Issue
After a .NET Security Update, Nintex Workflows no longer publish, are stuck 'In Progress', or fail to run.
Note: This is an error in SharePoint itself and this will also impact your SharePoint Designer workflows.
Resolution
Run the following PowerShell scripts (link below) on a server within your SharePoint farm to add the authorizedtype entries.
Process overview:
1. Refer to the following link to access the two PowerShell scripts: Add-CodeDomAuthorizedType on GitHub
2. Modify both PowerShell scripts to add -IncludeNintexWorkflow where the function is called (near the end of each script). For example:
Add-CodeDomAuthorizedType.ps1: Add-CodeDomAuthorizedType -Verbose -IncludeNintexWorkflow
Add-CodeDomAuthorizedTypeToOWSTimerConfig.ps1: Add-CodeDomAuthorizedTypeToOWSTimerConfig -ComputerName $serverNames -Verbose -IncludeNintexWorkflow
3. Run each script as an Administrator. You can do this in PowerShell, PowerShell ISE or SharePoint Management Shell.
4. Test your workflows.
Note: If you face any issues with the script, please reach out to Microsoft Support.
Error Code
There are variations of the errors that occur, but the common line in regard to this issue is as follows:
Additional Information
After any of the September 2018 .NET Framework security updates to resolve CVE-2018-8421 (.NET Framework Remote Code Execution Vulnerability) are applied, SharePoint out-of-the-box workflows stop working.
This issue can also occur following SharePoint Cumulative Updates (CUs) after November 2018. That CU and subsequent CUs attempt to counter the issue by adding authorizedtype entries to the appropriate files, but in some cases they can result in the CodeTypeReferenceExpression authorizedtype entry being removed, surfacing the issue again. The above solution would then need to be applied again.
Add-CodeDomAuthorizedType.ps1 and Add-CodeDomAuthorizedTypeToOWSTimerConfig.ps1 add the authorizedtype entries to the web.config and OWSTimer.exe.config files across your farm respectively.
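To confirm whether an entry is missing from a given config file before re-running the scripts, a read-only check such as the following can help. This is an added example, not part of the Nintex or Microsoft scripts; the function name Test-CodeDomAuthorizedType, the sample XML and the temporary file name are constructed for illustration, and the element layout in the sample is an assumption.

```powershell
# Added example: read-only audit of authorizedType entries; it does not modify the file.
function Test-CodeDomAuthorizedType {
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,
        # CodeTypeReferenceExpression is the entry this article names; pass others as needed.
        [ValidatePattern('^[A-Za-z0-9_]+$')]
        [string[]] $TypeName = @('CodeTypeReferenceExpression')
    )
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load((Resolve-Path -LiteralPath $ConfigPath).ProviderPath)
    foreach ($name in $TypeName) {
        # Match on attributes only, so the check does not depend on the parent element layout.
        $xpath = "//authorizedType[@Namespace='System.CodeDom' and @TypeName='$name']"
        $nodes = $xml.SelectNodes($xpath)
        $allowed = @($nodes | Where-Object { $_.GetAttribute('Authorized') -ieq 'True' })
        [pscustomobject]@{
            Config     = $ConfigPath
            TypeName   = $name
            Present    = $nodes.Count -gt 0
            Authorized = $allowed.Count -gt 0
        }
    }
}

# Constructed sample config: one CodeDom entry present, CodeTypeReferenceExpression missing.
$sample = @'
<configuration>
  <System.Workflow.ComponentModel.WorkflowCompiler>
    <authorizedTypes>
      <targetFx version="v4.0">
        <authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                        Namespace="System.CodeDom" TypeName="CodeBinaryOperatorExpression" Authorized="True" />
      </targetFx>
    </authorizedTypes>
  </System.Workflow.ComponentModel.WorkflowCompiler>
</configuration>
'@
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'sample-web.config'
Set-Content -LiteralPath $tmp -Value $sample -Encoding UTF8

# The missing entry is reported with Present = False and Authorized = False.
Test-CodeDomAuthorizedType -ConfigPath $tmp `
    -TypeName 'CodeBinaryOperatorExpression', 'CodeTypeReferenceExpression' |
    Format-Table TypeName, Present, Authorized

Remove-Item -LiteralPath $tmp
```

Point -ConfigPath at a copy of each web.config and OWSTimer.exe.config in the farm; a row with Present or Authorized set to False marks a file where the scripts need to be applied again.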
In rare cases, running the following has been necessary in applying the solution successfully:
$webapp = Get-SPWebApplication -identity http://<web app name>
$webapp.UpdateWorkflowConfigurationSettings()
For SharePoint 2010 Farms: Relevant entries will be included in the scripts in addition to the CodeDom authorizedtype entries. Please note that these scripts have been updated over time and may include entries that were not included before.
Related Links
Microsoft Blog Post: https://blogs.msdn.microsoft.com/rodneyviana/2018/09/13/after-installing-net-security-patches-to-address-cve-2018-8421-sharepoint-workflows-stop-working/
Microsoft Knowledge Base Article: https://support.microsoft.com/en-us/help/4465015/sharepoint-workflows-stop-after-cve-2018-8421-security-update