SharePoint 2013 Workflow Suspended — User Profile Service Authentication

Question

I have an on-site custom installation of SharePoint Server 2013 and I'm looking to integrate the SharePoint Workflow Manager component into my current farm. For context, there are two servers in the farm -- one runs the instance of SQL Server 2012 for the farm and other has SharePoint Server 2013, as well as Project Server 2013 installed; this is the server where I am installing and configuring the workflow manager.

I have followed the instructions from the video series linked here from Microsoft through my configuration, as well as other MSDN documentation. I am using HTTPS for the communication between the workflow farm and the SharePoint farm (the workflow farm will be on its own dedicated server in production), but I am not using SSL for SQL Server.

I have followed the instructions throughout this video series, including creating a sample workflow using SharePoint Designer 2013. This workflow simply adds "Hello World" as a value for a list attribute. When attempting to execute the workflow, I receive the following HTTP 401 errors (once the workflow has suspended):

RequestorId: 1a1099b5-ad10-1051-0000-000000000000. Details: An unhandled exception occurred during the execution of the workflow instance. Exception details: System.ApplicationException: HTTP 401 {"error_description":"There is no identity claim mapper registered. The mapping operation is not supported."}

Below are the additional errors that are being thrown to the ULS logs: SPApplicationAuthenticationModule: Failed to build cache key for user

SPJsonWebSecurityBaseTokenHandler: ValidateActorIsSelfIssuer! Issuer '00000005-0000-0000-c000-000000000000' is not self issuer.
Mapping operations are not supported. There is no registered mapper

STS Call Claims Saml: Problem getting output claims identity. Exception: 'System.NotSupportedException: There is no identity claim mapper registered. The mapping operation is not supported.    
 at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.GetClaimFromExternalMapper(Uri contextUri, List`1 claims)    
 at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.ResolveUserIdentityClaim(Uri contextUri, ClaimCollection inputClaims)    
 at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.GetIdentityClaim(Uri contextUri, ClaimCollection inputClaims, SPCallingIdentityType callerType)    
 at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetLogonIdentityClaim(SPRequestInfo requestInfo, IClaimsIdentity inputIdentity, IClaimsIdentity outputIdentity, SPCallingIdentityType callerType)    
 at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.EnsureSharePointClaims(SPRequestInfo requestInfo, IClaimsIdentity outputIdentity, SPCallingIdentityType callerType)    
 at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.AugmentOutputIdentityForRequest(SPRequestInfo requestInfo, IClaimsIdentity outputIdentity)    
 at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)'.

STS Call: Failed to issue new security token. Exception: System.NotSupportedException: There is no identity claim mapper registered. The mapping operation is not supported.    
 at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.GetClaimFromExternalMapper(Uri contextUri, List`1 claims)    
 at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.ResolveUserIdentityClaim(Uri contextUri, ClaimCollection inputClaims)    
 at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.GetIdentityClaim(Uri contextUri, ClaimCollection inputClaims, SPCallingIdentityType callerType)    
 at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetLogonIdentityClaim(SPRequestInfo requestInfo, IClaimsIdentity inputIdentity, IClaimsIdentity outputIdentity, SPCallingIdentityType callerType)    
 at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.EnsureSharePointClaims(SPRequestInfo requestInfo, IClaimsIdentity outputIdentity, SPCallingIdentityType callerType)    
 at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.AugmentOutputIdentityForRequest(SPRequestInfo requestInfo, IClaimsIdentity outputIdentity)    
 at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)    
 at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request)    
 at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request)

SPSecurityContext: Request for security token failed with exception: System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: There is no identity claim mapper registered. The mapping operation is not supported. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is: System.NotSupportedException: There is no identity claim mapper registered. The mapping operation is not supported.   
 at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.GetClaimFromExternalMapper(Uri contextUri, List`1 claims)    
 at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.ResolveUserIdentityClaim(Uri contextUri, ClaimCollection inputClaims)    
 at Microsoft.SharePoint.IdentityModel.SPIdentityClaimMapperOperations.GetIdentityClaim(Uri contextUri, ClaimCollection inputClaims, SPCallingIdentityType callerType)    
 at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetLogonIdentityClaim(SPRequestInfo requestInfo, IClaimsIdentity inputIdentity, IClaimsIdentity outputIdentity, SPCallingIdentityType callerType)    
 at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.EnsureSharePointClaims(SPRequestInfo requestInfo, IClaimsIdentity outputIdentity, SPCallingId...).

An exception occurred when trying to issue security token: There is no identity claim mapper registered. The mapping operation is not supported..

I am relatively new to SharePoint Development and was wondering if anyone could shed any light on what my issue could be. Right now, I am looking at the User Profile Service and the Authentication mode used.

I have ensured that the users executing the workflow have been synchronized using the User Profile Service and that the SharePoint group that they belong to has at least the Contribute permissions (note that this is running against a Project Web Access SharePoint site).

Any insight that anyone could give would be much appreciated.

Answer 1

After seeking Microsoft Support, I determined that I needed to enable the "SharePoint Server to Server Authentication" feature inside of Central Administration.

This can be accessed by going to Central Administration --> System Settings --> Manage Farm Features. From there, the SharePoint Server to Server Authentication" feature. From there, you can click "Activate" to enable the feature.

Hopefully my experience will help someone who was stuck in a similar situation configuring SharePoint Workflow Manager 1.0 against a SharePoint 2013 farm.

Answer 2

I have not come across this error personally. With Workflow the first place I check is the UPS - which you have already done.

Some other things you can look at

• Make sure none of the accounts running the workflow have the "act as system" right assigned thru the web application policy.
• Make sure your Security Token Service is provisioned and online.
• Also check that the Distributed cache is running and healthy.