Workflow Manager 403 Forbidden – Local Admin Group Woes

After configuring Workflow Manager, you may try to hit the service descriptor and receive a 403 Forbidden error.

This is caused by the AdminGroup being left as the default BUILTIN\Administrators. To test this: if your account is a local admin (or you run IE with elevated privileges), you should be able to render the page, but any other account fails.

This is because the request tries to use local admin privileges from a non-privileged account and is blocked.

Using the following commands, you can view the AdminGroup:

$Farm = Get-WFFarm
$Farm.AdminGroup

Looking at the definition for the property, it appears to have a get and a set, intimating that it can be changed, but unfortunately the farm itself does not have an update property, so any changes made will not stick. The only way I’ve found to rectify this so far is to:

  • Rip down the farm (remove host from farm and delete the 6 dbs, 3 SB and 3 WF)
  • Make sure the workflow service account is a local administrator
  • Create a Workflow Farm Managers group
  • Install Workflow Manager again, this time making sure the Admin Group is set to the Workflow Managers group

One other point of caution – after adding the permissions I often find it pertinent to reboot to ensure they are picked up correctly.

If anyone out there has found a way to alter the AdminGroup via PowerShell, then please let me know – I’ll be all ears 🙂
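To confirm the diagnosis before tearing the farm down, the check below reports the farm's AdminGroup and whether the current logon token is an effective member of it. It is an added example, not part of the original post; the helper name Test-WFAdminGroupAccess is hypothetical, and it assumes the AdminGroup property renders as an account name such as BUILTIN\Administrators.

```powershell
# Added example, not from the original post. Run in the Workflow Manager
# PowerShell console on a farm host, as the account that receives the 403.
function Test-WFAdminGroupAccess {   # hypothetical helper name
    $farm = Get-WFFarm
    # Assumption: AdminGroup renders as an account name such as
    # BUILTIN\Administrators or DOMAIN\GroupName.
    $adminGroup = [string]$farm.AdminGroup

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # With UAC on, an unelevated token of a local admin carries
    # BUILTIN\Administrators as deny-only, so IsInRole returns $false for it.
    $elevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    try   { $inGroup = $principal.IsInRole($adminGroup) }
    catch { $inGroup = $false }   # group name could not be resolved

    [pscustomobject]@{
        User              = $identity.Name
        AdminGroup        = $adminGroup
        IsDefaultGroup    = ($adminGroup -eq 'BUILTIN\Administrators')
        ProcessElevated   = $elevated
        TokenInAdminGroup = $inGroup
    }
}

$result = Test-WFAdminGroupAccess
$result | Format-List
if ($result.IsDefaultGroup) {
    Write-Warning 'AdminGroup is still the default BUILTIN\Administrators.'
}
if (-not $result.TokenInAdminGroup) {
    Write-Warning "Current token is not an effective member of $($result.AdminGroup)."
}
```

Running it once from a normal console and once from an elevated one shows the same account flipping TokenInAdminGroup when the farm is on the default group, which matches the elevated-IE behaviour described above.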
