Symptoms
We would like to switch the Windows authentication mode to the Forms authentication mode for the K2 Runtime site.
We followed the steps in the "K2 smartforms Security and Authentication" document (help.k2.com/files/4608).
Here are the steps we followed:
- Open the web.config of the K2 Runtime web site (C:\Program Files (x86)\K2 blackpearl\K2 smartforms Runtime\web.config)
- Change "authentication mode" to "Forms"
- Change "windowsAuthentication enabled" to "false"
- Ensure "ConnectAsAppPool" is set to "false"
- Ensure "Deny users" is uncommented and "allow users" is commented
- Run IISReset and restart the K2 blackpearl server service
- Go to IIS to check that all the authentication settings are correct (Anonymous and Forms authentication enabled)
- Add a new user to Active Directory
- Run IE as a different user (new user), delete all cache and cookies
- Go to a smartform runtime URL (http://www.contoso.com/Runtime/Runtime/Form/FormName/)
The first time, the Windows security popup appears, asking for a login and password. If we click Cancel and press F5, the smartform loads without showing the Windows security popup again and everything works well.
First question: Why is the Windows security popup not shown each time we refresh, as long as we have not entered the user login and password?
Second question: How do we show the Forms login.aspx page rather than the Windows security popup?
We are working on a VM with:
- SQL Server 2008 standalone installation
- K2 4.6.8 standalone
- logged on as administrator
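The web.config steps listed above can be checked mechanically before looking further. The following is an added example, not code from K2 or from the original article: it assumes the standard ASP.NET/IIS element layout, assumes "ConnectAsAppPool" is stored as an `<add key="..." value="..."/>` entry, and runs against a constructed sample file.

```python
import xml.etree.ElementTree as ET

def audit_web_config(xml_text):
    """Return a list of deviations from the steps above (empty list = all match)."""
    root = ET.fromstring(xml_text)  # XML comments are dropped by the parser
    findings = []

    auth = root.find("./system.web/authentication")
    mode = auth.get("mode") if auth is not None else None
    if mode != "Forms":
        findings.append(f"authentication mode is {mode!r}, expected 'Forms'")

    # windowsAuthentication can also sit inside <location> blocks, so check all.
    win = [e.get("enabled", "") for e in root.iter("windowsAuthentication")]
    if not win or any(v.lower() != "false" for v in win):
        findings.append('windowsAuthentication is missing or not enabled="false"')

    # Assumption: ConnectAsAppPool is stored as <add key="..." value="..."/>.
    cap = [e.get("value", "") for e in root.iter("add")
           if e.get("key") == "ConnectAsAppPool"]
    if not cap or any(v.lower() != "false" for v in cap):
        findings.append("ConnectAsAppPool is missing or not set to 'false'")

    authz = root.find("./system.web/authorization")
    rules = [] if authz is None else [e.tag for e in authz]
    if "deny" not in rules:
        findings.append("no active <deny users> rule (still commented out?)")
    if "allow" in rules:
        findings.append("<allow users> rule is still active (not commented)")
    return findings

# Constructed sample: Forms mode is set, but other steps were missed.
SAMPLE = """<configuration>
  <appSettings><add key="ConnectAsAppPool" value="false"/></appSettings>
  <system.web>
    <authentication mode="Forms"/>
    <authorization>
      <!-- <deny users="?"/> -->
      <allow users="*"/>
    </authorization>
  </system.web>
  <system.webServer><security><authentication>
    <windowsAuthentication enabled="true"/>
  </authentication></security></system.webServer>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE):
        print("MISMATCH:", finding)
```

A missing element is reported as a mismatch rather than silently accepted, so a file with an unexpected layout does not pass the check by accident.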
Diagnoses
There are more configuration steps to follow, please see the resolution.
Resolution
Please check your current Claims, Issuers and Site Realms settings. To do that, open your K2 Designer and expand the following nodes:
All items -> System -> Management -> Security -> Forms, then select "Manage Claims", "Manage Issuers" or "Manage Site Realms".
Double-check that all your settings are correct. Change your K2 Designer / Runtime / ViewFlow URIs to use either K2 Windows STS or K2 Forms STS (or both). It is not necessary to restart the K2 Host Server after making these changes; however, if you change anything in the K2 database (which is not recommended), you will have to restart K2.
Since 4.6.8, there is a separate K2 Token Issuer Service, which runs in the background along with the K2 Host Server service and solves some problems regarding forced impersonation. Also make sure that this service is running.
Please contact support if you are still struggling with this.