
Hi Guys,

 
I'm having a strange issue, and I was hoping some of you might have run into the same thing and managed to work around it.  Basically, I have installed K2 blackpearl onto a Virtual Server 2005 image running Windows 2003 Server.  I followed the install guide, and everything went 100%.  I have successfully created and deployed a test process, and I can see the workspace if I use IE from the K2 server itself (I remote desktop to the virtual PC, and open IE...).


The problem is that I cannot view the workspace from any other machine, except the virtual pc itself.  I get the following error if I try to connect from the other machines:

HTTP Error 401.1 - Unauthorized: Access is denied due to invalid
credentials.
Internet Information Services (IIS)

The credentials I am using are the same as the ones I use when I remote desktop the PC (and have all the relevant privileges assigned), so I do not think that's the issue.  It just seems that the credentials I supply are not making it to the K2 server.  Network connectivity is there, I was able to deploy my test process to the server from the client PC.

This could easily be a configuration issue with how Virtual Server 2005 or the networking is set up, but I thought I'd ask here in case anyone has encountered it before 🙂

Some further info - I've enabled Kerberos logging, and found the following event when attempting to connect:

A Kerberos Error Message was received:
         on logon session

Client Time:
 Server Time: 10:54:0.0000 9/18/2007 Z
 Error Code: 0x25 KRB_AP_ERR_SKEW
 Extended Error:
 Client Realm:
 Client Name:

... 

 Error Text:
 File: 9
 Line: ae0
 Error Data is in record data.

 

Any help would be appreciated.  

 

Regards,

Daniel Barla-Szabo

Hi Daniel,


I've 'Googled' the error and got this:


http://technet2.microsoft.com/windowsserver/en/library/6ee8470e-a0e8-40b2-a84f-dbec6bcbd8621033.mspx?mfr=true


Authentication Errors are Caused by Unsynchronized Clocks.


Please see if this is the cause of your problem and let us know.


Regards,


Ockert


Hi Ockert,

Thanks, I ran into that same TechNet article shortly after I submitted my post.  I've been trying to figure out whether this could be the problem, but as far as I can see, the K2 server, the client PC and the DC's clocks are within a couple of seconds of each other.  It's definitely nowhere near the 5-minute tolerance setting which I believe is the default for Kerberos... I'm not really sure where / what to look at next.

I'm not sure if this is 100% relevant, but in the meantime I've been able to get a quick test website which uses Windows authentication + identity impersonate to work.  I'm connecting from my dev machine to the K2 virtual PC (same way as I connect to the workspace), and my test site impersonates my domain account (it outputs System.Security.Principal.WindowsIdentity.GetCurrent().Name as proof), and it works.  The only problem is that I'm not sure whether it's using NTLM or Kerberos (I have a feeling that it's NTLM...), but apart from that, I don't know what the difference would be?

-- Daniel.
 


 


Hi Daniel,


I assume your IIS and K2 [blackpearl] server are running on the same machine.  Maybe you should try to force NTLM authentication by setting the NTAuthenticationProvider to "NTLM" only.


Regards,


Ockert


I think I've stumbled on to a quick solution for the moment - I switched the URL from http://[machine name] to http://[ip address], and for some reason, it worked.  Unfortunately this doesn't really explain what the problem was in the first place.

I will probably try out the NTAuthenticationProvider setting, thanks for all your help!

 --Daniel.
 

 


Hi,

I faced the same problem, even the URL/IP issue...

First off, check the configuration of the SPNs, Application Pool, and all related values in the IIS metabase.

As a workaround for this, you can use NTLM as your authentication mechanism. Reconfigure the IIS metabase as follows:

  • adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"

Also, change the K2 Workspace web site in IIS in the same way, using the site's identifier (you can get the site ID from IIS Manager):

  • adsutil.vbs set w3svc/K2_WORKSPACE_SITE_ID/NTAuthenticationProviders "NTLM"

Don't forget to verify those metabase values:

  • adsutil.vbs get w3svc/NTAuthenticationProviders

You should see NTLM only... and it should work! 🙂

 
Cheers,

Saleh
 

