Approval Workflows are failing when SharePoint is in a child domain
Edit: this is now fixed in the WSS December CU package:
Description of the Windows SharePoint Services 3.0 hotfix package (Sts.msp): December 16, 2008
https://support.microsoft.com/default.aspx?scid=kb;EN-US;959644
Description of the SharePoint Server 2007 hotfix package (Coreserver.msp): December 16, 2008
https://support.microsoft.com/default.aspx?scid=kb;EN-US;959637
Let's take a look at this rather annoying issue. In this setup you have the following domains setup:
Parent domain: planets.com
Child domain: sharepoint.planets.com
Parent domain 2: mars.com
There is a two way transitive trust between the planets.com domain and the mars.com domain. You can verify this by setting up a share on planets.com and try to add a user from mars.com. SharePoint is installed and configured on sharepoint.planets.com.
On any Site Collection, you create a document library, list, or any other library that a workflow can be created against. Now, you create a custom SharePoint group, let's call it AppGroup, and you add a user from the mars.com domain. This group needs to have the Approval level rights applied. So, let's go and create a new Approval workflow. Let's set this workflow to start when a new item is added, and set the Approver to be the AppGroup you created. To fire that workflow off, let's upload a document. The workflow started. But, you need to finalize approval. When you do so, it fails with the dreaded "Unknown Error" error.
If you enable verbose logging and capture any errors for Workflow Infrastructure, the following error is thrown as the workflow is fired off for final approval:|
"WinWF Internal Error, terminating workflow Id# cc2390458923905892-43949204
System.SystemException: The trust relationship between the primary domain and the trusted domain failed."
Ouch. So what when wrong? You have a properly working two way trust, because you can add a user to a share on either DC, and people picker works. Well, there is a workaround! When creating your workflow, enable "Assign a single task to each group entered (Do not expand groups)", which I have shown below:
The one caveat to this is that you may run into performance issues if you have a lot of users in that group. But, if you have a few, say one or up to about three, that simply do approvals all day, this shouldn't be a performance issue. Tweaking, of course, may be needed.
Comments
Anonymous
November 21, 2008
PingBack from http://blog.a-foton.ru/index.php/2008/11/22/approval-workflows-are-failing-when-sharepoint-is-in-a-child-domain/Anonymous
December 02, 2008
Thanks for the work around! It would be nice if you can shed some light on what went wrong?Anonymous
December 13, 2008
My Friend Paul has Nice Post on Approval Workflows are failing when SharePoint is in a child domain