K2 and AAD manual integration configuration – errors and solutions

Even after doing 3-5 installations which leverage manual integration between K2 and Active Directory, I keep bumping into errors which at times take a disproportionately large amount of time to decipher and to pinpoint that tiny/silly error in the configuration settings which prevents your setup from working. So I decided to collate them all into a “symptom-solution list” and keep it in one place – i.e. in this blog post.

AADSTS50011: The reply url specified in the request does not match the reply URLs configured for the application


That most likely means that the Token Endpoint Reply URL is not specified in your AAD app properties. That URL should look as follows: https://{K2SiteURL}/identity/token/oauth/2, and you need to make sure that it is added in your app Settings. You do that in Azure Portal > Azure Active Directory > App Registrations > %Your_K2_App_Name% > Settings > Reply URLs.

Add the required URL, wait at least 30 seconds or so after applying this change, and then try logging in again.

AADSTS700016: Application with identifier ‘%APP_URL%’ was not found in the directory ‘%AZURE_DIRECTORY_ID%’


This error message means either a mismatch between the identifierUris listed in your app manifest file and the URL reported in the error message, or the absence of these URLs from the app manifest. Your K2 AAD app manifest file should contain your Runtime and Designer URLs, as shown on the screenshot below:

One thing to remember here is that when you edit the App ID URI in the AAD app properties and put an updated value there, it overwrites your identifierUris list in the app manifest – it removes your Designer and Runtime URLs from there (and anything else listed there) and puts the updated App ID URI value there alone, which will give you the AADSTS700016 error.
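Both of the errors above come down to a value that is missing from the app manifest, so it is worth checking the exported manifest offline before you start clicking around the portal. The following script is an added example, not code from the original post or from K2: it reads the manifest JSON (assumed to use the legacy keys identifierUris and replyUrls), compares it with the token reply URL in the form given above and with the Runtime/Designer URLs you pass in, and reports which AADSTS code each gap would produce. It also shows the safe way to add URIs, i.e. merging into the existing list rather than overwriting it the way editing App ID URI does. Host names and the sample manifest are constructed.

```python
"""Added example, not code from the original post: check an exported Azure AD
app manifest offline for the two configuration gaps described above.

Assumptions (not stated on the page): the manifest is the JSON exported from
the portal, using the legacy keys "identifierUris" and "replyUrls"; the K2
Runtime and Designer URLs are supplied by the caller.
"""
import json
from urllib.parse import urlparse


def expected_token_reply_url(k2_site_url):
    """Token endpoint reply URL in the form the post gives:
    https://{K2SiteURL}/identity/token/oauth/2 (accepts a bare host or a full URL)."""
    if "://" not in k2_site_url:
        k2_site_url = "https://" + k2_site_url
    host = urlparse(k2_site_url).netloc
    return f"https://{host}/identity/token/oauth/2"


def _norm(url):
    # Compare URLs case-insensitively and without a trailing slash.
    return url.rstrip("/").lower()


def check_manifest(manifest_json, k2_site_url, app_urls):
    """Return findings keyed by the AADSTS code the gap would produce.

    AADSTS50011  -> token reply URL missing from replyUrls
    AADSTS700016 -> a Runtime/Designer URL missing from identifierUris
    An empty dict means both checks passed.
    """
    manifest = json.loads(manifest_json)
    reply_urls = {_norm(u) for u in manifest.get("replyUrls", [])}
    id_uris = {_norm(u) for u in manifest.get("identifierUris", [])}
    findings = {}
    token_url = expected_token_reply_url(k2_site_url)
    if _norm(token_url) not in reply_urls:
        findings["AADSTS50011"] = [token_url]
    missing = [u for u in app_urls if _norm(u) not in id_uris]
    if missing:
        findings["AADSTS700016"] = missing
    return findings


def merge_identifier_uris(manifest_json, app_urls):
    """Add the K2 URLs to identifierUris without dropping what is already there.
    Editing App ID URI in the portal overwrites the whole list, which is how
    the AADSTS700016 gap usually appears; this merge keeps existing entries."""
    manifest = json.loads(manifest_json)
    existing = manifest.get("identifierUris", [])
    present = {_norm(u) for u in existing}
    manifest["identifierUris"] = existing + [u for u in app_urls if _norm(u) not in present]
    return json.dumps(manifest)


# Constructed sample: App ID URI was edited in the portal, so identifierUris
# now holds only that value and the K2 URLs are gone. Host names are made up.
K2_SITE = "k2.contoso.example"
K2_APP_URLS = [f"https://{K2_SITE}/Runtime", f"https://{K2_SITE}/Designer"]
SAMPLE_MANIFEST = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000000",
    "identifierUris": ["https://contoso.example/k2-app"],
    "replyUrls": [f"https://{K2_SITE}/identity/token/oauth/2"],
})

if __name__ == "__main__":
    print(check_manifest(SAMPLE_MANIFEST, K2_SITE, K2_APP_URLS))
    fixed = merge_identifier_uris(SAMPLE_MANIFEST, K2_APP_URLS)
    print(check_manifest(fixed, K2_SITE, K2_APP_URLS))
```

Run it against the manifest downloaded from the portal and the Runtime/Designer URLs of your environment; an empty result means neither of the two errors above should come from the manifest, and you can look elsewhere.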

Claim mapping configuration cannot be found for this claim. Claim information: Name=”

This was the one on which I wasted hours of troubleshooting time triple-checking all my configuration and asking each and everyone to help me spot what is wrong with my set up, only to discover that I tried to perform logon with my Azure tenant admin account, which was listed in the AAD users list as an account with “Microsoft Account” source, whereas it is necessary to create a user in AAD (all of those listed in the AAD Users list with “Azure Active Directory” specified in the Source column). I’m not 100% sure if this problem can be better handled on the K2 side to present a more actionable/clear error message – the one we have here nudges you in the direction of checking identity claim mapping, while in this scenario the problem is completely different.

Unable to search against AAD label in K2 Management UI – URMService error: Unable to find AAD token. OAuth resource is null


I ran into this while going through the manual AAD integration configuration process and I’m not quite sure whether I missed some step in the process, but I ended up in the situation where I could log on to K2 Management using an AAD account, but was not able to grant any Server rights to my AAD users, as a search against the AAD label in K2 Management was throwing this error. At the same time I had a cached token for the K2 service account created through registration of the AAD service instance in the tester tool, and the AAD Service Instance SmartObjects in the Tester Tool were working just fine.

This issue is caused by an empty value in RoleInit for the AAD label, i.e. it contains something like this:

<roleprovider />

while it should contain a reference to the OAuthResourceID, i.e. something like this:

<RoleInit><OAuthResourceID>%OAuthResourceID_GUID%</OAuthResourceID></RoleInit>

So grab your OAuthResourceID from the Authorization.OAuthResource table and update the AAD security label RoleInit value using this script:

https://github.com/mikerodionov/ps-scripts/blob/master/K2/Update_RoleInit_value.sql

In case you added the OAuthResourceID reference into RoleInit and the error message changed to the infamous “Object reference not set to an instance of an object”, make sure that you added a correct ID which exists in the Authorization.OAuthResource table (trust me, I’ve made this mistake and seen this error 🙂 ).
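The two symptoms in this section (“OAuth resource is null” and “Object reference not set to an instance of an object”) map cleanly onto two states of the RoleInit value, so a quick check before and after running the update script saves a round of guessing. The script below is an added example, not code from the original post or from K2: it parses a RoleInit XML string, extracts the OAuthResourceID, and classifies it as missing, not a GUID, not present in the list of known IDs, or ok. It assumes you pass in the RoleInit string and the list of IDs yourself (in practice read from the security label and from Authorization.OAuthResource); the IDs and RoleInit samples are constructed.

```python
"""Added example, not code from the original post: validate the RoleInit XML of
the AAD security label before (or after) running the update script.

Assumptions (not stated on the page): RoleInit is passed in as a string and
the set of valid OAuthResourceID values is a constructed sample; in practice
both would be read from the K2 database (RoleInit from the security label,
the IDs from Authorization.OAuthResource).
"""
import uuid
import xml.etree.ElementTree as ET


def parse_oauth_resource_id(role_init):
    """Return the OAuthResourceID text from a RoleInit XML string, or None
    when the XML is empty, malformed, or has no such element."""
    try:
        root = ET.fromstring(role_init)
    except ET.ParseError:
        return None
    if root.tag != "RoleInit":
        return None
    node = root.find("OAuthResourceID")
    if node is None or not (node.text or "").strip():
        return None
    return node.text.strip()


def diagnose_role_init(role_init, known_ids):
    """Map a RoleInit value to one of four states:
    'missing' - no OAuthResourceID (the 'OAuth resource is null' error)
    'invalid' - value present but not a GUID
    'unknown' - GUID not in Authorization.OAuthResource (the
                'Object reference not set to an instance of an object' error)
    'ok'      - references an existing resource
    """
    rid = parse_oauth_resource_id(role_init)
    if rid is None:
        return "missing"
    try:
        uuid.UUID(rid)
    except ValueError:
        return "invalid"
    if rid.lower() not in {k.lower() for k in known_ids}:
        return "unknown"
    return "ok"


# Constructed sample of IDs as they might come from Authorization.OAuthResource.
KNOWN_OAUTH_RESOURCE_IDS = ["11111111-2222-3333-4444-555555555555"]

# Constructed RoleInit values: the empty one from the post, a correct one,
# and one that references an ID that does not exist in the table.
EMPTY_ROLEINIT = "<roleprovider />"
GOOD_ROLEINIT = ("<RoleInit><OAuthResourceID>11111111-2222-3333-4444-555555555555"
                 "</OAuthResourceID></RoleInit>")
WRONG_ID_ROLEINIT = ("<RoleInit><OAuthResourceID>99999999-2222-3333-4444-555555555555"
                     "</OAuthResourceID></RoleInit>")

if __name__ == "__main__":
    for label, value in [("empty", EMPTY_ROLEINIT), ("good", GOOD_ROLEINIT),
                         ("wrong id", WRONG_ID_ROLEINIT)]:
        print(label, diagnose_role_init(value, KNOWN_OAUTH_RESOURCE_IDS))
```

Feed it the RoleInit value of the AAD label and the IDs selected from Authorization.OAuthResource: “missing” is the situation this section describes, “unknown” is the typo scenario that produces the null reference error.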

Admin consent has been granted before, but upon registering AAD service instance you keep getting admin consent request (4.7)

The problem here is an incorrectly generated URL containing the “&prompt=admin_consent” parameter (that has probably been fixed in the latest versions), but all you need to do is manually remove this parameter from the very end of the URL in the opened browser window. This problem is sometimes referred to as the “admin consent loop” 🙂

I will be extending this list with other error messages as I encounter them.
