This blog post is just a short walk-through explaining how to switch your K2 environment from Windows to Forms authentication. Just to provide you an example of when you may want this – you can use this configuration when you want to get password prompt on token expiration while all your forms users working from domain joined workstations belonging to K2 server domain (that means that STS token refresh will be happening without any extra password prompts using existing Windows user credentials to obtain STS token).
Required steps are described in K2 documentation (look under “Forms Authentication”) but at the moment it does not mention some required steps which we will cover here.
To switch over to Forms Authentication you first need to navigate to K2 Management > Authentication > Claims > Issuers section of K2 Management site:
There you can select K2 Forms STS and Click Edit button to enable “Use for Login” option of this issuer:
Once you enabled this option, switch over to Authentication > Claims > Realms:
Here you need to edit every realm and link K2 Forms STS issuers to it (depending on your needs you can do that only for some realms):
Once you do that your realms should have K2 Forms STS visible in LINKED ISSUERS column:
At this point if you restart your browser and try to access K2 sites you will be presented with login method selection which looks as follows:
If you don’t like this dialog or do
not need to use multiple logon methods just uncheck
“Use for Login” option for K2 Windows STS issuer, with such configuration you will be getting immediate form authentication prompt on attempt to access K2 site (and after K2 STS token expiration). This is how it looks like:
Up to now we were following steps from K2 documentation and completed them but if you try to login with correct credentials you may see the following error:
Error message has the following text:
Claim mapping configuration cannot be found for this claim. Claim information: Name='DENALLIX\administrator', Issuer='FormsSTS', Original Issuer='FormsSTS'. Please ensure that you have configured the K2 server as specified in K2 Help: Installation and Configuration > Configuration > SharePoint > Claims-based Authentication.
at SourceCode.Hosting.Server.Runtime.HostSecurityManager.GetClaimsUserName(String tokenXml, ClaimsTokenType tokenType, ClaimsVersion claimsVersion)
at SourceCode.Hosting.Server.Runtime.HostSecurityManager.AuthenticateIIdentitySession(String sessionCookie, String tokenXml, ClaimsTokenType tokenType, String connectionString, String authReqSource, ClaimsVersion claimsVersion)
This error and corrective actions to it do not mentioned in product documentation. To fix this you have to do the following:
1. Edit K2TokenService.exe.config located in “%K2_INSTALLATION_ROOT%\Token Service\Bin\” adding your K2 service and K2 application pool accounts into allowedCallers section as shown below:
Here is sample of allowedCallers section text:
<add value=”denallix\k2webservice” />
<add value=”denallix\k2service” />
2. Save your changes and restart K2 Claims To Windows Token Service aka K2WTS (you can use PoSh command for that – Restart-Service K2WTS).
After performing these steps you will be able to logon to K2 sites using forms authentication.