SharePoint 2013 Workflow System.Security.Cryptography.CryptographicException: Access is denied

Kim Ryan 41 Reputation points
2021-08-23T21:08:01.243+00:00

I have configured SharePoint Workflow Manager for an on-premise SharePoint 2019 farm with no problems. However, when trying to create a SharePoint 2013 workflow, the workflow can be saved but not published. The error is:

SharePoint 2013 Workflow errors were found when compiling the workflow. The workflow files were saved but cannot be run. System.Security.Cryptography.CryptographicException: Access is denied.

Request (POST:http://somesite.someplace.org/_vti_bin/client.svc/ProcessQuery)

Workflow Manager is running under an account in the local Administrators group, and I added a policy on the web application giving it full control to see if that would correct the error. There are no issues in IIS -- I can browse to the workflow service, the workflow farm status is good, proxy good, etc.

What else can I check?

Please find ULS below... Thanks in advance!

ULS:

System.Security.Cryptography.CryptographicException: Access is denied.
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.Utils._GenerateKey(SafeProvHandle hProv, Int32 algid, CspProviderFlags flags, Int32 keySize, SafeKeyHandle& hKey)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
at Microsoft.SharePoint.SPSecurityContext.GetRsaUseKeyAlgorithm()
at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo, SPRequestSecurityTokenProperties properties)
at Microsoft.SharePoint.SPSecurityContext.<>c__DisplayClassc.<GetProcessSecurityTokenForServiceContext>b__b()
at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
at Microsoft.SharePoint.SPSecurityContext.GetProcessSecurityTokenForServiceContext()
at Microsoft.SharePoint.SPChannelFactoryOperations.CreateChannelAsProcessTChannel
at Microsoft.SharePoint.Administration.SPServiceApplicationProxyBase1.GetChannel(Boolean requireDelegation, Uri address)
at Microsoft.SharePoint.Administration.SPServiceApplicationProxyBase1.ExecuteOnChannel(Boolean requireDelegation, Action`1 codeBlock)
at Microsoft.SharePoint.AppManagement.AppManagementServiceApplicationProxy.GetScaleOutDatabaseMap()
at Microsoft.SharePoint.SPScaleOutDatabaseMap.GetMapCacheEntriesForProxy(ISPScaleOutDatabaseMapProvider mapProvider, Guid forceRefreshVersion)
at Microsoft.SharePoint.SPScaleOutDatabaseMap.GetMapEntry(ISPScaleOutDatabaseMapProvider mapProvider, Byte[] compositeKey, Guid forceRefreshVersion, Guid& version)
at Microsoft.SharePoint.SPScaleOutDatabaseMap.CreateSqlSession(ISPScaleOutDatabaseMapProvider mapProvider, Byte[] compositeKey, Guid forceRefreshVersion, Guid& version)
at Microsoft.SharePoint.SPScaleOutDatabaseCommandExecutor.Execute(ExecuteDelegate operation, ISPScaleOutDatabaseMapProvider mapProvider, SPSqlCommand command, Byte[] compositeKey)
at Microsoft.SharePoint.AppManagement.AppManagementServiceApplicationProxy.Execute(ExecuteDelegate operation, ISPScaleOutDatabaseMapProvider mapProvider, SPSqlCommand command, Byte[] compositeKey)
at Microsoft.SharePoint.AppManagement.AppManagementServiceApplicationProxy.GetApp(String appId)
at Microsoft.SharePoint.AppRegistration.GetAppInfo(String appId, Boolean throwIfNotExists)
at Microsoft.SharePoint.SPAppPrincipalManager.LookupInInternalDirectory(SPAppPrincipalIdentityProvider identityProvider, String nameIdentifier)
at Microsoft.SharePoint.SPAppPrincipalManager.LookupAppPrincipalInternal(SPAppPrincipalIdentityProvider identityProvider, SPAppPrincipalName appPrincipalName, Boolean onlyInExternalDirectory)
at Microsoft.SharePoint.WorkflowServices.SPWebWorkflowSecurityContext.<>c__DisplayClassc.<LookupAppPrincipal>b__9(SPWeb elevatedWeb)
at Microsoft.SharePoint.WorkflowServices.SPWebWorkflowSecurityContext.LookupAppPrincipal(SPWeb web, String appId)
StackTrace:
at Microsoft.Office.Server.Native.dll: (sig=163a6647-82b1-468c-b17b-8e03ae2ca42c|2|Microsoft.Office.Server.Native.pdb, offset=1065B)
at Microsoft.Office.Server.Native.dll: (offset=2017F)


2 answers

  1. Emily Du-MSFT 42,506 Reputation points Microsoft Vendor
    2021-08-24T08:48:16.837+00:00

    @Kim Ryan

    Are all the 2013 workflows unable to be published, or only one workflow?

    Please follow the steps below to troubleshoot the issue.

    1. Make sure that you have configured Workflow Manager correctly and registered the Workflow Manager Service with SharePoint.

    2. Go to Central Administration as Administrator -> System Settings -> Manage Services on Server -> Check whether the App Management Service is running.

    3. Go to Central Administration as Administrator -> Application Management -> Manage Service Applications -> Workflow Service Application Proxy -> Make sure that the Workflow Service Application Proxy is connected.

    4. Go to Services -> Make sure that the following services are running.

    (1) Service Bus Gateway
    (2) Windows Fabric Host Service
    (3) Service Bus Message Broker
    (4) Workflow Manager Backend
    (5) Service Bus Resource Provider

    5. Check whether the firewall is turned off.

    If the issue persists, please clear SharePoint Designer 2013 cache and install Microsoft SharePoint Designer 2013 Service Pack 1 (SP1).

    Reference:
    Workflow Manager Health Checklist for SharePoint 2019

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.


    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
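
The checks in steps 2 to 4 of the answer above can be run as one script instead of clicking through Central Administration and the Services console. This is an added example, not part of the thread or of Microsoft's documentation. It assumes an elevated SharePoint Management Shell on a server that hosts both SharePoint and Workflow Manager, that the service display names are exactly as listed in the answer, and that the App Management instance reports the type name used below.

```powershell
# Added example, not from the thread. Run in an elevated SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 4: Windows services, by the display names given in the answer (assumed exact).
$displayNames = 'Service Bus Gateway', 'Windows Fabric Host Service',
                'Service Bus Message Broker', 'Workflow Manager Backend',
                'Service Bus Resource Provider'

$report = foreach ($name in $displayNames) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check = "Windows service: $name"
        State = if ($svc) { [string]$svc.Status } else { 'NotFound' }
        Ok    = [bool]($svc -and $svc.Status -eq 'Running')
    }
}

# Step 2: App Management Service instances across the farm.
# The TypeName string is an assumption; adjust it if your farm reports a different name.
$appMgmt = @(Get-SPServiceInstance |
    Where-Object { $_.TypeName -eq 'App Management Service' })
$online = @($appMgmt | Where-Object { $_.Status -eq 'Online' })
$report += [pscustomobject]@{
    Check = 'SharePoint service instance: App Management Service'
    State = if ($appMgmt.Count -eq 0) { 'NotFound' }
            else { "$($online.Count) of $($appMgmt.Count) online" }
    Ok    = ($online.Count -gt 0)
}

# Step 3: confirm that a Workflow Service Application Proxy is registered.
# This only proves the proxy object exists; the "connected" state is shown
# on the proxy's page in Central Administration.
$proxy = Get-SPWorkflowServiceApplicationProxy
$report += [pscustomobject]@{
    Check = 'Workflow Service Application Proxy'
    State = if ($proxy) { 'Registered' } else { 'NotFound' }
    Ok    = [bool]$proxy
}

$report | Format-Table -AutoSize
if ($report.Ok -contains $false) {
    Write-Warning 'One or more checks failed; review the rows where Ok is False.'
}
```

If Workflow Manager runs on a separate server, the five Windows services will show as NotFound here; run that part of the script on the Workflow Manager host instead.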


  2. Kim Ryan 41 Reputation points
    2021-08-25T14:52:57.383+00:00

    Thanks for the links to the articles! Those are excellent. I checked everything mentioned several times and finally theorized that the reason for the 'cryptographic exception - access denied' error was related to TLS. As a test, I added an AAM on my site (which is currently running on 80 and 443 with a cert). The new mapping used the server name, http, no cert.

    Then I deleted the workflow manager proxy and re-added it using http only. After this, I was able to publish Workflow Manager 2013 workflows in SharePoint Designer using the AAM. This means that something with HTTPS proxy was causing the problem.

    It looks like I will need to follow these steps -> https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/enable-tls-1-1-and-tls-1-2-support-in-sharepoint-server-2019. Then I can delete the current proxy and create it correctly with https. At this point, I have not done this so cannot say definitely that this is the answer, but it is the most likely solution. For now, though, I have a workaround.