SharePoint Server custom workflow fails after farm changes

Von Mastein Jr 20 Reputation points
2026-03-11T11:49:07.6733333+00:00

In a SharePoint Server farm integrated with Workflow Manager, several SharePoint Designer workflows fail to transition beyond the “Starting” state when triggered on lists. The workflows previously executed successfully but recently stopped progressing without modifications to the workflow definitions.

One thing I found strange is that the Workflow Manager and Service Bus services are running, but ULS logs contain intermittent warnings related to workflow host communication and OAuth token validation. Restarting services does not consistently resolve the issue.

So in this situation, from a break-fix perspective, which technical checks should be prioritized?

Regards

Microsoft 365 and Office | SharePoint Server | For business

Answer accepted by question author
  1. Kudos-Ng 14,515 Reputation points Microsoft External Staff Moderator
    2026-03-11T13:55:26.11+00:00

    Hi Von Mastein Jr,

    Thank you for providing those specific details. 

    Workflows stuck in the "Starting" state, accompanied by "OAuth token validation" and "workflow host communication" warnings in ULS, typically indicate a breakdown in the trust relationship between SharePoint and the Workflow Manager (WFM) farm.

    Since this occurred after "farm changes", it is highly likely that the Secure-to-Secure (S2S) trust or the certificate thumbprint metadata has become stale or invalid.

    I regret to inform you that this is a user-to-user support forum. Moderators, contributors, and external Microsoft employees participating here do not have access to backend systems as well as a dedicated environment to reproduce your issue. Therefore, the following steps are searched and compiled by me from reported issues, requests, or ideas from the community or official documents:

    1. Check for Expired Workflow Manager Certificates

    Auto-generated WFM certificates typically expire after 5 years. If your farm reaches this age, the trust will break silently.

    • On the Workflow Manager server, run: Get-WFAutoGeneratedCA | Select NotAfter
    • If it has expired, you must regenerate the certificates and re-import the new Root CA to the SharePoint farm's Trusted Root store.

    2. Verify Workflow Service Application Connectivity

    • In Central Administration > Manage Service Applications, select the Workflow Service Application Proxy.
    • Confirm it displays "Workflow is Connected". If it shows "Not Connected," the pairing has been lost.

    3. Refresh Security Token Metadata

    Oftentimes, SharePoint simply has old certificate data in its cache.

    • In Central Administration > Monitoring > Review Timer Jobs, search for and run the "Refresh Trusted Security Token Services Metadata feed" job immediately.
    • This job updates the thumbprints used to validate tokens.

    4. Re-pair the Workflow Service

    If the above steps fail, you may need to force a re-registration using the SharePoint Management Shell:

    Register-SPWorkflowService -SPSite "https://your-site-url" -WorkflowHostUri "https://wfm-server:12290" -AllowOAuthHttp -Force
    

    (Note: Only use -AllowOAuthHttp if your WFM is configured over HTTP)

    I hope this helps you narrow down the cause.


    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
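Added example, not part of the answer above and not Microsoft's own script: a read-only check, run from the SharePoint side, that lists the certificates behind steps 1 and 3 (trusted root authorities and trusted security token issuers) with their expiry state, and shows when the metadata refresh timer job last ran. The 30-day warning window and the helper name `Get-CertState` are assumptions made for this example.

```powershell
# Added example. Run in the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$warnDays = 30          # assumption: anything expiring within 30 days is a warning
$now      = Get-Date

# Hypothetical helper: turns one certificate into a report row.
function Get-CertState {
    param(
        [string]$Source,
        [string]$Name,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    if ($null -eq $Cert) { return }
    $state = 'OK'
    if     ($Cert.NotAfter -lt $now)                    { $state = 'EXPIRED' }
    elseif ($Cert.NotAfter -lt $now.AddDays($warnDays)) { $state = 'EXPIRING' }
    [pscustomobject]@{
        Source     = $Source
        Name       = $Name
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        State      = $state
    }
}

# Root CAs that SharePoint trusts (the Workflow Manager root CA is imported here).
$report = @(Get-SPTrustedRootAuthority | ForEach-Object {
    Get-CertState -Source 'TrustedRootAuthority' -Name $_.Name -Cert $_.Certificate })

# Issuers whose OAuth tokens SharePoint accepts, with their signing certificates.
$report += @(Get-SPTrustedSecurityTokenIssuer | ForEach-Object {
    Get-CertState -Source 'TrustedSecurityTokenIssuer' -Name $_.Name -Cert $_.SigningCertificate })

$report | Sort-Object NotAfter | Format-Table -AutoSize

# When the metadata refresh job from step 3 last ran (matched by its display name).
Get-SPTimerJob |
    Where-Object { $_.DisplayName -like 'Refresh Trusted Security Token Services Metadata feed*' } |
    Select-Object DisplayName, LastRunTime
```

The script only reads farm configuration. Any row marked EXPIRED or EXPIRING, or a refresh job that last ran before the farm changes, points at the certificate and metadata steps in the answer rather than at the workflow definitions.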

