Skip to main content
Hey everyone

I am going to use sql db instead of ad. Requirement here is that once user log in thought login page which already exists , he can start the process and then can stroll to the my workspace link. this link will open up his workspace(Default workspace provided by k2) but he does not need to provide the credentials.

Any suggestion how to by pass the login page.

Thanks in advance
The standard login.htm page just redirects to the workspace with the following URL:
http:///K2V3/Workspace/Workspace.aspx?ServerName=[MyK2Server]&Connstr=[;];Authentication=External;User=[MyUserName];Password=[MyPassword]

So, assuming that the user already logged on with the same credentials as is present in the SQLUM db, you should be able to redirect successfully.

Yes, Yes, I know it is sent in clear text. Remember, the SQLUM was originally written as an example implementation of a custom user manager only and was NEVER intended for a secure environment. If you need to secure it, you'll have to do some customization.

Regards,
Ockert

Hey

Thanks , is there any way to bypass k2.net login screen while using AD. If i do not use sql user manager instead use AD. Can i bypass it


Thanks in advance.
Looking forward to hear from you
Any Help ?
If you use AD, you should be using Integrated Windows Authentication. If IE is setup correctly (i.e. Enable Integrated Windows Authentication, K2V3 in Local Intranet or Trusted Sites AND Logon with current username and password), your users should NOT be presented with a Login dialog box.

Regards,
Ockert
Hi Again ,

Thanks for the reply man. Dialouge box is gone , but it always log on as an administrator. Actually in my project workspace page is under a login page.

Once user login with his credentials which i check up with sql server(nothing to do with k2) i have stored his ad user name and password. So once he click on to workspace link he should see his workspace, but as of now that is not happening.

When i click on it logs on as an administor by default. But if run ie as some other user it runs fine.

Do i have to impersonate identity of logged on user....

Thanks in advance..
Regards
Workspace will by default impersonate the identity of the logged-on user. So, after you're custom login page has checked the user's credential against the database, Workspace will not know anything about this - except who the logged-on user on the machine is (or the user running IE).

But if run ie as some other user it runs fine.

Isn't this exactly what you want?

Regards,
Ockert

Hi Again

I am sorry "But if run ie as some other user it runs fine." i wrote it wrong.

What i mean is that it always Runs as administrator. If i run Internet exp as some other user it logs in ..but that's not an option. Since user is already logged i can't ask user to run ie again with his credentials to login to workspace.

If i open ie with using run as option it log on as default user.

So wht i need to do is that when user log on to my login page and do some stuff and when user clicks on workspace link k2 should open his worklist items (Which is not happening as it always opens up default logged on user)

Thanks in advance
Yes, the 'Run as...' option in IE should also not work because K2.net is not checking the context in which the browser executes but rather the logged on user - as stated earlier.

Is the username and password stored in your SQL database the same as the username and password in AD?

I think your problem is with development and testing on the same machine. If you test your application from a different client machine - logged on as a different user - everything should work fine.

Let me know,
Ockert
Same question asked previously here

http://forum.k2workflow.com/viewtopic.php?t=272&highlight=pass+login+pagw

Suggestions anyone ?????

Thanks in Advance
Sorry for my ignorance but on both occasions somebody responded with some suggestion on your questions, with no response back from your side.

In the current post Ockert made a couple of suggestions, did it help?
In the other DC made a couple of suggestions, did it help?
Hi r

I appreciate you replying back but it does not seems to work.

There are chances that many users will be sharing same computers and can open worklist from some other user account , iin that case they will always see workspace of logged on user.

I would really appreciate you could suggest a way out.

I would again summarize the problem so that you can understand better.

I have login page let's say login.aspx

user provides credentials i check up with ad and make sure that his credentials are same as mentioned in ad.

Once logged in he see something myjoblist.aspx

in this page he has different links like ... my claims , my jobs and last one my workspace which point to k2. net default worksapce.

My problem starts when i click on that link it ask me to fill in username and password. Since user is already logged on i can't ask again for username and password. Other way around is if i add k2 worksapce in trusted sites then it would not ask but will open workspace for logged on user.......cannot implement this either. since many users can use same login id(for windows logon).

I would really appreciate if you could come up with any suggestions
Thanks in advance
Hi,

SECTION 1 discusses my opinion with the implementation as explained and my concerns against this type of implementation
SECTION 2 discusses how you can implement the design as explained

😃 Feel free to skip to SECTION 2 if you are not interested in my concerns 😃

SECTION 1
I can understand your business case; however this really defeats the object of having a system making use of integrated windows authentication. The idea behind integrated auth is to be able to log onto your PC once, from that point onwards you can access all other resources without having to specify any credentials. I have a problem with solutions that pass user names and password around in clear text or even as part of URL s because of the security risk.

I have login page let's say login.aspx
user provides credentials i check up with ad and make sure that his credentials are same as mentioned in ad.

K2.net already does this for you, provided that you are playing the role of the current logged-in user.

