Tag Archives: K2 Workspace

K2 Mobile Applications – Updated landing page

It used to be somewhat confusing with two mobile apps (K2 Workspace and K2 Mobile) for two platforms (iOS and Android), but recently updated K2 Mobile Applications help landing page makes things clear right off the bat making it easy for you to navigate to the right information:

K2 Mobile Applications Documentation Landing Page – App Version and Platform selection

There is also couple of useful links on the bottom of new landing page, namely Distributing K2 Mobile Application with MDM and K2 Mobile Support Policy:

K2 Mobile Applications Documentation Landing Page – Additional Resources

Really good job on K2 documentation team side ūüôā I really see that product documentation becomes better and easier to use.

Freshly installed K2 – unable to access K2 workspace with HTTP Error 401.2

I’ve recently did some quick and dirty installation of K2 4.6.11 on Server 2008 (non R2) hence all you have there is PoSh 2.0 it is not possible to use amazing K2Field.PreReq script to take care about all the prerequisites (it will work for server 2012-2016). So I just went ahead and tried to satisfy complaints from K2 blakcpearl setup manager as I go adding IIS along with¬†KB980368 as indicated by Setup Manager. Alas after installing I was not able to access K2 Workspace with the following error:

“You are not authorized to view this page due to invalid authentication headers.” Why? Quick check of K2 Workspace site authentication showed that Windows Authentication is missing, while according to K2 documentation (source)¬†K2 Workspace does not function if IIS is not configured correctly. Configure the IIS application pool Managed Pipeline mode setting to Classic and ensure that:¬†¬†

  • Windows Authentication is enabled
  • Anonymous authentication is disabled

So I just went ahead and added Windows Authentication role service and all started work correctly after this. It tells us that: A) K2 setup manager created site config file correctly specifying required authentication method, it just was not installed/available B) Not sure why K2 Setup Manager does not have built-in check to flag this at the installation stage. C) Read up documentation carefully, in this case this page.

Initialization failed before PreInit: Unable to establish a secure connection with the Active Directory server

The other day I had a support case where temporary outage of AD DS infrastructure caused K2 workspace to enter into the error state where it started throwing the following error:

“An error has occurred.

Please contact your administrator.


Initialization failed before PreInit: Unable to establish a secure connection with the Active Directory server.

Possible causes

– the ADConnectionString in the K2 Workspace web.config may have an incorrect LDAP path.

– the physical connection to the Active Directory Server might be down.

– please review log files for more information.”

Just for lazy readers and those in a hurry: Bump into error above? Try Recycle Application Pool which runs your K2 Workspace (default application pool name is “K2”).

The tricky thing here that it is really easy to miss short period of AD outage and start “fixing” K2 instead. But in case this is an environment which used to work and you are sure ¬†that no changes were made in K2 configuration recently then it is just an issue caused by AD DS outage.

When K2 Workspace is loaded it attempts to establish the connection with AD as the application pool account. If there is an issue with accessing AD under this account it leads to above mentioned error. What can be wrong with this account? It can be disabled or locked out in AD but also after AD DS outage it may be necessary to perform K2 workspace application pool restart to force it to reconnect to AD DS. Now the interesting thing here is that a lot of people trying to use a big hammer immediately, i.e. iisreset and it may not fix this issue sometimes (according to my experience) leaving you wondering why IIS reset does not fix this, where as just K2 Workspace application pool restart does.

In attempt to remove any confusion you mat want to read up a bit on iisreset VS Recycling Рand good explanation of this can be found here. Your main take away from that post should be understanding of IIS architecture and its 3 main components:

IIS Architecture 2

Image source –¬†IIS7 For Non IIS PFEs

Three components are the following:

  1. HTTP.SYS (runs in Kernel Mode).  This component responsible for client connection management, routing requests from browsers, and managing response cache.
  2. Worker Processes (run in User Mode). If you look at the picture above that we may also have so called Web Garden which is nothing more than application pool which allowed to use more than one worker processes by means of setting “Maximum number of worker processes” to a value higher than 1. Web garden feature has been designed for one purpose which is “Offering applications that are not CPU-bound but execute long running requests the ability to scale and not use up all threads available in the worker process.” Leaving out Web Gardens each Application Pool has one specific worker process within which it is running (W3wp.exe). Worker process¬†handles all the contents (aka static contents), such as HTML/GIF/JPG files, and runs dynamic contents, such as ASP/ASP.NET applications. Therefore, the status of W3WP process (=Application Pool) is critical for the performance and stability of web applications, or web sites.
  3. IIS Admin Services (run in User Mode). Prior to IIS7 there used to be IISADMIN service which used to host the IIS 6.0 configuration compatibility component (metabase). The metabase is required to run IIS 6.0 administrative scripts, SMTP, and FTP. Starting from IIS7 we have Windows Process Activation Service (WAS) which manages application pool configuration and worker processes instead of the WWW Service. This enables you to use the same configuration and process model for HTTP and non-HTTP sites.

