Sharepoint Workflow POST web request with anonymous enabled

  • 5 July 2023
  • 5 replies



I have a SharePoint 2016 application that is using Nintex workflows and forms. Recently I had to enable anonymous access in the web app. When anonymous is enabled at site collection level (lists and libraries), the Nintex workflows that I have seem to run using the anonymous user permissions because I get:

 - 403 unauthorized on POST requests (if “Require Use Remote Interfaces permission” is checked)

 - 404 not found even in GET requests (if “Require Use Remote Interfaces permission” is unchecked)

in my workflow web request, which I did not get before.

For every web request I have credentials set as the Service account, which should have all the necessary permissions, but for some reason it seems like Nintex bypasses that and runs under a least privileged user.

Any idea why this is happening? I tried various solutions but I cannot seem to get Nintex to run with elevated privileges once Anonymous is enabled at site collection level and I am getting really desperate.



Best answer by stefanh 6 July 2023, 16:42


5 replies


To give more context: it is a workflow that runs on item creation/modification, and should copy the attachment file from this item to a different doc library. The web request calls that I have and that fail are:

  • _api/web/GetFileByServerRelativeUrl - fails with 404 not found when “Require Use Remote Interfaces permission” is unchecked but if “Require Use Remote Interfaces permission” is checked it returns 200 and it works fine
  • _api/web/GetFileById('GUID')/copyto(strnewurl='relativeUrlForDifferentList',boverwrite=true) - fails with 403 when “Require Use Remote Interfaces permission” is checked

Before those calls that fail I also have other web request calls in the workflow that work correctly like: 

  • /_api/lists(guid'a3df637d-e6f5-416c-b803-e7c1af0e247e')/Items(3404)/AttachmentFiles - to get the attachment from current list item
  • /_api/Web/GetFolderByServerRelativeUrl('relativeUrlForFolderInList')

Further debugging shows that the 403 error message actually is “The security validation for this page is invalid.Click Back in your Web browser, refresh the page, and try your operation again”.

The formdigest is present in the request and it still throws this error, so I really do not know why this is happening. What is the difference when anonymous is enabled in the site collection?

[Screenshot: capture from Nintex verbose logging]



If you were to wrap the entire workflow in an Action Set and then use the Run as workflow Owner option, does that help anything?

You’d still have to do some extra work to capture *who* is running the workflow but I just wanna see if this would at least solve the status issue


I already tried this with no luck. I also initiated the workflow with the administrator account that is also the SP farm admin, with the same results.


I managed to resolve the issue by adding the following header to the form digest web request call: “X-RequestForceAuthentication” : “true”.



Hopefully this will also help others facing this issue.
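
Added example, not part of the original thread and not Nintex's own code: the fix from the last reply laid out as the two web requests it affects, with `X-RequestForceAuthentication: true` on the form digest call and the returned digest carried on the `copyto` POST. It assumes the digest is fetched from `_api/contextinfo` and sent back in `X-RequestDigest`; the host name, GUID, paths and the sample response are constructed.

```python
import json
import urllib.parse

JSON_VERBOSE = "application/json;odata=verbose"

# Constructed sample of an _api/contextinfo response body (odata=verbose shape).
SAMPLE_CONTEXTINFO = json.dumps({"d": {"GetContextWebInformation": {
    "FormDigestTimeoutSeconds": 1800,
    "FormDigestValue": "0xCONSTRUCTED,05 Jul 2023 10:00:00 -0000"}}})


def digest_request(site_url):
    """Form digest call: ask for an authenticated response, not an anonymous one."""
    return {
        "method": "POST",
        "url": site_url.rstrip("/") + "/_api/contextinfo",
        "headers": {"Accept": JSON_VERBOSE,
                    "X-RequestForceAuthentication": "true"},
    }


def parse_digest(body):
    """Pull FormDigestValue out of the response; reject anything else."""
    try:
        return json.loads(body)["d"]["GetContextWebInformation"]["FormDigestValue"]
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("no FormDigestValue in contextinfo response") from exc


def copy_request(site_url, file_id, target_url, digest):
    """The copyto POST from the thread, carrying the digest obtained above."""
    literal = target_url.replace("'", "''")  # OData string literals double quotes
    endpoint = "/_api/web/GetFileById('%s')/copyto(strnewurl='%s',boverwrite=true)" % (
        file_id, urllib.parse.quote(literal))
    return {
        "method": "POST",
        "url": site_url.rstrip("/") + endpoint,
        "headers": {"Accept": JSON_VERBOSE, "X-RequestDigest": digest},
    }


if __name__ == "__main__":
    site = "https://sp.example.test/sites/app"  # constructed site URL
    print(digest_request(site))
    digest = parse_digest(SAMPLE_CONTEXTINFO)
    print(copy_request(site, "11111111-2222-3333-4444-555555555555",
                       "/sites/app/Docs/a b.pdf", digest))
```

Each returned dictionary maps onto the URL, method and header fields of a workflow web request, or can be passed to any HTTP client that supplies the service account credentials.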