Once in a while you can bump into a warning from K2 Setup Manager which says: “The selected user needs to have Domain Users privileges to proceed” on K2 Site Application Pool Configuration which looks as shown below:
I was not able to confirm what exactly triggers this, but I do know that it happens while specified user in fact has Domain User group membership and I saw it with both K2 4.6.x and K2 Five installers. Good news that bypass this blocking warning is easy – you just need to edit Product.config file in your installation directory and set domainusercheck value to false as shown below:
You will need to restart K2 Setup Manager after saving this change and you should be able to proceed without receiving any any warnings.
The other day I’ve been doing installation of K2 4.7 on standalone (i.e. non-joined to domain) Windows Server 2016 machine with SQL Server installed locally on the same box, and bump into MSDT Network Access analysis result failure, receiving error shown below:
That’s quite a standard warning which explicitly says you what kind of check boxes you need to tick in Local DTC Properties (be sure to use comexp.msc or dcomcfg commands to open Component Services snap-in). K2 Setup Manager will explicitly tell you what checkbox is not set as shown on sample screenshot below:
But if you look at the first screenshot – there is no incorrectly configured settings, and I was pretty sure that I know these settings quite well, having couple of old posts on the topic (see #1, #2). So I was a bit baffled by this warning. After consulting related K2 documentation section I realized that it also indicates that it is necessary to configure relevant firewall rules :
Enable and Configure the DTC Components
Configure firewall to allow MSDTC access with the following command:
Configure firewall to allow SQL Server access with the following command: netsh advfirewall firewall add rule name=”MSSQLSERVER” dir=in action=allow program=”C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\Sqlservr.exe” enable=yes
These firewall settings must be activated on SQL server in order for MSDTC to work:
Despite in my case SQL and K2 servers very hosted on the side machine I tried to add required firewall settings – and, somewhat naturally, it didn’t resolve the error. So it took me searching a bit more till I found relevant MSFT documentation (New functionality in the Distributed Transaction Coordinator service in Windows) which clarifies that “No Authentication Required” option must be used in the following scenarios:
The network access is between computers that are running Microsoft Windows 2000.
The network access is between two domains that do not have a mutual trust configured.
The network access is between computers that are members of a workgroup.
As you can understand having both SQL and K2 on the same server in workgroup mode translates into “network” access is between computers that are members of a workgroup. So to resolve K2 setup manager warning in this scenario it is necessary to tick “No Authentication Required” option in Local DTC Propertis:
I do realize that installation on a member server not joined to domain is not the most frequent scenario (although it is if you install K2 on cloud servers non-joined to domains), it is sad that K2 installer does not report what kind of setting is necessary in the workgroup mode scenario – that goes into nice to have list of additional checks, but until it’s not there you have this post 🙂
Starting from K2 Five 5.1 ability to use SmO methods to populate/determine Role membership was removed and installer will block your upgrade process displaying the following error message:
Error message lists all roles which contain SmartObjects which have to be removed before you can proceed with upgrade (no installer restart required after removal) – this is clear and easy thing to do, and it is documented in KB002145. But in my case my upgrade to 5.2 was complicated by some other fascinating errors and hiccups, I’ll just list them: 5.2 installer was failing to start with unhandled exception (for some reason it didn’t want to work from non system drive / drive which was different from K2 installation drive), it was saying that my installation user does not have required rights (until run using K2 service account), in addition to that all UIs were broken with Invalid Archive type error.
The fact that UIs were broken yet I wanted to move on with upgrade (remove roles) required me to remove SmO from role(s) through the database modification, luckily in this case role membership entries are stored in quite plain and easily readable table – Identity.RoleItem where you can clearly see SmartObject name in FQN column (clearly differs from your regular users and groups in FQN form) with Type 4. To remove SmO from role you just remove entire line from that table, the only thing I would to add: make it your habit to backup K2 DB before you touch it, even if you are super-sure that you know what are you doing 🙂
I hope this information may save some one some time if you run into similar scenario and that’s it for now.
This blog post is just a short
walk-through explaining how to switch your K2 environment from Windows to Forms
authentication. Just to provide you an example of when you may want this – you
can use this configuration when you want to get password prompt on token
expiration while all your forms users working from domain joined workstations
belonging to K2 server domain (that means that STS token refresh will be
happening without any extra password prompts using existing Windows user
credentials to obtain STS token).
Required steps are described in K2 documentation (look under “Forms
Authentication”) but at the moment it does not mention some required steps
which we will cover here.
