorkflowHostUri "http://sp2013-2:12291" -AllowOAuthHttp
  • Anonymous
    December 21, 2014
    Thanks, Andrew. I was having a formatting problem, so I just removed the extra highlighting; it should be fixed now.
  • Anonymous
    April 07, 2015
    Thanks for the help but I have a quick question.  Which server is your Application Server, and which is your WFE?
  • Anonymous
    April 07, 2015
    Hey Rahul, for this exercise I don't believe I separated out the roles for SharePoint, and all services were running on the same server -- sp2013-1. Hope that helps! Brian
  • Anonymous
    July 05, 2016
    This is exactly the information I was looking for. It's helpful that the installer generates a PowerShell script. It helped me a lot.
  • Anonymous
    January 10, 2017
    Thanks, you saved my time and it's working fine for me.