SharePoint Designer workflow approval task is stuck "In Progress"

Symptoms

Consider the following scenario:

A SharePoint Designer workflow includes a Start Approval Process task. When the workflow runs, the notification email is sent to the approver. Some approvers try to approve the tasks after a few days. Randomly, the tasks get stuck in an "In Progress" state and the workflow hangs.

The workflow tracing log has the following entry:

Subscription handler of Activity ID4 threw System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
   at Microsoft.SharePoint.Library.SPRequest.OpenWeb(String bstrUrl...., Int32& puiVersion, Int16& pnClientTag)
   at Microsoft.SharePoint.SPWeb.InitWeb()
   at Microsoft.SharePoint.SPWeb.get_Title()
   at Microsoft.SharePoint.SPSite.OpenWeb(Guid gWebId, Int32 mondoHint)
   at Microsoft.SharePoint.Workflow.SPWinOEWSSService.GetWebForWorkflow(SPWorkflow wf, SPWorkflowUserContext runAsUser)
   at Microsoft.SharePoint.Workflow.SPWinOEWSSService.get_Web()
   at Microsoft.SharePoint.WorkflowActions.WorkflowContext.get_Web()
   at Microsoft.Office.Workflow.Actions.OfficeTask.get_WebFields()
   at Microsoft.Office.Workflow.Actions.OfficeTask.StaticNameFromFieldId(Guid fieldId)
   at Microsoft.Office.Workflow.Actions.OfficeTask.CloneWithFieldsAvailableByInternalName(Hashtable htOrig, Hashtable htDest)
   at Microsoft.Office.Workflow.Actions.OfficeTask.HandleTimerSubscriptionChange(ActivityExecutionContext context, OneTaskProperties currentTask)
   at Microsoft.Office.Workflow.Actions.OfficeTask.System.Workflow.ComponentModel.IActivityEventListener<System.Workflow.ComponentModel.QueueEventArgs>.OnEvent(Object sender, QueueEventArgs qea)
   at System.Workflow.ComponentModel.ActivityExecutorDelegateInfo`1.ActivityExecutorDelegateOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)

The ULS log may have the following entries:

OWSTIMER.EXE (0x2268) 0x1BB0 SharePoint Foundation General 72nz Medium Videntityinfo::isFreshToken reported failure. a81a47e3-75eb-437c-991d-b0c89a84a525
OWSTIMER.EXE (0x2268) 0x1BB0 SharePoint Foundation General 8xfr Verbose PermissionMask check failed. asking for 0x00000001, have 0x00000000 a81a47e3-75eb-437c-991d-b0c89a84a525
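
The following Python example is added here and is not part of the original article. It parses ULS lines in the flattened layout quoted above and reports correlation IDs where OWSTIMER.EXE logged both the 72nz and 8xfr entries. The field layout, the list of level names, and the last two sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed layout, taken from the two ULS lines quoted in the article:
# process (pid) tid area/category event-id level message correlation-id
ULS_LINE = re.compile(
    r"^(?P<process>\S+) \((?P<pid>0x[0-9A-Fa-f]+)\)\s+(?P<tid>0x[0-9A-Fa-f]+)\s+"
    r"(?P<area_category>.+?)\s+(?P<event_id>[0-9a-z]{4})\s+"
    r"(?P<level>Verbose|Medium|High|Monitorable|Unexpected|Critical)\s+"  # assumed level names
    r"(?P<message>.*?)\s+(?P<correlation>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$"
)
TOKEN_REFRESH_FAILED = "72nz"     # "isFreshToken reported failure"
PERMISSION_CHECK_FAILED = "8xfr"  # "PermissionMask check failed"


def parse_uls_line(line):
    """Return the fields of one ULS line as a dict, or None if it does not parse."""
    match = ULS_LINE.match(line.strip())
    return match.groupdict() if match else None


def find_stale_token_failures(lines, process="OWSTIMER.EXE"):
    """Return correlation IDs under which the given process logged both a failed
    token freshness check and a permission check against an empty mask."""
    seen = defaultdict(set)
    for line in lines:
        event = parse_uls_line(line)
        if event is None or event["process"].upper() != process.upper():
            continue
        if event["event_id"] == TOKEN_REFRESH_FAILED and "isFreshToken" in event["message"]:
            seen[event["correlation"]].add(TOKEN_REFRESH_FAILED)
        elif event["event_id"] == PERMISSION_CHECK_FAILED and "have 0x00000000" in event["message"]:
            seen[event["correlation"]].add(PERMISSION_CHECK_FAILED)
    wanted = {TOKEN_REFRESH_FAILED, PERMISSION_CHECK_FAILED}
    return sorted(corr for corr, ids in seen.items() if ids == wanted)


# First two lines are quoted from the article; the last two are constructed non-matches
# (a different process, and a timer-job permission failure with no token failure).
SAMPLE_LINES = [
    "OWSTIMER.EXE (0x2268) 0x1BB0 SharePoint Foundation General 72nz Medium Videntityinfo::isFreshToken reported failure. a81a47e3-75eb-437c-991d-b0c89a84a525",
    "OWSTIMER.EXE (0x2268) 0x1BB0 SharePoint Foundation General 8xfr Verbose PermissionMask check failed. asking for 0x00000001, have 0x00000000 a81a47e3-75eb-437c-991d-b0c89a84a525",
    "w3wp.exe (0x1A2C) 0x0F40 SharePoint Foundation General 8xfr Verbose PermissionMask check failed. asking for 0x00000001, have 0x00000000 11111111-2222-3333-4444-555555555555",
    "OWSTIMER.EXE (0x2268) 0x1BB0 SharePoint Foundation General 8xfr Verbose PermissionMask check failed. asking for 0x00000001, have 0x00000000 aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
]

if __name__ == "__main__":
    for correlation in find_stale_token_failures(SAMPLE_LINES):
        print("stale user token in timer job, correlation", correlation)
```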

Cause

There are two domains involved with the SharePoint farm: a Resource domain and a User domain. The SharePoint farm is in the Resource domain and the users are in the User domain. There is a one-way trust from the Resource domain to the User domain. User accounts from the User domain are members of a security group (SG). Permissions are set inside the SharePoint site collections by using the security group.

SharePoint stores the User-Token in a SQL table, and some services check that token before contacting a domain controller again. The default timeout for this token is 24 hours. After 24 hours, when the token expires, an interactive logon creates a fresh right-token in the SQL table. The scheduled workflow task is picked up by the OWSTimer job, and at that time, OWSTimer tries to update the User-Token. If the OWSTimer service account is from the Resource domain, it cannot retrieve the membership in the User domain. The User-Token becomes invalid, and the workflow task fails to execute because the invalid User-Token triggers an 'Access Denied' error.

Resolution

Method 1:

Change the OWSTimer service account to be an account in the User Domain.

Method 2:

  1. Author the workflow as a user who is assigned permission explicitly instead of through AD groups.
  2. Use an Impersonation step to wrap all workflow actions.

Properties

Article ID: 2843542 - Last Review: Jun 4, 2014 - Revision: 1
