Tag Archives: K2

K2 Setup Manager: The selected user needs to have Domain Users privileges to proceed

Once in a while you can bump into a warning from K2 Setup Manager which says: “The selected user needs to have Domain Users privileges to proceed” on K2 Site Application Pool Configuration which looks as shown below:

The selected user needs to have Domain Users privileges to proceed

I was not able to confirm what exactly triggers this, but I do know that it happens while specified user in fact has Domain User group membership and I saw it with both K2 4.6.x and K2 Five installers. Good news that bypass this blocking warning is easy – you just need to edit Product.config file in your installation directory and set domainusercheck value to false as shown below:

Setting domainusercheck key to false

You will need to restart K2 Setup Manager after saving this change and you should be able to proceed without receiving any any warnings.

Please follow and like us:
error0

K2 Setup Manager – MSDTC is not configured correctly

The other day I’ve been doing installation of K2 4.7 on standalone (i.e. non-joined to domain) Windows Server 2016 machine with SQL Server installed locally on the same box, and bump into MSDT Network Access analysis result failure, receiving error shown below:

MSDTC Network Access Analysis Result: Failed

That’s quite a standard warning which explicitly says you what kind of check boxes you need to tick in Local DTC Properties (be sure to use comexp.msc or dcomcfg commands to open Component Services snap-in). K2 Setup Manager will explicitly tell you what checkbox is not set as shown on sample screenshot below:

Configuration Analysis reporting MSDTC options not configured correctly

But if you look at the first screenshot – there is no incorrectly configured settings, and I was pretty sure that I know these settings quite well, having couple of old posts on the topic (see #1, #2). So I was a bit baffled by this warning. After consulting related K2 documentation section I realized that it also indicates that it is necessary to configure relevant firewall rules :

Enable and Configure the DTC Components

Configure firewall to allow MSDTC access with the following command:

netsh advfirewall firewall add rule name=”MSDTC” dir=in action=allow program=”%windir%\system32\msdtc.exe” enable=yes

Configure firewall to allow SQL Server access with the following command:
netsh advfirewall firewall add rule name=”MSSQLSERVER” dir=in action=allow program=”C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\Sqlservr.exe” enable=yes

These firewall settings must be activated on SQL server in order for MSDTC to work:

Distributed Transaction Coordinator (RPC)
Distributed Transaction Coordinator (RPC-EPMAP)
Distributed Transaction Coordinator (TCP-In)

Despite in my case SQL and K2 servers very hosted on the side machine I tried to add required firewall settings – and, somewhat naturally, it didn’t resolve the error. So it took me searching a bit more till I found relevant MSFT documentation (New functionality in the Distributed Transaction Coordinator service in Windows) which clarifies that “No Authentication Required” option must be used in the following scenarios:

  • The network access is between computers that are running Microsoft Windows 2000.
  • The network access is between two domains that do not have a mutual trust configured.
  • The network access is between computers that are members of a workgroup.

As you can understand having both SQL and K2 on the same server in workgroup mode translates into “network” access is between computers that are members of a workgroup. So to resolve K2 setup manager warning in this scenario it is necessary to tick “No Authentication Required” option in Local DTC Propertis:

Local DTC Properties – No Authentication Required

I do realize that installation on a member server not joined to domain is not the most frequent scenario (although it is if you install K2 on cloud servers non-joined to domains), it is sad that K2 installer does not report what kind of setting is necessary in the workgroup mode scenario – that goes into nice to have list of additional checks, but until it’s not there you have this post 🙂

Please follow and like us:
error0

How To: Re-configure your K2 environment to use forms authentication

This blog post is just a short walk-through explaining how to switch your K2 environment from Windows to Forms authentication. Just to provide you an example of when you may want this – you can use this configuration when you want to get password prompt on token expiration while all your forms users working from domain joined workstations belonging to K2 server domain (that means that STS token refresh will be happening without any extra password prompts using existing Windows user credentials to obtain STS token).