OK it seems I went in too much of details here and now have to get back to main topic here: main thing for you to know is what actually happens when you execute iisreset. It actually restart IIS services (all of them) and for most of us this is exactly what we expect and this is what may make you wonder about why IIS reset does not fix an issue, where specific application pool restart does it? Sounds strange…

I would venture to suggest that iisreset may fail to restart some of specific w3wp processes sometimes but after spending couple of hours searching through the web and doing couple of quick tests this does not seem to be the case. But what I can say based on above mentioned article you should actually prefer Application Pool recycle anyway.

On a side note I would also be aware of the following iisreset keys:

iisreset /status

Output of this will look as follows:


It gives you current status of all IIS services as well as what exactly will be restarted by iisreset.

iisreset /noforce

This parameter prevents the server from forcefully stop worker processes process. This can cause IIS to reset slower but is more graceful. With this parameter it is a compromise between lowering downtime and trying to be less disruptive to what is already running.

And just to confirm iisereset executed without any keys is the same iisreset /restart

Getting back to K2 Workspace issue mentined in the very beginning of this article my advice is try to Recycle your K2 workspace application pool – it is preferable and less disruptive action than iisreset.¬†When you recycle an application pool, IIS will create a new process (keeping the old one) to serve requests. Then it tries to move all requests on the new process. This is known as “overlapped recycling” as opposed to “process recycling” and it is default behavior for all IIS application pools.

In case it did not help you to resolve “Initialization failed before PreInit: Unable to establish a secure connection with the Active Directory server” error in K2 Workspace below are some K2 side checks to do.¬†Make sure that:

  1. K2 Workspace site is running in IIS Manager (not Stopped)
  2. Application Pool designated to run this site and applications therein are running as well. If they are not running, the service account running the K2 Workspace application pool may be locked in Active Directory.
  3. Make sure the Workspace Application Pool account has at least read access in AD for the newly added domain (in case you added any) or in one which you always had. When Workspace is loaded it attempts to establish the connection with AD as an application pool account.
  4. Try including the domain controller name and LDAP port number in the LDAP connection string as follows:
    <add name="ADConnectionString2" connectionString="LDAP://[DomainControllerName]:[port]/MyDomain.com" />


    <add name="ADConnectionString2" connectionString="LDAP://[DomainControllerName]/MyDomain.com" />
  5. If you continue to get the same error you may try using the Distinguished name format for the domain instead, for example:
    <add name="ADConnectionString2" connectionString="LDAP://[DomainControllerName]/DC=MyDomain,DC=com" />

If after checking all these things issue still persist consider enabling TracingPath in the Workspace web.config, to get a more detailed debug output from the PreInit error.


K2 blackpearl Workspace security management

Sooner or later after you done with¬†your initial implementation of K2 question of restricting access to K2 Workspace being brought up by somebody and though your configuration options are not very flexible here there is a way to do it (KB000291), the thing is that you should not rush into making changes into this area without reading documentation first (don’t tell me that it is what you normally do all the time).

What quite often happens here is as soon as a person charged with this task finds “how” part of it he/she rush to configure it without reading into any details, like those mentioned in “Other Considerations” section of KB000291. I believe that mindset “try first, read manual later” which is very popular in IT, somewhat difficult to resist as it is largely being instilled into you by technology itself (both hardware and software), which is and always was built with “fool-proof” design patterns in mind, trying to be forgiving and allow for rollbacks and easy correction and¬†handling of errors. Anyhow people often configure something first, and then comes that moment of “now what/how do I fix this”?

When it comes to K2 blackpearl Workspace security management you should know beforehand the following about the way that the tabs in Workspace function:

1. With a new installation, no-one has explicit permissions, Workspace will function in optimistic security mode, meaning everyone can see the tab.

2. As soon as a user has been assigned explicit permissions on a tab, it will switch to pessimistic security mode. Meaning that a user will need explicit rights to see the tab. If a user is not on the list, they will not be allowed to see it and this is what is occurring in your environment.

So typical error when customizing K2 workspace security is granting rights only to one user (you should never left your admin account without these rights) which may left the company for example, or what we can deem a “double-mistake” here is granting these rights to only one user which in addition doesn’t have admin level rights on K2 server, thus you are leaving yourself with no opportunity for subsequent corrections via normal, GUI way.

In case you haven’t done double-mistake mentioned above you can easily correct this situation. To fix this, you just need to log in as a user who has been granted permissions and then assign permissions to those that you want to grant access (please grant those to your dedicated K2 admin account), using the Workspace Permissions option in the Security tab.

If case you are not sure which user has permissions, have a look at the ActionPermissions table in K2 databse:

SELECT UserName FROM ActionPermissions

WHERE actionid =

(SELECT ID FROM [action] WHERE [name] = 'Management Console')

Made an epic “double-mistake”? I.e. granted rights to one user without server level administrative rights in K2 and now not able to edit permissions despite this user can access required tabs? This means that you are reached the section of¬†KB000291¬†entitled “Error Resolution” which you supposed to read before playing around with Workspace security settings. And I’m quote this section:

If this happens, it will be necessary to manually modify the SQL databases to reset all Workspace permissions. It will then be necessary to specify all the permissions again. Please contact K2 Support prior to modifying any of the K2 databases or data stored in them.

