

 

Symptoms


Errored processes not showing up under Error Profiles, All
 

Diagnoses


_1
I have a set of processes in production that are in an error state, but they are not showing up in the error profile. I am unable to retry them or retrieve the error message through Workspace or Visual Studio.

_2
After the move to this new K2 server, the identity service is no longer returning/caching results for group membership even after expiration of the group memberships using the force identity refresh tool.
 

Resolution

_1
The process instance was in a black 'Error' state (the viewflow shows that it had erred during an email event, possibly due to the group membership resolution issue in _2 and the use of a destination set), for which a corresponding entry in the "Error Profiles" did not exist for retry execution. One possible method of addressing this issue is to perform "go to activity", if applicable, to re-execute this activity or move the process on to the next activity. Customer will address these error instances on a case-by-case basis.

_2
We added an AD Service2 service instance to test actively querying AD, but this also exhibits the same behavior. For some groups, only partial membership information is returned, which also matches the results that the Identity Service was caching. After some further troubleshooting, we also saw similar behavior when executing the "CheckMaxTokenSize" PowerShell script against certain working user-group memberships (successfully returning results) versus non-working ones (not returning results):

https://gallery.technet.microsoft.com/scriptcenter/Check-for-MaxTokenSize-520e51e5

This script can be executed using:

.\CheckMaxTokenSize.ps1 -Principals 'username' -OSEmulation $true -Details $true

Customer worked with the AD team and determined that the service account for K2 did not have access to the ‘Member Of’ attribute in Active Directory. It appears the old server had been resolving against a cache, so when we moved to the new server the cache was gone and the resolution stopped. Once we granted access to that attribute for the service account, resolution was restored.
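
One way to confirm this condition before or after changing permissions, shown as an added example that is not part of the original article or a K2 tool: run the check below in a session started as the K2 service account. It assumes the RSAT ActiveDirectory module and a single domain; the function name and 'username' are placeholders.

```powershell
# Added example. Run as the K2 service account so results reflect its rights.
Import-Module ActiveDirectory

function Compare-MemberOfVisibility {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    # Forward view: the user's memberOf attribute as this account can read it.
    # If read access to the attribute is missing, this comes back empty or partial.
    $user = Get-ADUser -Identity $SamAccountName -Properties memberOf
    $fromMemberOf = @($user.memberOf)

    # Escape the DN for use inside an LDAP filter (RFC 4515), backslash first.
    $dn = $user.DistinguishedName `
        -replace '\\', '\5c' -replace '\*', '\2a' `
        -replace '\(', '\28' -replace '\)', '\29'

    # Reverse view: groups whose 'member' attribute lists the user.
    # This reads the group objects, not the user's memberOf attribute.
    $fromMember = @(Get-ADGroup -LDAPFilter "(member=$dn)" |
        Select-Object -ExpandProperty DistinguishedName)

    # Groups that list the user but are absent from the user's memberOf.
    $missing = @($fromMember | Where-Object { $fromMemberOf -notcontains $_ })

    [pscustomobject]@{
        User                 = $user.SamAccountName
        MemberOfCount        = $fromMemberOf.Count
        ReverseLookupCount   = $fromMember.Count
        MissingFromMemberOf  = $missing
        # True when the reverse lookup sees groups the forward lookup does not,
        # which points at restricted read access on memberOf.
        LikelyReadRestricted = ($missing.Count -gt 0)
    }
}

# 'username' is a placeholder, as in the CheckMaxTokenSize call above.
Compare-MemberOfVisibility -SamAccountName 'username' | Format-List
```

Running the same function as an administrative account and comparing MemberOfCount between the two runs shows whether the difference is specific to the service account.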




 