Required steps are described in K2 documentation (look under “Forms Authentication”) but at the moment it does not mention some required steps which we will cover here.

To switch over to Forms Authentication you first need to navigate to K2 Management > Authentication > Claims > Issuers section of K2 Management site:

K2 Management – Issuers

There you can select K2 Forms STS and Click Edit button to enable “Use for Login” option of this issuer:

K2 Management – Edit K2 Forms STS issuer

Once you enabled this option, switch over to Authentication > Claims > Realms:

K2 Management – Realms

Here you need to edit every realm and link K2 Forms STS issuers to it (depending on your needs you can do that only for some realms):

K2 Management – Edit Issuer

Once you do that your realms should have K2 Forms STS visible in LINKED ISSUERS column:

K2 Management – Linked Issuers Column

At this point if you restart your browser and try to access K2 sites you will be presented with login method selection which looks as follows:

K2 Login Method Selection

If you don’t like this dialog or do not need to use multiple logon methods just uncheck
“Use for Login” option for K2 Windows STS issuer, with such configuration you will be getting immediate form authentication prompt on attempt to access K2 site (and after K2 STS token expiration). This is how it looks like:

K2 Forms Authentication Logon Page

Up to now we were following steps from K2 documentation and completed them but if you try to login with correct credentials you may see the following error:

Server Error – Claim mapping configuration cannot be found for this claim

Error message has the following text:

Server Error
Claim mapping configuration cannot be found for this claim. Claim information: Name='DENALLIX\administrator', Issuer='FormsSTS', Original Issuer='FormsSTS'. Please ensure that you have configured the K2 server as specified in K2 Help: Installation and Configuration > Configuration > SharePoint > Claims-based Authentication.
More Details
at SourceCode.Hosting.Server.Runtime.HostSecurityManager.GetClaimsUserName(String tokenXml, ClaimsTokenType tokenType, ClaimsVersion claimsVersion)
at SourceCode.Hosting.Server.Runtime.HostSecurityManager.AuthenticateIIdentitySession(String sessionCookie, String tokenXml, ClaimsTokenType tokenType, String connectionString, String authReqSource, ClaimsVersion claimsVersion)

This error and corrective actions to it do not mentioned in product documentation. To fix this you have to do the following:

1. Edit K2TokenService.exe.config located in “%K2_INSTALLATION_ROOT%\Token Service\Bin\” adding your K2 service and K2 application pool accounts into allowedCallers section as shown below:

K2TokenService.exe.config – allowedCallers

Here is sample of allowedCallers section text:

<allowedCallers>

  <clear />

  <add value=”denallix\k2webservice” />

  <add value=”denallix\k2service” />

</allowedCallers>

2. Save your changes and restart K2 Claims To Windows Token Service aka K2WTS (you can use PoSh command for that – Restart-Service K2WTS).

After performing these steps you will be able to logon to K2 sites using forms authentication.

Please follow and like us:
error0

Start multiple workflow instances with PowerShell

You can find sample PowerShell script for starting multiple process instances in K2 Developer Reference, below you can find just slightly modified version which I am normally using. I’ve only added some variables to specify desired number of instances, project and workflow name along with folio value.

Please follow and like us:
error0

Unable to add/remove K2 Environment Fields – “You are not authorized to perform the requested operation”

In certain scenarios (for example, when you changed your K2 administrative accounts) you may see the following error when trying to add or remove Environment Field in Environment Library:

You are not authorized to perform the requested operation

This may happen even for user which has been assigned K2 Administrator role in Setup Manager when custom security was configured on Environment Library and it didn’t include this specific account.

To resolve this (providing you have account with administrative rights) just look into Security settings available under list of variables themselves when you navigate to Environment Library > %Environment Library Name%:

Environment Variable Security Settings

Just add required user assigning him Modify rights to resolve this issue.

Please follow and like us:
error0