After the configuration of the workflow manager you may try and hit the service descriptor and receive a 403 forbidden error.
This is caused by the AdminGroup being left as the default BUILTIN\Administrators. To test this if your account is a local admin (or you run IE with elevated privileges) you should be able to render the page, but any other account fails.
This is because the request is trying to be elevated using local admin privileges from a non-privileged account and is being blocked.
Using the following commands lets you can view the AdminGroup
$Farm = Get-WFfarm
Looking at the, it appears that the definitions for the property it appears to have a get and a set – intimating that it can be changed, but unfortunately the farm itself does not have an update property so any changes made will not stick. The only way to I’ve found to rectify this so far is to:
- Rip down the farm (remove host from farm and delete the 6 dbs, 3 SB and 3 WF)
- Make sure the workflow service account is a local administrator
- Create a Workflow Farm Managers group
- Install Workflow Manager again, this time making sure the Admin Group is set to the Workflow Managers group
One other point of caution – after adding the permissions I often find it pertinent to reboot to ensure they are picked up correctly.
If anyone out there has found a way to alter the AdminGroup via powershell, then please let me know – I’ll be all ears 🙂