
I have two web applications on the same IIS 7 server and both are in the same application pool. I have visually verified each and every setting on the web applications and in the web configs. One application will submit to K2 and pass credentials and the other one won't. The code to create the process was copied out of the process that is working. The only difference that I can see is that one is a web service and one is a web form. I am at a loss on this one and I have been searching the web for hours. Any help on what this could be would be appreciated.

Hi,


Could you perhaps give me a detailed description of your environment?  I guess you have a distributed environment and Kerberos is failing?


If you are not using host headers you should have one set of HTTP SPNs for both web applications, i.e. HTTP/server and HTTP/SERVER.DOMAIN.LOCAL, set on the application pool identity because you are using the same application pool. Using IIS 7 you can use the Configuration Editor to edit the web.config files - verify that useAppPoolCredentials has been set for the applications as well as useKernelMode and that the providers are set to Negotiate,NTLM.


Configuration Editor usage:


Section(DropDown): System.WebServer > Security > Authentication > WindowsAuthentication.


Hope this helps.


Regards,
Frikkie!


I have one test web server and one k2 server. Both web apps are running on the web server. No K2 components are installed on the web server. I compared the configuration on both apps and they were the same.


useapppoolcredentials set to false


usekernelmode set to true


two providers NTLM, Negotiate


 


Please attempt to set useAppPoolCredentials to true for the web applications and try again. Also, to the right of the Sections drop-down, there is a From (Config files) drop-down; double-check all the config files in this drop-down.


Regards,
Frikkie! 
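An added example, not part of any post in the thread: an offline comparison of the `windowsAuthentication` settings discussed above for two applications, flagging the combinations the replies ask to correct. With kernel-mode authentication and `useAppPoolCredentials` set to false, Kerberos tickets are decrypted with the machine account rather than the application pool identity that holds the HTTP SPNs. The XML is constructed sample data shaped like `applicationHost.config` `<location>` blocks, the site and application names are hypothetical, and the check assumes the providers are declared explicitly in each block rather than inherited.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like applicationHost.config <location> blocks;
# the site and application names are hypothetical.
SAMPLE_CONFIG = """<configuration>
 <location path="Default Web Site/FormsApp"><system.webServer><security><authentication>
  <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
   <providers><add value="Negotiate" /><add value="NTLM" /></providers>
  </windowsAuthentication>
 </authentication></security></system.webServer></location>
 <location path="Default Web Site/ServiceApp"><system.webServer><security><authentication>
  <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="false">
   <providers><add value="NTLM" /><add value="Negotiate" /></providers>
  </windowsAuthentication>
 </authentication></security></system.webServer></location>
</configuration>"""

WIN_AUTH = "system.webServer/security/authentication/windowsAuthentication"

def read_windows_auth(config_xml):
    """Map each <location> path to its windowsAuthentication settings."""
    result = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        node = loc.find(WIN_AUTH)
        if node is None:
            continue
        result[loc.get("path", "")] = {
            # Fallbacks are the IIS schema defaults for these attributes.
            "useKernelMode": node.get("useKernelMode", "true").lower() == "true",
            "useAppPoolCredentials": node.get("useAppPoolCredentials", "false").lower() == "true",
            "providers": [a.get("value") for a in node.findall("providers/add")],
        }
    return result

def kerberos_findings(settings):
    """List deviations from the settings recommended in the thread."""
    findings = []
    if settings["useKernelMode"] and not settings["useAppPoolCredentials"]:
        findings.append("useKernelMode is true but useAppPoolCredentials is false")
    if "Negotiate" not in settings["providers"]:
        findings.append("Negotiate provider missing")
    elif settings["providers"][0] != "Negotiate":
        findings.append("Negotiate is not the first provider")
    return findings

def diff_apps(all_settings, app_a, app_b):
    """Return the names of settings that differ between two applications."""
    a, b = all_settings[app_a], all_settings[app_b]
    return sorted(k for k in a if a[k] != b[k])
```

To run it against a real server, pass the text of a copy of `applicationHost.config` and of each application's `web.config` to `read_windows_auth`, since the setting can come from any of the files listed in the From drop-down.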


Tried all of these and still not working. Talked with Connie on the phone. He seems to think it is an SPN issue. Going to set up SPNs to see if that will work. I thought if you set the computer to trust delegation in AD, you didn't have to set SPNs.


Yes, you'd need SPNs when you are using delegation; they go together. One is like the telephone post (SPN) and the other is like the wire (DELEGATION).


I'd suggest for Coenie to help you on this as he has done this a few times and will make your life a bit easier.


Regards,
Frikkie! 


Unfortunately he was not able to help on this. So I started using a workaround where I submit as a service account and display user info only. This has worked up till the last part of setting the actions on the worklist item. When I pull the actions they don't list out but they are in the worklist webpart but not in my code.


I have seen this issue twice; both times it was because I was using Firefox. Once on the workspace, once through SharePoint. Both times using IE passed the credentials correctly and worked.


This error (64007 Provider did not return a result for K2:NT AUTHORITY\ANONYMOUS LOGON on GetUser) is being logged due to a change implemented in 4.6.9 onwards to no longer hide any ADUM/Identity errors when using "ClientWindows/K2 pass-through" authentication.
This error is only logged when the Viewflow is open, but it does not affect any of its functionality. There is an existing feature request to suppress these error messages or re-qualify them as "Warning" level messages so that they are not logged at the default logging level.


If you switch from "ClientWindows/K2 pass-through" authentication to Kerberos, you will get rid of this error message too. Configuring Kerberos involves creating SPNs as well as configuring delegation for WTS.

