Symptoms

adding a 3rd domain
 

Diagnoses

I followed the steps we took to add a second domain now for a third domain, but now after making the config change and restarting services I get the following error when opening the Workspace.

An error has occurred.
Please contact your administrator.
Error:
Initialization failed before PreInit: Unable to establish a secure connection with the Active Directory server.
Possible causes
- the ADConnectionString in the K2 Workspace web.config may have an incorrect LDAP path.
- the physical connection to the Active Directory Server might be down.
- please review log files for more information.


 

Resolution

The K2 Workspace web application is essentially a ASP.NET web application that makes use of the ActiveDirectoryMembershipProvider Class of the System.Web.Security Namespace that will try to bind to the LDAP string specified in the web.config using the Application Pool service account.

When using a third party tool (Softerra Ldap Browser) and running as the Application Pool service account, the error "A referral was returned from the server" similar to the error in the ADUM error logs after configuring the same LDAP for the K2 Label user manager. After some troubleshooting was done on the client's side the error Softerra returned was COM: "A local error occurred".

Working with the AD admins, a Kerberos error was found on the domain controller that was addressed. Afterward, testing the LDAP connection string was successfully from Softerra and as such the corresponding LDAP connection string was configured for K2 Workspace.

A good blog to start with LDAP bind troubleshooting is:

http://world.episerver.com/blogs/Daniel-Ovaska/Dates/2013/2/How-to-solve-problems-with-the-ActiveDirectoryMembershipProvider-and-similar-ldap-integrations/

This blog makes use of the tools:
- Softerra LDAP browser
- Zenmap

Enabling Kerberos logging on the relevant servers may provide more details:
https://support.microsoft.com/en-us/kb/262177