Upgrading to K2 blackpearl 4.6.8: Constrained delegation is not enabled for the Active Directory account

OK, probably not a timely post given that 4.6.9 is about to become available, but anyway. The other day I was asked the following question:

“We are upgrading from 4.6.5 to 4.6.8 and are getting an error in K2 Configuration Analysis:

Analysis Result: Failed.

Constrained delegation is not enabled for the Active Directory account: %SERVERNAME%

The K2 Windows Token Service is a Windows Identity Foundation (WIF) feature that extracts UPN claims from SAML tokens and generates Windows security tokens. This allows K2, as the relying party, to impersonate a claims user for access to a line of business system, such as SQL.

Important: If you have configured Kerberos in your environment, a domain administrator must configure constrained delegation in Active Directory. For more information see the link below.

URL: http://msdn.microsoft.com/en-us/library/ff649317.aspx, Text: How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0 (MSDN)

This seems strange, as everything (including the Kerberos stuff) was configured for 4.6.5, so why this error? What was added in 4.6.8 that gives us this error/requires extra configuration steps?”

Well, at the time I was asked this there was no K2 KB published on it, but one is available now and explains it neatly: KB001607 – Delegation Settings to enable K2 Windows Token Service to impersonate using Kerberos.

Basically, 4.6.8 introduced the K2 Windows Token Service, which is installed on all servers where the K2 Designer, K2 smartforms Runtime and K2 View Flow components are installed. Things to know about it:

– K2 Windows Token Service is a Windows Identity Foundation (WIF) feature that extracts UPN claims from SAML tokens and generates Windows security tokens. This allows K2, as the relying party, to impersonate a claims user for access to a line of business system, such as SQL.

– Installed on all servers where the K2 Designer, K2 smartforms Runtime and K2 View Flow components are installed

– It runs under the local system account, which means it authenticates to the domain as the computer account, so the delegation settings below go on the computer account of each server, not on the K2 service account

– If Kerberos is used in the environment (which is the case for most production deployments), a domain administrator must configure constrained delegation for the HTTP service, for both the server name and the FQDN, for each of the following servers: the K2 smartforms Runtime server, the K2 Designer server and the K2 Workspace server (which hosts the K2 View Flow component)

– Even if constrained delegation was previously configured for these servers when a version of K2 older than 4.6.8 was installed, you still need to add the constrained delegation settings required by the K2 Windows Token Service (see above)
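The delegation settings described in the list above, as an added PowerShell example (this is not code from the original post or from the K2 KB). It assumes the ActiveDirectory module is available, that it runs as a domain administrator, and that the host names and the domain suffix are placeholders you replace with your own. It grants the computer account of each K2 server constrained delegation to HTTP/name and HTTP/fqdn with protocol transition enabled, and then reads the settings back so you can see what is still missing:

```powershell
# Added example, not K2's own script. Assumed: ActiveDirectory module, domain admin session,
# placeholder host names and domain suffix below.
Import-Module ActiveDirectory

$Domain  = 'corp.example.com'                  # assumed domain suffix
$Servers = @('K2SF01', 'K2DES01', 'K2WS01')     # assumed: smartforms Runtime, Designer, Workspace hosts

foreach ($Server in $Servers) {
    # The token service runs as LocalSystem, so the delegation is granted to the
    # computer account (K2SF01$), not to the K2 service account.
    $Fqdn    = "$Server.$Domain"
    $Targets = @("HTTP/$Server", "HTTP/$Fqdn")   # "HTTP for both the server name and the FQDN"

    # "Trust this computer for delegation to specified services only" + the service list.
    Set-ADComputer -Identity $Server -Add @{ 'msDS-AllowedToDelegateTo' = $Targets }

    # "Use any authentication protocol": the token service never sees the user's password,
    # it only has a UPN claim, so it must use Kerberos protocol transition (S4U2Self).
    Get-ADComputer -Identity $Server | Set-ADAccountControl -TrustedToAuthForDelegation $true
}

# Read the settings back. This is the kind of check to run before re-running
# K2 Configuration Analysis, and it also flags unconstrained delegation, which
# is the insecure setting people sometimes fall back to when the analysis fails.
foreach ($Server in $Servers) {
    $c = Get-ADComputer -Identity $Server -Properties msDS-AllowedToDelegateTo,
                                                      TrustedToAuthForDelegation,
                                                      TrustedForDelegation
    $missing = @("HTTP/$Server", "HTTP/$Server.$Domain") |
        Where-Object { $c.'msDS-AllowedToDelegateTo' -notcontains $_ }

    [pscustomobject]@{
        Server             = $Server
        ProtocolTransition = $c.TrustedToAuthForDelegation   # must be $true
        Unconstrained      = $c.TrustedForDelegation         # should stay $false
        MissingHttpTargets = ($missing -join ', ')           # empty when both SPN forms are present
    }
}
```

Two caveats a practitioner will care about: "Use any authentication protocol" means a compromised K2 server can obtain a service ticket for any domain user to the listed services, so keep the msDS-AllowedToDelegateTo list to exactly the HTTP entries the service needs and do not widen it to SQL or other back ends unless K2 documentation for your version says so; and never "fix" the analysis error by switching the computer account to unconstrained delegation (TrustedForDelegation), which would let that host impersonate any user to any service in the domain.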

The statement “K2 Windows Token Service is a Windows Identity Foundation (WIF) feature that extracts UPN claims from SAML tokens and generates Windows security tokens. This allows K2, as the relying party, to impersonate a claims user for access to a line of business system, such as SQL.” seems clear enough, but to really understand it you need to know all the terms/concepts it mentions 🙂

So some definitions below:

By itself, WIF is a Microsoft software framework for building identity-aware applications. It provides APIs for building ASP.NET- or WCF-based security token services, as well as tools for building claims-aware and federation-capable applications. It used to ship as a separate product, but it is now part of the Microsoft .NET Framework 4.5.

And as per the Microsoft documentation: “Any service that relies on the Claims to Windows token service (C2WTS) must use Kerberos constrained delegation to allow the C2WTS to use Kerberos protocol transition to translate claims into Windows credentials.”

This is the key point: the token service only has a UPN claim, not the user's password, so it cannot obtain a Kerberos ticket on the user's behalf the normal way. Protocol transition (S4U2Self) lets it ask the KDC for a ticket to itself for that user anyway, and the constrained delegation list (the HTTP entries above) limits which services that impersonated identity can then be forwarded to. That is why the delegation entry has to be “use any authentication protocol” rather than “Kerberos only”, and why the new 4.6.8 component needs settings that the older Kerberos configuration never required.

Related K2 community KB: Analysis fails after upgrading from 4.6.x to 4.6.8: Constrained delegation is not enabled for the Active Directory account
