Category Archives: K2

How To: Re-configure your K2 environment to use forms authentication

This blog post is a short walk-through explaining how to switch your K2 environment from Windows to Forms authentication. As an example of when you may want this: you can use this configuration when you want users to get a password prompt on token expiration even though all your forms users work from domain-joined workstations belonging to the K2 server domain (where the STS token refresh would otherwise happen without any extra password prompts, using the existing Windows user credentials to obtain the STS token).

The required steps are described in the K2 documentation (look under “Forms Authentication”), but at the moment it does not mention some required steps, which we will cover here.

To switch over to Forms Authentication, first navigate to the K2 Management > Authentication > Claims > Issuers section of the K2 Management site:

K2 Management – Issuers

There you can select K2 Forms STS and click the Edit button to enable the “Use for Login” option of this issuer:

K2 Management – Edit K2 Forms STS issuer

Once you have enabled this option, switch over to Authentication > Claims > Realms:

K2 Management – Realms

Here you need to edit every realm and link the K2 Forms STS issuer to it (depending on your needs, you can do that only for some realms):

K2 Management – Edit Issuer

Once you do that, your realms should have K2 Forms STS visible in the LINKED ISSUERS column:

K2 Management – Linked Issuers Column

At this point, if you restart your browser and try to access K2 sites, you will be presented with a login method selection which looks as follows:

K2 Login Method Selection

If you don’t like this dialog or do not need multiple logon methods, just uncheck the “Use for Login” option for the K2 Windows STS issuer. With this configuration you will get an immediate forms authentication prompt on any attempt to access a K2 site (and after K2 STS token expiration). This is how it looks:

K2 Forms Authentication Logon Page

Up to now we have been following the steps from the K2 documentation and have completed them, but if you try to log in with correct credentials you may see the following error:

Server Error – Claim mapping configuration cannot be found for this claim

The error message has the following text:

Server Error
Claim mapping configuration cannot be found for this claim. Claim information: Name='DENALLIX\administrator', Issuer='FormsSTS', Original Issuer='FormsSTS'. Please ensure that you have configured the K2 server as specified in K2 Help: Installation and Configuration > Configuration > SharePoint > Claims-based Authentication.
More Details
at SourceCode.Hosting.Server.Runtime.HostSecurityManager.GetClaimsUserName(String tokenXml, ClaimsTokenType tokenType, ClaimsVersion claimsVersion)
at SourceCode.Hosting.Server.Runtime.HostSecurityManager.AuthenticateIIdentitySession(String sessionCookie, String tokenXml, ClaimsTokenType tokenType, String connectionString, String authReqSource, ClaimsVersion claimsVersion)

This error and the corrective actions for it are not mentioned in the product documentation. To fix it, do the following:

1. Edit K2TokenService.exe.config, located in “%K2_INSTALLATION_ROOT%\Token Service\Bin\”, adding your K2 service and K2 application pool accounts to the allowedCallers section as shown below:

K2TokenService.exe.config – allowedCallers

Here is a sample of the allowedCallers section text:

<allowedCallers>
  <clear />
  <add value="denallix\k2webservice" />
  <add value="denallix\k2service" />
</allowedCallers>

2. Save your changes and restart the K2 Claims To Windows Token Service, aka K2WTS (you can use a PowerShell command for that: Restart-Service K2WTS).

After performing these steps you will be able to log on to K2 sites using forms authentication.
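
Steps 1 and 2 can be scripted. The PowerShell below is an added example, not part of the original post or of K2's own tooling: it backs up the config, adds only the missing accounts to allowedCallers, and restarts K2WTS if something changed. The default install root and the account names are assumptions taken from the samples on this page.

```powershell
param(
    # Assumption: set this to your %K2_INSTALLATION_ROOT%.
    [string]$K2Root = 'C:\Program Files (x86)\K2 blackpearl',
    # Assumption: sample accounts from this post (K2 app pool and K2 service).
    [string[]]$Callers = @('denallix\k2webservice', 'denallix\k2service')
)

$configPath = Join-Path $K2Root 'Token Service\Bin\K2TokenService.exe.config'

# Keep a timestamped copy so the change can be rolled back.
$stamp = Get-Date -Format 'yyyyMMddHHmmss'
Copy-Item -LiteralPath $configPath -Destination "$configPath.$stamp.bak"

$xml = New-Object System.Xml.XmlDocument
$xml.Load($configPath)

# local-name() keeps the lookup working even if the file declares a namespace.
$node = $xml.SelectSingleNode("//*[local-name()='allowedCallers']")
if (-not $node) { throw "No <allowedCallers> element found in $configPath" }

$existing = @($node.SelectNodes("*[local-name()='add']") |
    ForEach-Object { $_.GetAttribute('value') })

$changed = $false
foreach ($caller in $Callers) {
    # -notcontains compares case-insensitively, like Windows account names.
    if ($existing -notcontains $caller) {
        $add = $xml.CreateElement('add', $node.NamespaceURI)
        $add.SetAttribute('value', $caller)
        [void]$node.AppendChild($add)
        $changed = $true
    }
}

if ($changed) {
    $xml.Save($configPath)
    Restart-Service -Name K2WTS   # the config is only re-read on service start
}

# Print the resulting allow-list so it can be reviewed.
$node.SelectNodes("*[local-name()='add']") |
    ForEach-Object { $_.GetAttribute('value') }
```

allowedCallers is an allow-list, so add only the accounts that need it and review the printed list after each change.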


K2 – no task notifications processing due to “Unable to load EventBus Server” error

K2 versions older than Five rely on MSMQ for queuing and processing task notification emails. Sometimes you may see the following scenario:

You start a process which is supposed to send a task notification. The notification is not delivered, and no error messages are logged at the time of task assignment in the K2 host server log, the MSMQ diagnostic log, or the Eventbus.ClientRecorderError table. The process does not go into an error state, as notification delivery is performed on a “best possible effort” principle and does not prevent the user from completing the assigned task using his worklist, which can be exposed through different UIs.
At the same time, you can see that the queue exists and messages get queued into it (Computer Management snap-in > Services and Applications > Message Queuing > Eventbus > Queue Messages):

If this is not a highly loaded production environment, you will be able to see that a message gets queued for each client event, and that Message IDs are assigned in increments of 2, with new messages added to the end of the queue. At this stage you may think that Message Queuing is not running, but this is unlikely: when this service is stopped, messages cannot be placed into the queue (that will definitely be logged on the K2 side) and you are unable to view the queue contents in Computer Management, getting the following error:

Another possibility is some malformed error message and some glitch in the MSMQ service itself. Again, this is a bit unlikely, as new messages get queued just fine, but you can try restarting the Message Queuing service along with removing the topmost message from the queue. If that does not help (which most likely will be the case), check the very beginning of your latest K2 host server log (default location – “C:\Program Files (x86)\K2 blackpearl\Host Server\Bin”) to verify whether it contains the following errors:

In case the very beginning of your log contains these error messages:

  • “7030 Unable to create ‘dlx\EventBus’ queue : ‘Message Queue service is not available.'”
  • “7030 Unable to create ‘dlx\EventBus Error’ queue : ‘Message Queue service is not available.'”
  • “EventQueueProcessing.Main”,”7026 Unable to load EventBus Server”

This means that the Message Queuing service on the K2 server was not running at the time the K2 server started.

To resolve this, make sure that the Message Queuing service is up and running and restart the K2 service. Unfortunately, there is no other way to reinitialize the MSMQ processing thread, which is initialized on K2 service startup.

You may run into this situation after a server reboot if the K2 service started before the Message Queuing service. To prevent this, you may want to configure the K2 service startup type as Automatic (Delayed Start) while keeping Message Queuing configured for Automatic start. That will add some delay to K2 service startup, as it will only be attempted after all other services configured for Automatic startup have been started, but honestly I don’t see any problem with that: a server reboot translates into downtime in any case, and a slight delay does not make any big difference here. Another, and possibly more “fine grained”, option is to configure a dependency on the MSMQ service for K2. To do that, open a CMD window in elevated mode and execute the following command:

sc config "K2 blackpearl Server" depend= MSMQ

After successful execution of this command, the following dependency is created for the K2 service:

As per Microsoft documentation, this setting ensures that on machine startup the services listed as dependencies are started before an attempt is made to start the service which depends on them.
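
The checks and the dependency fix described in this post, as an added PowerShell example (not from the original post or from K2): it reports the MSMQ state, whether the K2 service already depends on MSMQ, and any 7026/7030 startup errors at the head of the newest host server log. The log file name pattern `HostServer*.log` is an assumption; the service name and log folder are the ones used above.

```powershell
param(
    [string]$K2Service = 'K2 blackpearl Server',
    [string]$LogDir    = 'C:\Program Files (x86)\K2 blackpearl\Host Server\Bin',
    [switch]$Fix       # add the MSMQ dependency if it is missing
)

$msmq = Get-Service -Name MSMQ
$k2   = Get-Service -Name $K2Service
$deps = @($k2.ServicesDependedOn | ForEach-Object { $_.Name })

# Newest host server log (file name pattern is an assumption).
$log = Get-ChildItem -LiteralPath $LogDir -Filter 'HostServer*.log' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1

# The errors appear at the very beginning of the log, so only read its head.
$hits = @()
if ($log) {
    $hits = @(Get-Content -LiteralPath $log.FullName -TotalCount 200 |
        Select-String -Pattern '70(26|30) Unable to (create|load)')
}

[pscustomobject]@{
    MsmqStatus      = $msmq.Status
    K2DependsOnMsmq = ($deps -contains 'MSMQ')
    LogChecked      = $(if ($log) { $log.Name } else { $null })
    StartupErrors   = $hits.Count
}
$hits | ForEach-Object { $_.Line }

if ($Fix -and ($deps -notcontains 'MSMQ')) {
    # "depend=" replaces the whole dependency list, so keep the existing
    # service dependencies and append MSMQ ('/' separates the entries).
    $newDeps = ($deps + 'MSMQ') -join '/'
    # Call sc.exe explicitly: in Windows PowerShell "sc" is an alias
    # for Set-Content.
    & sc.exe config $K2Service depend= $newDeps
}
```

If StartupErrors is non-zero, the K2 service still has to be restarted once Message Queuing is running, as described above; the dependency only protects future starts.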


Start multiple workflow instances with PowerShell

You can find a sample PowerShell script for starting multiple process instances in the K2 Developer Reference; below you can find a slightly modified version which I normally use. I’ve only added some variables to specify the desired number of instances, the project and workflow name, along with the folio value.


Unable to add/remove K2 Environment Fields – “You are not authorized to perform the requested operation”

In certain scenarios (for example, when you have changed your K2 administrative accounts) you may see the following error when trying to add or remove an Environment Field in the Environment Library:

You are not authorized to perform the requested operation

This may happen even for a user who has been assigned the K2 Administrator role in Setup Manager, when custom security was configured on the Environment Library and it didn’t include this specific account.

To resolve this (provided you have an account with administrative rights), look at the Security settings available under the list of variables themselves when you navigate to Environment Library > %Environment Library Name%:

Environment Variable Security Settings

Just add the required user, assigning him Modify rights, to resolve this issue.


K2 Mobile Applications – Updated landing page

It used to be somewhat confusing with two mobile apps (K2 Workspace and K2 Mobile) for two platforms (iOS and Android), but the recently updated K2 Mobile Applications help landing page makes things clear right off the bat, making it easy for you to navigate to the right information:

K2 Mobile Applications Documentation Landing Page – App Version and Platform selection

There are also a couple of useful links at the bottom of the new landing page, namely Distributing K2 Mobile Application with MDM and K2 Mobile Support Policy:


K2 Mobile Applications Documentation Landing Page – Additional Resources

Really good job on the K2 documentation team’s side 🙂 I really see that the product documentation is becoming better and easier to use.