To switch over to Forms
Authentication you first need to navigate to K2 Management > Authentication
> Claims > Issuers section of K2 Management site:
There you can select K2 Forms STS and Click Edit button to enable “Use for Login” option of this issuer:
Once you enabled this option, switch
over to Authentication > Claims > Realms:
Here you need to edit every realm
and link K2 Forms STS issuers to it (depending on your needs you can do that
only for some realms):
Once you do that your realms should
have K2 Forms STS visible in LINKED ISSUERS column:
At this point if you restart your
browser and try to access K2 sites you will be presented with login method
selection which looks as follows:
If you don’t like this dialog or do
not need to use multiple logon methods just uncheck
“Use for Login” option for K2 Windows STS issuer, with such
configuration you will be getting immediate form authentication prompt on
attempt to access K2 site (and after K2 STS token expiration). This is how it
Up to now we were following steps
from K2 documentation and completed them but if you try to login with correct
credentials you may see the following error:
Error message has the following
Claim mapping configuration cannot be found for this claim. Claim information:
Name='DENALLIX\administrator', Issuer='FormsSTS', Original Issuer='FormsSTS'.
Please ensure that you have configured the K2 server as specified in K2 Help:
Installation and Configuration > Configuration > SharePoint >
tokenXml, ClaimsTokenType tokenType, ClaimsVersion claimsVersion)
sessionCookie, String tokenXml, ClaimsTokenType tokenType, String
connectionString, String authReqSource, ClaimsVersion claimsVersion)
This error and corrective actions to
it do not mentioned in product documentation. To fix this you have to do the
1. Edit K2TokenService.exe.config
located in “%K2_INSTALLATION_ROOT%\Token Service\Bin\” adding your K2
service and K2 application pool accounts into allowedCallers section as
Here is sample of allowedCallers section
2. Save your changes and restart K2
Claims To Windows Token Service aka K2WTS (you can use PoSh command for that –
After performing these steps you
will be able to logon to K2 sites using forms authentication.
K2 versions older than Five rely on MSMQ for task notification emails queuing and processing. Sometimes you may see the following scenario:
You start process which supposed to send task notification. Notification not delivered and there is no error messages logged nor in K2 host server log, MSMQ diagnostic log nor in Eventbus.ClientRecorderError table logged at the time of task assignment. Obviously process does not go into error state as notification delivery performed on “best possible effort” principle and not preventing user from completing assigned task using his worklist which can be exposed through different UIs. At the same time it is possible to see that queue exist and messages gets queued into it (Computer Management snap-in > Services and Applications > Message Queuing > Eventbus > Queue Messages:
If it is not highly loaded production environment you will be able to see that message gets queued per each client event, and you can also see that Message ID gets assigned with increment of 2, with new messages being added to the end of the queue. At this stage you may think that Message Queuing may not run – but this is unlikely as when this service stopped message cannot be placed into queue (that definitely will be logged on K2 side) and you unable to view Queue contents in computer management with the following error:
Other possibility is somehow malformed error message and some glitch in MSMQ service itself – again a bit unlikely as new messages gets queued just fine, but you can try Message Service restart along with removing topmost message from the queue. If that does not help (which most likely will be the case), check the very beginning of your latest K2 host server log (defalut location – “C:\Program Files (x86)\K2 blackpearl\Host Server\Bin”), to verify if it contains the following errors:
In case very beginning of your log contains these error messages:
“7030 Unable to create ‘dlx\EventBus’ queue : ‘Message Queue service is not available.'”
“7030 Unable to create ‘dlx\EventBus Error’ queue : ‘Message Queue service is not available.'”
“EventQueueProcessing.Main”,”7026 Unable to load EventBus Server”
This means that Message Queuing service on K2 server was not running at the time of K2 server start.
To resolve this make sure that Message Queuing service is up and running and restart K2 service – unfortunately there is no other way to reinitialize MSMQ processing thread which gets initialized on K2 service startup.
You may run into this situation after server reboot if K2 service started before Message Queuing service. To prevent this situation from happening you may want to configure K2 service startup to Automatic (Delayed Start) while keeping Message Queuing configured for Automatic start – that will add some delay to K2 service startup as it only will be attempted after all other services configured for Automatic startup will be started, but honestly I don’t see any problem with that – server reboot translates into downtime in any case and slight delay does not make any big difference here. Another, and possible more “fine grained” option to address this is to configure dependency on MSMQ service for K2. To do that run CMD windows in elevated mode and execute the following command:
sc config “K2 blackpearl Server” depend= MSMQ
After successful execution of this command the following dependency for K2 service gets created:
As per MSFT documentation this setting ensures than on machine startup services listed as dependencies are started before attempting to start service which depends on them.