SharePoint Workflow Manager: Can't instantiate WindowsIdentity for user <name>''</name> and authentication type ''.

Jesús Libreros 0 Reputation points
2026-04-13T23:08:35.2533333+00:00

Hello everyone, I kindly ask for your help, please, as I am integrating SharePoint 2019 with SharePoint Workflow Manager. When I try to run a workflow, I encounter the following errors.

<PII removed>

Microsoft 365 and Office | SharePoint Server | Development

2 answers

  1. Teddie-D 16,370 Reputation points Microsoft External Staff Moderator
    2026-04-14T00:30:37.5533333+00:00

    Hi @Jesús Libreros 

    Since this is a public platform, I’ve moved the detailed logs to a private message to avoid exposing any personal or organizational information. Please refer to the private message for those details.  

    Please note that this is a peer-to-peer support forum. Moderators, contributors, and external Microsoft employees here do not have access to back‑end systems or diagnostic tools, so we cannot collect logs or perform a full investigation of your environment. Our role is limited to sharing technical guidance and best practices based on publicly available documentation and personal experience.

    While reviewing the ULS logs, you may see entries such as: Can't instantiate WindowsIdentity for user <name>''</name> and authentication type ''.

    At first glance, this can appear to be the root cause of a workflow issue. However, this message is generated earlier in the SharePoint authentication pipeline, before the request has a standard Windows‑authenticated user context. In workflow scenarios, Workflow Manager communicates with SharePoint using OAuth, not Windows authentication. Because of this, the request may legitimately lack a Windows identity at that stage, and the log entry is simply informational.  

    The actual authentication issue occurs later in the same request, where SharePoint attempts to validate the OAuth actor token issued by Workflow Manager and throws the following exception: The actor token's outernameid claim is null or whitespace

    This indicates that although SharePoint successfully received and parsed the OAuth token, actor token validation failed during identity resolution.  

    Based on the OAuth token claims present in the ULS logs, the environment appears to be using SharePoint Workflow Manager (SPWFM) rather than Classic Workflow Manager.  

    However, beginning with the September 2025 SharePoint update, SharePoint requires a compatible patch level of SharePoint Workflow Manager (SPWFM) and matching SPWFM client components installed on all SharePoint servers. 

    If either the farm or client components are not updated to at least the August 2025 CU or later, OAuth actor token validation can fail during workflow execution. 

    You can read more at Trending Issue: Classic Workflow Manager Workflows fail after September 2025 CU for SharePoint – St… 

    This information is provided as a convenience to you. These sites are not controlled by Microsoft, and Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please ensure that you fully understand the risks before using any suggestions from the above link.   

    As a next step, please verify that: 

    - Ensure the SharePoint Workflow Manager farm is updated to the latest supported CU.
    - Confirm the SPWFM client update is installed on all SharePoint servers in the farm.

    I hope this helps point you in the right direction. 


    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

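The log triage described in the answer above, as an added example that is not part of the original thread or of any Microsoft tooling: it groups ULS entries by correlation ID and reports the actor token exception as the finding, while treating a lone WindowsIdentity line as informational. The sample lines, categories, event IDs and correlation IDs are constructed, and the function names are hypothetical.

```powershell
# Constructed ULS-style lines. Real ULS files are tab-delimited with the columns:
# Timestamp, Process, TID, Area, Category, EventID, Level, Message, Correlation.
# Categories, event IDs and correlation IDs below are placeholders.
$sample = @(
    "04/13/2026 18:01:02.11`tw3wp.exe`t0x2B10`tSharePoint Foundation`tClaims Authentication`tx0001`tMedium`tCan't instantiate WindowsIdentity for user '' and authentication type ''.`t00000000-0000-0000-0000-00000000000a"
    "04/13/2026 18:01:02.15`tw3wp.exe`t0x2B10`tSharePoint Foundation`tApp Auth`tx0002`tUnexpected`tThe actor token's outernameid claim is null or whitespace`t00000000-0000-0000-0000-00000000000a"
    "04/13/2026 18:02:10.40`tw3wp.exe`t0x1F04`tSharePoint Foundation`tClaims Authentication`tx0001`tMedium`tCan't instantiate WindowsIdentity for user '' and authentication type ''.`t00000000-0000-0000-0000-00000000000b"
)

$Benign     = "Can't instantiate WindowsIdentity"          # informational on OAuth requests
$ActorError = "outernameid claim is null or whitespace"    # the failure named in the answer

function ConvertFrom-UlsLine {
    param([string]$Line)
    # Split on tabs instead of CSV parsing so quotes inside messages cannot break fields.
    $f = $Line -split "`t"
    if ($f.Count -lt 9 -or $f[0] -like 'Timestamp*') { return }   # header or wrapped line
    [pscustomobject]@{ Timestamp = $f[0].Trim(); Level = $f[6].Trim()
                       Message = $f[7].Trim(); Correlation = $f[8].Trim() }
}

function Get-WorkflowAuthVerdict {
    param([string[]]$Lines)
    $Lines | ForEach-Object { ConvertFrom-UlsLine $_ } |
        Group-Object Correlation | ForEach-Object {
            # Evaluate each request (one correlation ID) as a whole, not line by line.
            $messages  = @($_.Group | ForEach-Object Message)
            $hasBenign = @($messages -like "*$Benign*").Count -gt 0
            $hasActor  = @($messages -like "*$ActorError*").Count -gt 0
            $verdict = if ($hasActor) {
                'Actor token validation failed: check SPWFM farm and client patch level'
            } elseif ($hasBenign) {
                'Informational only: OAuth request without a Windows identity'
            } else { 'No workflow authentication finding' }
            [pscustomobject]@{ Correlation = $_.Name; Entries = $_.Count; Verdict = $verdict }
        }
}

Get-WorkflowAuthVerdict $sample | Format-Table -AutoSize
```

To run it against a real log, pass the output of `Get-Content` for a ULS log file in place of `$sample`.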


  2. AI answer

    2026-04-13T23:09:05.6266667+00:00

    The error indicates an authentication/authorization problem between SharePoint 2019 and Workflow Manager when the workflow runs. In similar SharePoint–Workflow Manager integrations, workflows fail when Workflow Manager’s IIS authentication configuration or app principal configuration is incorrect.

    Based on the provided context, focus on these areas:

    1. Verify IIS authentication on the Workflow Manager server
      • On the Workflow Manager server, open IIS Manager.
      • Locate the Workflow Management Site.
      • Open Authentication for this site.
      • Ensure Anonymous Authentication is Enabled.
      • Ensure Windows Authentication is Enabled.
      • If Anonymous Authentication is disabled, enable it and test the workflow again.
      • This configuration is required because SharePoint–WFM communication uses OAuth over Windows claims, and disabling Anonymous on the WFM site causes authentication failures and 401 responses when publishing or running workflows.
    2. Confirm Workflow Manager prerequisites and configuration
      • Ensure Workflow Manager is installed on a supported configuration (odd number of hosts: 1, 3, or 5) and that the Web Server (IIS) role is installed with:
        • Windows Authentication
        • .NET Extensibility 4.7
        • ASP.NET 4.7
      • Verify that an RWDC (read/write domain controller) is available (not only RODCs), and that Azure Service Fabric Runtime (minimum supported version 9.1.1583.9590) is installed and configured before Workflow Manager setup.
    3. Check for known post‑update authorization issues
      • If this issue started after applying recent SharePoint 2019 CUs or security updates, review current guidance on “problems with workflows after applying CU” and confirm that any required authorization fixes have been applied (for example, re-registering Workflow Manager or updating app permissions as described in current troubleshooting articles).
    4. Validate scopes and app principal configuration (if workflows fail only on some sites)
      • If some workflows run and others fail, or if the issue appeared after reconnecting to an existing Workflow Manager farm or after upgrade/migration, check for mismatched SPAuthenticationRealm in Workflow Manager scopes:
        • Use the documented SQL query against WFResourceManagementDB.dbo.Scopes to locate the scope for the affected SPWeb.
        • Inspect the ApplicationId in the SecuritySettings XML and confirm it matches <SPWebID>@<SPAuthenticationRealm> for the current farm.
        • If the SPAuthenticationRealm is wrong, follow the documented PowerShell procedure to register a new SPAppPrincipal for that SPWeb so that the ApplicationId in Workflow Manager matches a valid app principal.
      • Also consider republishing the workflows from the affected site using SharePoint Designer, and/or running the Refresh Trusted Security Token Services Metadata feed timer job if workflows do not start on some sites.
    5. Use tracing tools to confirm the failure point
      • Use Fiddler (as a proxy) between SharePoint and Workflow Manager to inspect calls when publishing or starting the workflow:
        • Look for HTTP/1.1 401 Unauthorized responses from the Workflow Manager endpoint.
        • In a healthy configuration, scope update calls return HTTP/1.1 201 Created.
      • If 401s are seen and the request does not reach Workflow Manager internals (as shown by ETL traces), this further confirms an IIS authentication issue on the Workflow Management Site.

    After enabling Anonymous and Windows Authentication on the Workflow Management Site, confirming Workflow Manager prerequisites, and ensuring the scopes’ ApplicationId/SPAuthenticationRealm mapping is correct, test the workflow again. If it still fails, republish the workflow from SharePoint Designer and check ULS logs for entries such as “Cannot get app principal permission information” to determine whether additional app principal registration steps are required.



    AI-generated content may be incorrect. Read our transparency notes for more information.
