Symptoms

When browsing to Viewflow, the SmartForms Designer or the SmartForms Runtime, the site redirects out of the box to K2's Security Token Service (STS) so that a claim can be created for the user attempting to access it. When that redirect reaches http(s)://[K2HostHeader]/Identity/sts/Windows, the following error is displayed:

"An error occurred trying to authenticate the user"

The stack trace that follows typically points to a problem reaching a domain, or a specific CN or OU within it.
 

 

Diagnosis

When this error occurs on the Windows STS, it typically indicates a problem with the Active Directory GetGroups method (UserPrincipal.GetGroups) that K2 invokes to gather the user's group memberships, so that they can be stored in the claim K2 creates for the user.

The behaviour has a history. Originally, the claim created by the Windows STS contained only the user's details and the SIDs of the groups the user belongs to. K2 then received a feature request to add the names of the user's groups directly to the claim, so that customers could set access permissions for groups in IIS; IIS cannot evaluate group permissions when the claim carries only SIDs. K2 implemented the feature by calling GetGroups on the UserPrincipal object in the Windows STS while building the claim.

The GetGroups method, however, also resolves the details of each group, and to do so it has to connect to the AD domain that group belongs to. Whenever one of those domains is offline, a permissions problem blocks the lookup, or AD raises any other exception while GetGroups is called or its results are enumerated, the Windows STS stops executing at that exception and authentication fails. That is what produces the "An error occurred trying to authenticate the user" message.
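The following PowerShell script is an added diagnostic example and is not K2's code. It reproduces on the K2 server the two ways of building the group part of the claim described above: reading the user's group SIDs only (the behaviour without the feature) and resolving each SID to a group name (the extra step GetGroups performs), reporting per SID which domain lookup fails instead of aborting on the first one. It then calls UserPrincipal.GetGroups itself to confirm that the STS path throws. The function names are hypothetical; it assumes Windows PowerShell 5.1 on a domain-joined machine, run as a domain account that can read AD.

```powershell
# Added diagnostic example, not part of K2. Assumes Windows PowerShell 5.1 on a
# domain-joined K2 server, run under a domain account that can read AD.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-UserGroupSids {
    # SIDs only, which is what the STS falls back to with AddGroupsToClaims="false".
    # tokenGroups is computed by the user's own domain, so no connection to the
    # domains that host the groups is needed.
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Escape LDAP filter metacharacters so the account name cannot alter the query.
    $escaped = $SamAccountName.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$escaped))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' was not found in the current domain." }

    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache([string[]]@('tokenGroups'))
    foreach ($raw in $entry.Properties['tokenGroups']) {
        [System.Security.Principal.SecurityIdentifier]::new($raw, 0)
    }
}

function Resolve-GroupSids {
    # Name resolution is the extra step the GetGroups path needs; it must contact a
    # domain controller of each group's own domain. A SID whose domain is offline,
    # or whose trust is broken, surfaces as IdentityNotMappedException here instead
    # of aborting the whole run.
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier[]]$Sids)
    foreach ($sid in $Sids) {
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            [pscustomobject]@{ Sid = $sid.Value; Name = $name; Status = 'Resolved' }
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            [pscustomobject]@{ Sid = $sid.Value; Name = $null; Status = 'Unresolvable: domain unreachable, trust broken or group deleted' }
        }
        catch {
            [pscustomobject]@{ Sid = $sid.Value; Name = $null; Status = "Error: $($_.Exception.GetType().Name)" }
        }
    }
}

function Test-GetGroupsPath {
    # The call the Windows STS makes when AddGroupsToClaims is true. Enumerating
    # GetGroups() throws on the first group it cannot resolve, so one bad domain
    # fails the whole authentication; this reports how far enumeration got.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $ctx  = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
                [System.DirectoryServices.AccountManagement.ContextType]::Domain)
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
                $ctx, [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName, $SamAccountName)
    if (-not $user) { throw "User '$SamAccountName' was not found in the current domain." }

    $names = [System.Collections.Generic.List[string]]::new()
    try {
        foreach ($group in $user.GetGroups()) { $names.Add($group.Name) }
        [pscustomobject]@{ Succeeded = $true;  GroupsResolved = $names.Count; Error = $null }
    }
    catch {
        [pscustomobject]@{ Succeeded = $false; GroupsResolved = $names.Count; Error = $_.Exception.Message }
    }
}

# Usage: compare the SID-only path with the name-resolving path for one user.
$sids = Get-UserGroupSids -SamAccountName $env:USERNAME
Resolve-GroupSids -Sids $sids | Format-Table -AutoSize
Test-GetGroupsPath -SamAccountName $env:USERNAME
```

Run it as the user who cannot authenticate, or pass that user's sAMAccountName. A SID reported as unresolvable in the second table identifies the group, and therefore the domain, that GetGroups is tripping over; lookups against an offline domain can take a while to time out before they fail, so allow the script to finish. If Get-UserGroupSids succeeds while Test-GetGroupsPath reports Succeeded = False, the problem is confined to the name-resolution step that the AddGroupsToClaims workaround below switches off.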
 

 

Resolution

The recommended approach is to resolve the underlying access problem at the user or domain level, so that every domain holding one of the user's groups is reachable and the STS is permitted to read group details from it.

As a workaround, add the following key to the <appSettings> section of the K2 Windows STS Web.config and then perform an IIS reset (iisreset):

[install drive]:\Program Files (x86)\K2 blackpearl\WebServices\Identity\Sts\Windows\Web.config

<add key="AddGroupsToClaims" value="false" />

With this key set, K2 bypasses the GetGroups call and behaves as it did before the feature was added: only the SIDs of the groups the user belongs to are placed in the claim for the three sites mentioned above. Be aware that this can break IIS authorization rules and any other permissions that are granted by group name rather than by SID.

 

 



 