Category Archives: Uncategorized

K2 and AAD manual integration configuration – errors and solutions

Even after doing 3-5 installations which leverage manual integration between K2 and active directory I keep bumping into errors which at times take disproportionally large amount of time to decipher them and pin point that tiny/silly error in configuration settings which prevents your setup from working. So I decided to collate them all into the “symptom-solution list” and keep in one place – i.e. in this blog post.

AADSTS50011: The reply url specified in the request does not match the reply URLs configured for the application


AADSTS50011

That most likely means that Token Endpoint Reply URL is not specified in your AAD app properties. That URL should look as follows https://{K2SiteURL}/identity/token/oauth/2 and you need to make sure that it is added in your app Settings.  You do that in Azure Portal > Azure Active Directory > App Registrations > %Your_K2_App_Name% > Settings > Reply URLs. 

Add required URL and be sure to wait something like 30 seconds at least after applying this change and try logging in again.

AADSTS700016: Application with identifier ‘%APP_URL%’ was not found in the directory ‘%AZURE_DIRECTORY_ID%’

AADSTS700016

dThis error message means either mismatch between identifierUris listed in your app manifest file and URL reported in error message or absence of these URLs in app manifest. Your K2 AAD app manifest file should contain your Runtime and Designer URLs, as shown on the screenshot below:

One thing to remember here is that when you edit App ID URI from AAD app properties and put updated value there it overwrites your identifierUris list in app manifest values – it removes your Designer and Runtime URLs from there (and anything else listed there) and puts updated App ID URI value there, which will give you  AADSTS700016 error.

Claim mapping configuration cannot be found for this claim. Claim information: Name=”

This was the one I wasted hours of troubleshooting time triple-checking all my configuration and asking each and everyone to help me spot what is wrong with my set up, only to discover that I tried to perform logon with my Azure tenant admin account which was listed in AAD users list as account with “Microsoft Account” source whereas it is necessary to create a user in AAD (all of those listed in AAD Users list with “Azure Active Directory” specified in Source column). I’m not 100% sure if this problem can be better handled on K2 side to present more actionable/clear error message – one we have here nudge you into direction of checking identity claim mapping while in this scenario problem is completely different.

Unable to search against AAD label in K2 Management UI – URMService error: Unable to find AAD token. OAuth resource is null

Unable to find AAD token. OAuth resource is null.

I run into this while going through manual AAD integration configuration process and not quite sure whether I missed some step in the process, but I’ve end up in the situation when I could logon into K2 Management using AAD account, but was not able to grant any Server rights to my AAD users as search against AAD label in K2 management was throwing this error. At the same time I had cached token for K2 service account created through registration of AAD service instance in tester tool and AAD Service Instance SmartObjects in Tester Tool were working just fine.

This issue is caused by the empty value in RoleInit for AAD label, i.e it contains something like this:

<roleprovider />

while it should contain reference to OAuthResourceID , i.e. something like this:

<RoleInit><OAuthResourceID>%OAuthResourceID_GUID%</OAuthResourceID></RoleInit>

So grab your OAuthResourceID from Authorization.OAuthResource table and update AAD security label RoleInit value using this script:

https://github.com/mikerodionov/ps-scripts/blob/master/K2/Update_RoleInit_value.sql

In case you added OAuthResourceID reference into RoleInit and error message changed to infamous “Object reference not set to an instance of an object”, make sure that you added correct ID existing in Authorization.OAuthResource table (trust me I’ve made this mistake and saw this error 🙂 ).

Admin consent has been granted before, but upon registering AAD service instance you keep getting admin consent request (4.7)

Problem here is incorrectly generated URL containing “&prompt=admin_consent” parameter (that has been fixed in latest versions probably) but all you need to do is just manually remove this parameter during the very end of URL in opened browser window. This problem sometimes referred to as “admin consent loop” 🙂

I will be extending this list with other error messages as I encounter them.

Please follow and like us:
error0

How to: Join Windows Server 2012 Core to domain

Since Windows Server 2012 allowed add/remove of GUI “on the fly” via Uninstall-WindowsFeature/Ininstall-WindowsFeature and their aliases amount of questions “How do I do X in Server Core” decreased drastically as there is now universal lazy man response to this – temporarily add GUI do thing X and remove GUI again. Not always time efficient but effective 🙂

Anyhow almost everything can be done without GUI. Here is your option to perform domain join operation for server core box:

1) Old-school crutch sconfig 🙂 Option (1):

sconfig

You may see that it actually uses in netdom.exe in the background when it asks for password:

sconfig domain join

It even suggest you to change computer name in case you forgot do it in advance:

sconfig domain join - computer name change prompt

Assuming you entered correct password and DNS/IP settings allow you to locate and reach out domain controller you will receive reboot prompt in the end of this process:

sconfig domain join - restart prompt

Once restart is performed you can verify the results either via WMIC or PowerShell:

sconfig domain join - verify via WMIC or PS

2) Add-Computer commandlet.

3) djoin command. This one allows to perform offline domain join.

djoin

There is also related dsadd command but this can only be used to pre-create computer account in domain. This utility will create a computer account in the domain, but will not join the local computer from a workgroup to a domain.

 

Please follow and like us:
error0

Latest K2 versions and IE8 support

For customers using K2 smatforms it is not a revelation that IE8 is not something fully supported. In fact IE8 support has been imited to end-user runtime execution only – K2 smartforms runtime, K2 workspace (Home Page, Reports Runtime, Worklist and Single Sign-On) and K2 web parts since K2 smartforms 1.0. And IE8 support was dropped entirely starting from K2 smartforms 4.6.9. It seems to be that it was high time to do so as investments in maintaining compatibility with a piece of software originally released back in March 2009 does not seem to be justified.

IE8 About

Those shops where for one or another reason IE8 is still being used would be interested in freshly published K2 KB entitled “Known issues when running Forms or the Forms Viewer web part in Internet Explorer 8 or IE8 Compatibility mode” which gives detailed overview of issues you may encounter when using latest versions of K2 smartforms (4.6.9, 4.6.10) and IE8.

Please follow and like us:
error0

Garbage in garbage out

Found this nice quotation in “Governance of IT: An executive guide to ISO / IEC 38500” by A. L. Holt:

\n\n

On two occasions I have been  asked [by members of Parliament], Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?’ I am not able to comprehend the kind of confusion of ideas that could provoke such a question.

\n(Babbage 1864)

Please follow and like us:
error0

Number of connections for full mesh topology

In full mesh topology the number of connections required per given number of nodes grows as a power of 2. General function for the number of connection in full mesh:

f(x)=(x^2-x)/2

x – number of nodes in the network, f(x) – number of connections

So for 2 nodes you need 1 line, for 3 – 3, for 4 – 6, for 5 – 10 etc.  

Please follow and like us:
error0