Symptoms
An error occurred trying to authenticate the user.
Diagnoses
Any user other than the service account who attempts to navigate to the designer or forms gets the following error:
Error
An error occurred trying to authenticate the user.
More Details
Exception Details:
System.DirectoryServices.ActiveDirectory.ActiveDirectoryOperationException: A local error has occurred. ---> System.DirectoryServices.DirectoryServicesCOMException: A local error has occurred. at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_AdsObject() at System.DirectoryServices.PropertyValueCollection.PopulateList() at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName) at System.DirectoryServices.PropertyCollection.get_Item(String propertyName) at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName) --- End of inner exception stack trace --- at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String prope
Example URL that produces the above error:
http://dlpwblpmp01-tst.cprod.corp.ntgov/designer/
The following URL works fine:
http://dlpwblpmp01-tst.cprod.corp.ntgov/workspace/Navigation/Navigation.aspx
We have tried this on the server itself with the K2 service account and it works perfectly fine.
My user account has been given the admin role in the workspace.
The K2 server and service account sit on a different domain from the users. We recently got K2 talking to our users' domain, which has allowed the user manager to browse the domain the users are on.
Resolution
So it would seem your configuration should be fine going forward. See below for a more technical explanation.
So the allowed caller is for the K2 Claims to Windows Token Service (c2WTS).
This service is used to convert claims tokens to Windows tokens for off-box authentication and impersonation that requires a Windows token, such as SQL Server.
http://help.k2.com/kb001607
Here are a couple of other links that might explain a bit more.
http://community.k2.com/t5/tkb/articleprintpage/tkb-id/TKB_blackpearl/article-id/220
http://community.k2.com/t5/K2-blackpearl/Contrained-Delegation-Error/ta-p/81645
An administrator must configure the c2WTS with a list of allowed callers, which is the list of security identifiers (SIDs) in the allowedCallers element in the Microsoft.IdentityModel section of the configuration file, located in the version folder inside your WIF installation folder. For example, if you installed version 3.5 of WIF to C:\Program Files, the c2wtshost.exe.config file is located in the <> folder.
https://msdn.microsoft.com/en-us/library/ee517258.aspx
http://mikerodionov.com/tag/k2-windows-token-service/
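The following PowerShell check is an added example for this article, not code from K2 or from the linked pages: it resolves the account that calls c2WTS to its SID, compares it against the allowedCallers entries in c2wtshost.exe.config, and confirms the service is running. It assumes the default WIF 3.5 config path, an allowedCallers/add layout with a value attribute, the service name c2WTS, and a placeholder account name; adjust all four to your installation.

```powershell
# Added diagnostic (not part of the KB article or the K2 product): checks whether
# the account that calls c2WTS is listed under allowedCallers in c2wtshost.exe.config
# and that the service is running. Path, element layout, service name and the
# account name below are assumptions; change them to match your environment.
param(
    [string]$ConfigPath    = 'C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config',
    [string]$CallerAccount = 'CPROD\k2service',   # placeholder: the K2 service account
    [string]$ServiceName   = 'c2WTS'               # assumed service name
)

# Resolve the caller to its SID; allowedCallers entries may be SIDs rather than names.
# In a cross-domain setup a failure here means the K2 server cannot resolve the
# account in the other domain, which is worth knowing on its own.
try {
    $ntAccount = New-Object System.Security.Principal.NTAccount($CallerAccount)
    $callerSid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value
    Write-Host "Caller $CallerAccount resolves to $callerSid"
} catch {
    Write-Warning "Cannot resolve $CallerAccount to a SID from this server: $($_.Exception.Message)"
    return
}

if (-not (Test-Path -Path $ConfigPath)) {
    Write-Warning "Config not found at $ConfigPath (check the WIF version folder)"
    return
}

[xml]$config = Get-Content -Path $ConfigPath -Raw
# Collect every <add value="..."/> under any allowedCallers element in the file.
$entries = @($config.SelectNodes('//allowedCallers/add') | ForEach-Object { $_.GetAttribute('value') })
Write-Host "allowedCallers entries: $($entries -join ', ')"

# Accept a match on either the SID or the account name.
$allowed = $entries | Where-Object { $_ -eq $callerSid -or $_ -ieq $CallerAccount }
if ($allowed) {
    Write-Host "OK: $CallerAccount is an allowed c2WTS caller"
} else {
    Write-Warning "$CallerAccount is NOT in allowedCallers; claims-to-Windows token conversion will fail for it"
}

# The service must be running for any conversion to happen at all.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "Service $ServiceName not found on this host"
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "Service $ServiceName is $($svc.Status), expected Running"
} else {
    Write-Host "OK: $ServiceName is running"
}
```

Run it on the K2 server as an account that can read the config file; the account to pass as CallerAccount is the identity of the process that calls c2WTS, normally the K2 service account.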