So you have to reset your permissions to their defaults (no explicit permission, optimistic security mode). It requires direct edits in your K2 DB which is considered to be thing to avoid whenever it is possible and should only be performed by you in case you know what you are doing and more importantly you know how do you rollback your change if anything goes wrong. So you should use do it with full understanding of risks involved.

It will suffice to issue the following SQL server statement against your K2 DB:

TRUNCATE TABLE Workspace.ActionPermission

But you never do this without doing K2 DB backup first and reading preceding couple of paragraphs, right? I really hope so.

Another frequently asked question around K2 workspace permissions is revolving around the fact that you may see that they are not fine-grained enough and not fully in-line with RBAC ideology/approach. To these questions there is no easy answer with current implementation of K2 Workspace but things should become way better with complete overhaul of this part of K2 which is planned to be released at some point, but real particulars of this change and what we get with it are under NDA at this point.

K2 Process Instances report: “This report has been limited to 1000 rows”

The other day I was asked about default limit you may see in K2 workspace when accessing, for example, Process Instances report for particular process (K2 Workspace > Process Overview > Process Instances).


Here is the message about default limit which you may see when surpassed it (This report has been limited to 1000 rows):


Well the main difficulty for me was that in my test environments I don’t usually see that much process instances, so to reproduce and verify respective settings was kind of a problem for me. There is a section at help.k2.com which mentions briefly configuration setting we need to adjust but not exactly and without going into much of details –¬†Custom Reports – Create Report Wizard. From there we may infer that the setting we need to adjust is “RowLimitRecordCount“, and the next thing is to change it and test. But like I said testing this may be difficult if you don’t have 1000+ process instances running in your environment (it could be that your test environment even doesn’t have any process deployed yet). And you don’t want to run 1000+ process instances by doing 1000+ mouse clicks, right? Let’s consider how to go about this problem first.

Luckily enough at help.k2.com you may find information on “Starting a K2 Process using the Windows Powershell”¬†which is a good starting point for solving our little problem. So starting from that I created following PS script running number of process instances required for my test:

$i = 0

Do {


[System.Console]::WriteLine("Starting K2 process instance" + $i)

Add-Type -AssemblyName ('SourceCode.Workflow.Client, Version=, Culture=neutral, PublicKeyToken=16a2c5aaaa1b130d')

$conn = New-Object -TypeName SourceCode.Workflow.Client.Connection


# Adjust line below by specifying your workflow name

$pi = $conn.CreateProcessInstance("Project_Name\Workflow_Name")



# Adjust line below to create required number of instances

While ($i -lt 1000)

[System.Console]::WriteLine("Done: " + $i + " process instances started")

This code will run as much instances of a specified process as you specify in “While ($i -lt 1001)” line (lt is quite queer/unconventional operator which PS uses for “less than”). Another line you most likely have to edit is “$pi = $conn.CreateProcessInstance(“Project_NameWorkflow_Name”)” – I hope this is quite self-explanatory.

If you don’t have any workflows deployed then for this particular test all you need is just go to K2 studio and drop Default Client Event and next terminate it with Placeholder Event, then deploy this test workflow. Process with only Placeholder Event won’t suffice for this test as its instances will go into completion immediately and you won’t get multiple instances¬†running simultaneously with such process.

Once you have large number of instances running you may see the message about the row limit mentioned in the beginning of this post and test change of¬†“RowLimitRecordCount” value. Now it’s high time to adjust the¬†RowLimitRecordCount value in¬†web.config file located in <install drive>:\Program Files (x86)\K2 blackpearl\WorkSpace\Site. Based on its default (1000) value and description we saw at help.k2.com for it this should be the one we need. But quick test will show us that increasing it doesn’t work for described problem. OK, maybe we just forgot to perform IIS reset which is necessary for web application to pick up the settings? Nope, IIS reset is necessary but this doesn’t help us to increase this limit.

Next thing which we may look at is OOBReports.xml file in the same location as aforementioned web.config file. It also do contain RowLimitRecordCount value which is actually controls the returned rows limit for Process Instances report (and judging by its name of other OOB reports too). And yes IIS reset is required for this change to take an effect. You may easily make sure that the same setting in web.config file controls the limit for custom reports if you quickly create custom report (you may be unoriginal and simply create Process Instances reports using Report Designer) and test this. You will be able to see the same message on a slightly different custom report layout and verify that this limit is controlled by setting in web.config file:


Other interesting thing which may be adjusted by editing OOBReports.xml file is¬†whether deleted process instances should be included in reports. With regards to this setting you may adjust global default value for “IncludeDeletedStatus“, and also enable or disable¬†the users capability to adjust this setting via the User Interface by changing the”DisableUserSetting” to False or True.