Once logged in he see something myjoblist.aspx

Is this Work Items assigned to the user by K2.net 2003? If so we are busy with functionality that K2.net is designed for. Have a look at K2ROM documentation, connect to the K2.net Server using something like myCon.Open( ServerName ) K2.net knows how o auth the current logged-in user with AD, if the user is valid K2.net will allow the connection. Now all you need to do is retrieve a list of Work Items assigned to the user.

in this page he has different links like ... my claims , my jobs and last one my workspace which point to K2.net default workspace.

Claims, Jobs . I see this as different K2.net Processes, so when you retrieve the users Worklist group it by Process Name of make use of K2ROM.Worklistcriteria to filter the Worklist by the appropriate Process. The last link that point to Workspace: well use the standard URL and let K2.net decide whether the current logged-in user is valid or not and also what he can and cannot see in the Reports.

cannot implement this either. since many users can use same login id(for windows logon).

I have a couple of questions/suggestions on this:

1. How do you distinguish between Bob and Joe? K2.net assigns work to a specific user e.g. Bob and when that user is logged-in K2.net know what to expose to this use Reports as well as Worklist.
2. What account will the user use to log into the system we are discussing? Is this an AD account? If users are sharing the same AD account why would you want them to sign into the new system with a unique account? If we know require users to make use of unique accounts I think it is also time to get them to sign into the PC with that account.

IMO I don t think we should re-write a system that is implemented on an Industry Standard because we are doing things different, maybe we should change our day to day operation to work closer to the approved standards.

SECTION 2
Having said all of that, if you need to implement the system as explained I would recommend you to make use of the SQL User Manager instead of the AD User Manager. The SQL User Manager will allow you to do exactly what you need to based on your explanation. Visit the Partner and Customer Portal and download the SQL User Manager, the documentation included in the download explains the implementation of the SQL User manager as well as how to Log into Workspace, Worklist, K2.net Server ..

Please note: Using the SQL User Manager will limit K2.net to not be compatible with some components that rely on Integrated Windows Authentication.

Hey Again ,

Well let me clarify more ...

I cannot use windows authentication as not accepted by my client.

User visit login.aspx

User fill in credentials here , once he's clean i allow him to go to myjobslist.aspx page.

in this page he has different links like ... my claims , my jobs and last one my workspace which point to K2.net default workspace.

My claims and my jobs is not k2 process. Under all of this he see a link My Workspace. Once he click on my workspace i need to redirect him to k2.net workspace so that he can check his worklist items and do some approvals and stuff.

Here is the problem when he clicks on my work workspace

a window pops up where he need to fill in user name and password again
Or
i add k2 workspace site in trusted site ..so no window apprears. so default logged on user logs onto workspace.

E.g. bob is logged on to machine but his friend lenin comes and opens my appliations fills in user details and clicks on my workspace. k2 will open up workspace for bob not for lenin.

I tried to use clear user credentials in url but it shows strange behaviour. When you run it first time it says .."Unauthorized access or something" but if i hit again ..it goes in ....logs in to k2 workspace with user credentials provided below .!!!

<!-- This block will execute when user hit on my workspace link in myjoblist.aspx-->

Dim _Url As String = "http://www.k2mega.local/k2v3/workspace/Workspace.aspx?ServerName=k2megasrv&Connstr=[;];Authentication=Windows;Domain=" & System.Configuration.ConfigurationSettings.AppSettings("DomainForRedirectUrl") & ";User=" & _AdUser & ";Password=" & Me.txtPwd.Text & ""

Response.redirect(_Url)

<!---ends here--->

So how can i make sure that when i enter above url it does not throw error first time.. ??

I mean subsequent hits is fine but when i hit first time it throws error.
;Authentication=Windows;Domain=K2mega;User=JackYu;Password=k2pass

This sounds like a classical case of Windows Server 2003 SP1, have a look at the following KB Article: http://kb.k2workflow.com/Articles/KB000098.aspx locate the Step-by-Step Problem Resolution - NTLM and follow the 7 steps.

Hey R

No i did follow th steps in the article but does not seem to work.

I see "The request failed with HTTP status 401: Unauthorized" this error when i try to run
http://www.k2mega.local/k2v3/workspace/Workspace.aspx?ServerName=k2megasrv&Connstr=[;];Authentication=Windows;Domain=K2mega.local;User=patrick;Password=k2pass but subsequent request to same url opens workspace.

Any suggestions ?
Thanks in Advance
It sounds like a caching problem to me...

Make sure you're users (either 'Authenticated Users' or individual users) has got 'Modify' permissions on the 'C:WINDOWSMicrosoft.NETFrameworkv1.1.4322Temporary ASP.NET Files' and ''C:WINDOWSTemp' folders.

Regards,
Ockert
Hi,

I ve tested this solution on more than one VPC and also our production environment and it works 100%. I have not tested it on the Training VPC but my guess is that it is something specific to the Training VPC, have you tried it with others users on the VPC e.g. CarolM?

Please try this solution on a different VPC or Environment.
Hey

I tried by giving permissions to individual users to both the folders mentioned by "ock" and i also tried to open it with some other users like carolm or duncanj still problem persists.

It throws error "The request failed with HTTP status 401: Unauthorized"
but if i again copy and paste conenctionstring it logs in. ???

Thanks in advance.!!
Please try this solution on a different VPC or Environment.

Have you tried this?
What is the outcome?

Reply