Workflow 401 Access Denied Troubleshooter Script

I’ve put together a script that validates some of the common causes of workflows failing with 401 Access Denied, beyond the obvious one of the user running the workflow lacking permissions on the list or library.

Script Location:
https://github.com/BrentPerson/workflowAuthTS

What the Script will do:

  1. WFM Trust
    1. Check that the signing certificate stored on the WFM trusted security token issuer matches the certificate published at the WFM metadata endpoint listed in the trust
      1. If the certificate has a chain, every certificate in the chain is checked as well
    2. Each certificate in the chain is also checked for presence in the trusted root authority
    3. If the trust is not valid, it asks whether you want to attempt a fix by running the timer job “Refresh Security Token Service Metadata Feed”
      1. It sleeps 20 seconds after starting the timer job before checking the trust again
      2. It loops until the trust is valid or you tell the script not to attempt the fix again
  2. User Profiles
    1. Checks for the existence of user profile(s) matching the provided SPS-UserPrincipalName, WorkEmail and/or SID property values
    2. Displays the profile count and asks whether you want to display the profiles
      1. If you say yes it lists each profile object to the console; otherwise it breaks out of the script
  3. Workflow App Only Policy
    1. Prompts for a web URL so it can check whether the workflow app-only policy feature is activated
      1. If it is activated it lists all the workflow app IDs registered for the web
      2. If it is not activated it asks whether you want to try to activate the feature
        1. If you do it attempts to enable the feature for the web; otherwise it breaks out of the script
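The following is an added example of how check #1 (WFM trust) can be done by hand; it is not the script from the post. It assumes the SharePoint 2013 Management Shell on a farm server, that the issuer’s MetadataEndPoint returns the WFM JSON metadata document with a “keys” array whose entries carry the signing certificate base64-encoded in keyValue.value (an assumption about the document layout), and that the metadata refresh timer job can be found by a display-name wildcard (an assumption about the job’s exact name).

```powershell
# Added example, not the post's script. Assumptions: SharePoint 2013 Management Shell on a farm
# server; the issuer's MetadataEndPoint returns WFM JSON metadata whose "keys" entries carry the
# signing certificate base64-encoded in keyValue.value (assumed layout); the refresh timer job is
# matched by a display-name wildcard (assumed name).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-WfmMetadataCertificates {
    # Download the metadata document and return every X.509 signing certificate it publishes.
    param([Parameter(Mandatory = $true)][uri]$MetadataEndPoint)
    $doc = Invoke-RestMethod -Uri $MetadataEndPoint
    foreach ($key in $doc.keys) {
        if ($key.keyValue.type -ne 'x509Certificate') { continue }
        $raw = [Convert]::FromBase64String($key.keyValue.value)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    }
}

function Get-ChainTrustReport {
    # Walk the certificate's chain and report, per element, whether it is present in the
    # SharePoint trusted root authority store and in the machine's Trusted Root store.
    param([Parameter(Mandatory = $true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Enumerate the chain even when the root is unknown, instead of letting Build() stop early.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    [void]$chain.Build($Certificate)
    $spRoots      = @(Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint })
    $machineRoots = @(Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint })
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        New-Object PSObject -Property @{
            Subject            = $c.Subject
            Thumbprint         = $c.Thumbprint
            NotAfter           = $c.NotAfter
            InSPTrustedRoot    = ($spRoots -contains $c.Thumbprint)
            InLocalMachineRoot = ($machineRoots -contains $c.Thumbprint)
        }
    }
}

function Test-WfmTrust {
    # Compare the certificate SharePoint trusts with what WFM currently publishes; with -Repair,
    # run the metadata refresh timer job, wait 20 seconds and re-check, up to $MaxAttempts times.
    param([string]$IssuerName, [switch]$Repair, [int]$MaxAttempts = 3)
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        $issuers = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.MetadataEndPoint -and -not $_.IsSelfIssuer }
        if ($IssuerName) { $issuers = $issuers | Where-Object { $_.Name -eq $IssuerName } }
        $allValid = $true
        foreach ($issuer in $issuers) {
            $trusted   = $issuer.SigningCertificate
            $published = @(Get-WfmMetadataCertificates -MetadataEndPoint $issuer.MetadataEndPoint)
            $pubPrints = @($published | ForEach-Object { $_.Thumbprint })
            $match     = $pubPrints -contains $trusted.Thumbprint
            Write-Host ("{0}: trusted={1} published={2} match={3}" -f $issuer.Name, $trusted.Thumbprint, ($pubPrints -join ','), $match)
            # Display the chain report without mixing it into the function's return value.
            Get-ChainTrustReport -Certificate $trusted |
                Format-Table Subject, Thumbprint, NotAfter, InSPTrustedRoot, InLocalMachineRoot -AutoSize | Out-Host
            if (-not $match) { $allValid = $false }
        }
        if ($allValid -or -not $Repair) { return $allValid }
        Write-Host "Trust is out of date; starting the metadata refresh timer job (attempt $attempt of $MaxAttempts)"
        Get-SPTimerJob | Where-Object { $_.DisplayName -like '*Security Token*Metadata*' } | Start-SPTimerJob
        Start-Sleep -Seconds 20   # give the job time to run before re-reading the issuer
    }
    return $false
}

# Usage: Test-WfmTrust -Repair
```

The thumbprint comparison is the whole point: SharePoint validates the workflow’s OAuth token against the signing certificate stored on the trusted issuer, so if WFM has rotated its outbound certificate (or was re-configured) and SharePoint’s copy has not been refreshed, token validation fails even though everything else is configured correctly. The chain report is separate because a certificate that matches but whose issuing CA is absent from the trusted root authority fails for a different reason, and the two cases need different fixes.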

ULS Log Examples when this script would be useful

  • #3 Workflow App Only Policy
    • The OAuth request is an app-only request, but the app is not allowed to use the app-only policy, which is what check #3 looks for on the web:

      OAuth app principal Name=i:0i.t|ms.sp.ext|6966b269-8a6c-4fb3-8b16-234f8deadf6c@43d4a423-c0c5-49d1-943b-c808c34350d6, IsAppOnlyRequest=True, UserIdentityName=0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint, ClaimsCount=11

      TenantScopedPerm=0, AllowAppOnlyPolicy=False, AppId=i:0i.t|ms.sp.ext|6966b269-8a6c-4fb3-8b16-234f8deadf6c@43d4a423-c0c5-49d1-943b-c808c34350d6.

      It’s app only request, but the app i:0i.t|ms.sp.ext|6966b269-8a6c-4fb3-8b16-234f8deadf6c@43d4a423-c0c5-49d1-943b-c808c34350d6 is not allowed to use app only policy.
  • #2 User Profiles: duplicate UPNs
    • More than one profile matches on the SPS-UserPrincipalName property, where exactly one should match:

      Error trying to search in the UPA. The exception message is ‘Microsoft.Office.Server.UserProfiles.DuplicateEntryException: GetUserProfileByPropertyValue: Multiple User Profiles found with propertyName ‘SPS-UserPrincipalName’ of specified value

      The set of claims could not be mapped to a single user identity. Exception GetUserProfileByPropertyValue: Multiple User Profiles found with propertyName ‘SPS-UserPrincipalName’ of specified value has occured.
  • #2 User profile does not exist for the UPN
    • No profile was found for the identity claim in the token.
    • With OAuth in user context, SharePoint must look up the user’s profile to augment the claims in the OAuth token, and exactly one profile must match the UPN carried in the token:

      Couldn’t find a user using property ‘{0}’ of value ‘{1}’.

      Identity claims mapped to ‘0’ user profiles.

      UserProfileException caught.. Exception Microsoft.Office.Server.Security.UserProfileNoUserFoundException: 3001002;reason=The incoming identity is not mapped to any user profile account in SharePoint. Possible cause is that no user profiles are created in user profile database. Contact your administrator.
  • #1 Can’t resolve the issuer of the OAuth token
    • SharePoint is unable to resolve the issuer of the token.
    • For workflows and OAuth, the issuer is identified by the WFM outbound signing certificate.
    • SharePoint tries to match that certificate’s thumbprint to a registered trusted security token issuer, which is what check #1 validates:

      SPApplicationAuthenticationModule: Invalid token or signature. Exception: System.IdentityModel.Tokens.SecurityTokenException: Invalid JWT token. Could not resolve issuer token.
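The following is an added example covering checks #2 and #3 against the conditions the ULS entries above describe (zero or duplicate profile matches, and the app-only policy feature not being active); it is not the post’s script. It assumes the SharePoint 2013 Management Shell on a farm server with a User Profile Service Application, and that the web-scoped feature behind “Workflows can use app permissions” is named WorkflowAppOnlyPolicyManager. The URLs and UPN in the usage lines are placeholders.

```powershell
# Added example, not the post's script. Assumptions: SharePoint 2013 Management Shell on a farm
# server with a User Profile Service Application; the web-scoped app-only policy feature is
# named WorkflowAppOnlyPolicyManager. URLs and the UPN in the usage lines are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.Office.Server.UserProfiles')

function Find-UserProfileByProperty {
    # Return every profile whose property equals $Value and classify the count the way the ULS
    # messages do: 0 = UserProfileNoUserFoundException, 1 = healthy, >1 = DuplicateEntryException.
    param(
        [Parameter(Mandatory = $true)][string]$SiteUrl,
        [Parameter(Mandatory = $true)][ValidateSet('SPS-UserPrincipalName', 'WorkEmail')][string]$PropertyName,
        [Parameter(Mandatory = $true)][string]$Value
    )
    $site = Get-SPSite $SiteUrl
    $hits = @()
    try {
        $ctx = Get-SPServiceContext $site
        $upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)
        # Full enumeration is fine for troubleshooting one value; it is slow on very large farms.
        foreach ($up in $upm.GetEnumerator()) {
            $current = $up[$PropertyName].Value
            # -eq on strings is case-insensitive in PowerShell, which is how UPNs and e-mail compare.
            if ($current -and ([string]$current -eq $Value)) { $hits += $up }
        }
    }
    finally { $site.Dispose() }
    switch ($hits.Count) {
        0       { Write-Warning "No profile has $PropertyName = '$Value' (the 'Identity claims mapped to 0 user profiles' case)" }
        1       { Write-Host "Exactly one profile matches: $($hits[0]['AccountName'].Value)" }
        default {
            Write-Warning "$($hits.Count) profiles share $PropertyName = '$Value' (the DuplicateEntryException case)"
            $hits | ForEach-Object { Write-Host ('  ' + $_['AccountName'].Value) }
        }
    }
    return ,$hits
}

function Test-WorkflowAppOnlyPolicy {
    # Report whether the app-only policy feature is active on the web; with -Enable, activate it.
    param([Parameter(Mandatory = $true)][string]$WebUrl, [switch]$Enable)
    $featureName = 'WorkflowAppOnlyPolicyManager'
    $active = Get-SPFeature -Web $WebUrl | Where-Object { $_.DisplayName -eq $featureName }
    if ($active) {
        Write-Host "$featureName is active on $WebUrl; app-only workflow calls are permitted"
        return $true
    }
    Write-Warning "$featureName is not active on $WebUrl; expect AllowAppOnlyPolicy=False in ULS for app-only workflow calls"
    if (-not $Enable) { return $false }
    Enable-SPFeature -Identity $featureName -Url $WebUrl
    return [bool](Get-SPFeature -Web $WebUrl | Where-Object { $_.DisplayName -eq $featureName })
}

# Usage (placeholder values):
# Find-UserProfileByProperty -SiteUrl 'http://intranet' -PropertyName 'SPS-UserPrincipalName' -Value 'jdoe@contoso.com'
# Test-WorkflowAppOnlyPolicy -WebUrl 'http://intranet/sites/hr' -Enable
```

Two practical notes. The profile lookup deliberately enumerates and counts rather than stopping at the first match, because the duplicate case is the one that is easy to miss: a single stray profile imported with the same UPN (for example after a domain migration) is enough to turn every user-context workflow call into a 401. Enabling the app-only feature widens what a workflow can do on that web, so activate it only where workflows genuinely need app permissions.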
