2. Fresh installation: install WFM 1.0 Refresh (CU2) + CU5 with "SB 1.1 with TLS 1.2" (will install WFM 1.0 CU4 client)
Follow the steps below.
Offline installation steps
1. Please check the prerequisites for Workflow Manager installation.
2. Please see the below documentation to determine which .NET versions are installed:
3. We recommend being on the latest versions of Workflow Manager and Service Bus to avoid any version compatibility issues in the future.
4. Log in to the WFM primary server with an administrator/farm administrator/service account. Check whether your RunAs account's farm account is part of the following groups; if not, it needs to be added.
a. Click Start.
b. Open Run and type the below command.
c. Command: lusrmgr.msc
d. Go to "Groups".
e. Look for your login account in the groups listed below.
   i. Administrator
   ii. Distributed COM Users
   iii. Remote Desktop Users
   iv. Windows Fabric Administrator
   v. Windows Fabric Allowed Users
   vi. IIS users
   vii. Azure Fabric Administrator
   viii. Azure Fabric Allowed Users
5. The installation account must have the "sysadmin" role on the SQL server. Please find the references: https://docs.microsoft.com/en-us/previous-versions/service-bus-archive/jj193011(v=azure.100)
6. Copy the downloaded "Workflow Manager" zip file onto the WFM server and extract the file to the same location.
7. Please make sure Web Platform Installer 5.1 is installed on your WFM server which has internet connectivity.
a. If yes, go to step 8.
b. If not, please click on the following link and download the exe file, Web Platform Installer: https://www.microsoft.com/web/downloads/platform.aspx
8. Offline package installation
- If you want to install WFM 1.0 Refresh (CU2) + CU5 with "SB 1.1 with TLS 1.2" (will install WFM 1.0 CU4 client)
- Check that all required registry keys are enabled; if not, enable them.
- We are able to add them using the below PowerShell script.
- Or we can add them manually. Please find the below link to add the required registry keys.
13. The below registry key values need to be enabled.
Save the below registry entries in a TLSCheck.bat file. Then run it from an Admin command prompt or double-click on it.
Click on Run, type Regedit and click OK. The Registry Editor will open. Navigate to the below paths and set the required registry settings.
1. For the TLS 1.2 Service Bus upgrade, make sure the below registry values are enabled.
a. If not, please follow the below steps to enable the default registry values.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
; Use one of the two DefaultSecureProtocols values below.
; TLS 1.0, TLS 1.1 and TLS 1.2 all enabled:
"DefaultSecureProtocols"=dword:00000a80
; TLS 1.2 only enabled, TLS 1.0 and TLS 1.1 disabled (0x800 = 2048):
"DefaultSecureProtocols"=dword:00000800
"DisableBranchCache"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
; Use one of the two DefaultSecureProtocols values below.
; TLS 1.0, TLS 1.1 and TLS 1.2 all enabled:
"DefaultSecureProtocols"=dword:00000a80
; TLS 1.2 only enabled, TLS 1.0 and TLS 1.1 disabled (0x800 = 2048):
"DefaultSecureProtocols"=dword:00000800
"DisableBranchCache"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy]
"Enabled"=dword:00000000
14. After adding, proceed to further steps.
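Before moving on, the registry values from step 13 can be confirmed with a read-only check. The script below is an added example, not part of the original post; it assumes the TLS 1.2-only WinHttp option (0x800) and uses the value names as Windows reads them (SystemDefaultTlsVersions, DefaultSecureProtocols, "Internet Settings\WinHttp").

```powershell
# Added example (not from the original page): read-only audit of the step 13 values.
# Expected values are copied from the listing above; nothing is written.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$expected = @()
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') {
        $key = "$schannel\$proto\$role"
        $expected += [pscustomobject]@{ Path = $key; Name = 'Enabled'; Want = [int]($proto -eq 'TLS 1.2') }
        $expected += [pscustomobject]@{ Path = $key; Name = 'DisabledByDefault'; Want = 0 }
    }
}
foreach ($root in 'HKLM:\SOFTWARE\Microsoft', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft') {
    foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
        $expected += [pscustomobject]@{ Path = "$root\.NETFramework\v4.0.30319"; Name = $name; Want = 1 }
    }
    $expected += [pscustomobject]@{ Path = "$root\Windows\CurrentVersion\Internet Settings\WinHttp"; Name = 'DefaultSecureProtocols'; Want = 0x800 }
}
$expected += [pscustomobject]@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy'; Name = 'Enabled'; Want = 0 }

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function ConvertTo-ProtocolList([int]$Mask) {
    # WinHTTP DefaultSecureProtocols bit flags, decoded to protocol names.
    $flags = [ordered]@{ 'SSL 2.0' = 0x8; 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80; 'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800 }
    ($flags.Keys | Where-Object { $Mask -band $flags[$_] }) -join ', '
}

$report = foreach ($e in $expected) {
    $actual = Get-RegValue $e.Path $e.Name
    [pscustomobject]@{
        Key    = $e.Path -replace '^HKLM:\\', ''
        Name   = $e.Name
        Want   = $e.Want
        Actual = if ($null -eq $actual) { '<missing>' } else { $actual }
        OK     = ($null -ne $actual) -and ([int]$actual -eq $e.Want)
        Note   = if ($e.Name -eq 'DefaultSecureProtocols' -and $null -ne $actual) { ConvertTo-ProtocolList $actual } else { '' }
    }
}
$report | Format-Table -AutoSize -Wrap
if ($report.OK -contains $false) { Write-Warning 'One or more values differ from the listing.' }
```

A value reported as `<missing>` means the key or value was never created, which is different from a value that is present but set to something else.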
15. Proceed to install the WFM offline package.
16. Execute the below commands one after another in Windows PowerShell (Run as Administrator).
17. Please change the highlighted download path accordingly before executing the commands.
1. WebpiCmdline.exe /Products:ServiceBus_1_1_TLS_1_2 /XML:C:\WFM\All\feeds\latest\webproductlist.xml /AcceptEula
2. WebpiCmdline.exe /Products:WorkflowManagerRefresh /XML:C:\WFM\All\feeds\latest\webproductlist.xml /AcceptEula
3. WebpiCmdline.exe /Products:WorkflowCU5 /XML:C:\WFM\All\feeds\latest\webproductlist.xml /AcceptEula
Note: Please change the WFM file package location in the above commands before executing.
v. Once completed with the Workflow Manager configuration process, proceed to configure the Workflow Manager configuration wizard. Once completed, proceed to the next steps.
- Workflow Manager installation and configuration is completed. All WFM certificates (SSL, Outbound, Encryption and Farm certificate) should be present in MMC (trusted, personal, and intermediate).
19. Now export the SSL and outbound certificates to the local server.
20. Log in to SharePoint Central Admin ---> Security ---> Manage Trust. You need to upload the new SSL and outbound certificates to this location.
1. All SSL and outbound certificates should be present in MMC (trusted, personal, intermediate) on all SharePoint servers (front-end and application servers).
2. Check that the workflow client CU4 is installed on all SharePoint servers.
Another way to trust certificates
1. Enroll it as a trusted security token issuer:
2. $trustCert = Get-PfxCertificate "C:\Yourcertificatename.cer"
Where C: is the assumed path of your certificate (you can change it); update it with your certificate name.
3. Below is for the outbound certificate:
4. New-SPTrustedRootAuthority -Name "YourWFMFarm" -Certificate $trustCert
5. Note: Update YourWFMFarm to your own farm information for the manage trust.
6. Below is for the SSL certificate:
7. New-SPTrustedRootAuthority -Name "YourWFMFarm" -Certificate $trustCert
8. Note: Update YourWFMFarm to your own farm information for the manage trust.
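To confirm that an exported certificate ended up where steps 19 and 20 say it should be, the following read-only check can be run on each server, once per certificate. It is an added example, not part of the original post; the file path is a placeholder, and the SharePoint part only runs where the SharePoint snap-in is available.

```powershell
# Added example (not from the original page): read-only check that an exported
# WFM certificate is in the local machine stores and in SharePoint's trust list.
# $CerPath is a placeholder; pass the SSL or outbound .cer exported in step 19.
param([string]$CerPath = 'C:\Yourcertificatename.cer')

$cert = Get-PfxCertificate -FilePath $CerPath

# MMC store names as shown in the Certificates snap-in, mapped to provider names.
$stores = [ordered]@{ 'Trusted Root' = 'Root'; 'Personal' = 'My'; 'Intermediate' = 'CA' }

$result = foreach ($label in $stores.Keys) {
    $hit = Get-ChildItem "Cert:\LocalMachine\$($stores[$label])" |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    [pscustomobject]@{ Location = "LocalMachine\$label"; Present = [bool]$hit; TrustName = '' }
}

# Central Admin > Security > Manage Trust corresponds to Get-SPTrustedRootAuthority.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
if (Get-Command Get-SPTrustedRootAuthority -ErrorAction SilentlyContinue) {
    $trusted = Get-SPTrustedRootAuthority |
        Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint }
    $result = @($result) + [pscustomobject]@{
        Location  = 'SharePoint Manage Trust'
        Present   = [bool]$trusted
        TrustName = ($trusted | ForEach-Object { $_.Name }) -join ', '
    }
}

"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"
$result | Format-Table -AutoSize
```

Matching is done on the thumbprint, so a certificate with the same subject but a different key, for example one left over from an earlier WFM farm, shows as not present.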
21. From the SharePoint Management Shell (run as administrator) on the SharePoint server, run the below commands to get the current WorkflowHostUrl used to register WFM with SharePoint and to validate the scope name.
$wfProxy = Get-SPWorkflowServiceApplicationProxy
$wfProxy.GetWorkflowServiceAddress((Get-SPSite -Limit 1 -WarningAction SilentlyContinue))
Examples:
http://WFM.SharePoint.com:12290/SharePoint
http://WFM.SharePoint.com:12291/SharePoint
SharePoint is the default scope name. No scope name parameter needs to be added to Register-SPWorkflowService.
22. Register WFM to the SharePoint farm: from the administrative SharePoint Management Shell, run the below command.
Example:
Register-SPWorkflowService -SPSite "http://Webapplicationurl.com" -WorkflowHostUrl "http://WFM.SharePoint.com:12290/SharePoint" -AllowOAuthHttp -Force
Or
Register-SPWorkflowService -SPSite "http://Webapplicationurl.com" -WorkflowHostUrl "http://WFM.SharePoint.com:12290/SharePoint" -ScopeName " " -AllowOAuthHttp -Force
23. Change the values of SPSite and WorkflowHostUrl accordingly before executing the command.
24. SPSite: from SharePoint Central Admin \ Application Management \ Manage Web Applications, select a web app to use for the SPSite. It does not matter which one, since the Workflow Proxy will bind to all of them when set with default services.
25. To avoid users getting 401 errors when running 2013 workflows, run the below daily timer job:
1. Run the timer job to ensure that it is updated throughout the farm.
2. SharePoint Central Administration \ Monitoring \ Timer Job Definitions \ run the daily timer job: Refresh Trusted Security Services Metadata feed [Farm job - Daily] - Run Now
3. Go to manage your timer job as per:
4. Look for "Refresh Trusted Security Token Services Metadata feed Timer Job"
5. Choose "Run Now"
OR using PowerShell
6. We can run the following in the SharePoint Management Shell:
$tj = Get-SPTimerJob | ?{ $_.Name -eq "RefreshMetadataFeed" }
$tj.RunNow()
T. SSL, Outbound, Encryption and Farm certificates should be present on all WFM, App and Workflow Manager servers (trusted, personal and intermediate).
U. Verify that Workflow Manager client CU4 is installed on all SharePoint servers (web app front end, application servers, Workflow Manager servers).
V. Browse the endpoint of WFM.
W. You can create a new test workflow using SharePoint Designer.