hi all,
In IIS when i use the setting of Basic Authentication, i am able to browse my workspace after keying in my credential. however, it gives 401 error when the security setting in IIS change to Integrated Windows Authentication. Please advise the possible cause or any settings i need to configure for integrated windows.
Page 1 / 1
Hi,
Please change the K2 Workspace's web.config file (C:Program FilesK2.net 2003K2WSWorkspaceWeb.config) from <customErrors defaultRedirect="Error_Page.htm" mode="On" /> to <customErrors defaultRedirect="Error_Page.htm" mode="Off" />.
Please review the stack trace error for some useful information. You can also post the trace for me to assist you in this matter.
Please change the K2 Workspace's web.config file (C:Program FilesK2.net 2003K2WSWorkspaceWeb.config) from <customErrors defaultRedirect="Error_Page.htm" mode="On" /> to <customErrors defaultRedirect="Error_Page.htm" mode="Off" />.
Please review the stack trace error for some useful information. You can also post the trace for me to assist you in this matter.
Hi Renier,
Here's the Stack Trace:
[WebException: The request failed with HTTP status 401: Unauthorized.]
Microsoft.VisualBasic.CompilerServices.LateBinding.LateGet(Object o, Type objType, String name, Object[] args, String[] paramnames, Boolean[] CopyBack) +902
Workspace.Net.Report.Page_Load(Object sender, EventArgs e) +350
System.Web.UI.Control.OnLoad(EventArgs e) +67
System.Web.UI.Control.LoadRecursive() +35
System.Web.UI.Page.ProcessRequestMain() +750
Here's the Stack Trace:
[WebException: The request failed with HTTP status 401: Unauthorized.]
Microsoft.VisualBasic.CompilerServices.LateBinding.LateGet(Object o, Type objType, String name, Object[] args, String[] paramnames, Boolean[] CopyBack) +902
Workspace.Net.Report.Page_Load(Object sender, EventArgs e) +350
System.Web.UI.Control.OnLoad(EventArgs e) +67
System.Web.UI.Control.LoadRecursive() +35
System.Web.UI.Page.ProcessRequestMain() +750
Hi Iyven,
This could be caused by a number of problems/issues - anything from Operating systems, Network problems, distributed environment, etc. Please submit an official support request on http://portal.k2workflow.com
Regards,
Ockert
This could be caused by a number of problems/issues - anything from Operating systems, Network problems, distributed environment, etc. Please submit an official support request on http://portal.k2workflow.com
Regards,
Ockert
Hi,
I am having the same problem and below is the stack trace:
System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.InvalidOperationException: An anonymous identity cannot perform an impersonation. at System.Security.Principal.WindowsIdentity.Impersonate(IntPtr userToken, WindowsAccountType acctType) at System.Security.Principal.WindowsIdentity.Impersonate() at WorkSpaceService.FilterService.CreateSession(String ServerName, String Connstr) --- End of inner exception stack trace ---
Please help.
REgards,
Check Leam
I am having the same problem and below is the stack trace:
System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.InvalidOperationException: An anonymous identity cannot perform an impersonation. at System.Security.Principal.WindowsIdentity.Impersonate(IntPtr userToken, WindowsAccountType acctType) at System.Security.Principal.WindowsIdentity.Impersonate() at WorkSpaceService.FilterService.CreateSession(String ServerName, String Connstr) --- End of inner exception stack trace ---
Please help.
REgards,
Check Leam
Hi,
Once again, this can be caused by any one or a combination a different configurations. Things to check:
1. If your K2.net 2003 Server and IIS resides on 2 different machines, you'll have to enable Kerberos authentication - please refer to the following Knowledge Base article - http://kb.k2workflow.com/Articles/KB000030.aspx
2. Make sure your Directory Security on your K2V3, Workspace and WorkspaceService sites are all set NOT to allow Anonymous access but ONLY Integrated Windows Authentication in IIS.
3. Also make sure that the three mentioned sites all run under the same Application Pool and the identity used to execute the AppPool is either set to Network Service, Local System or preferrably a dedicated domain account.
4. Make sure all instances of Internet Explorer (IE) are version 6 or higher.
5. Make sure that 'Enable Integrated Windows Authentication (requires restart)' is checked in IE - Tools | Internet Options | Advanced.
These are only the first five things (I could quickly think of) to check but the problem could still be caused by something else.
If the problem persists, please contact your local K2.net Support Desk.
Regards,
Ockert
Once again, this can be caused by any one or a combination a different configurations. Things to check:
1. If your K2.net 2003 Server and IIS resides on 2 different machines, you'll have to enable Kerberos authentication - please refer to the following Knowledge Base article - http://kb.k2workflow.com/Articles/KB000030.aspx
2. Make sure your Directory Security on your K2V3, Workspace and WorkspaceService sites are all set NOT to allow Anonymous access but ONLY Integrated Windows Authentication in IIS.
3. Also make sure that the three mentioned sites all run under the same Application Pool and the identity used to execute the AppPool is either set to Network Service, Local System or preferrably a dedicated domain account.
4. Make sure all instances of Internet Explorer (IE) are version 6 or higher.
5. Make sure that 'Enable Integrated Windows Authentication (requires restart)' is checked in IE - Tools | Internet Options | Advanced.
These are only the first five things (I could quickly think of) to check but the problem could still be caused by something else.
If the problem persists, please contact your local K2.net Support Desk.
Regards,
Ockert
Hi,
I manage to solve the problem by disable the loopback of the server which running on windows 2003 SP1.
The steps that i perform are as below
Step-by-Step Problem Resolution
NTLM
Follow these steps to disable the loopback check:
1. Click Start | Run and then type regedit , and click OK .
2. In Registry Editor, locate and then click the following registry key: KEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa
3. Right-click Lsa , point to New, and then click the DWORD value.
4. Type DisableLoopbackCheck , and then press Enter .
5. Right-click DisableLoopbackCheck , and then click Modify .
6. In the Value data box, type 1, and then click OK .
7. Quit Registry Editor, and then restart your computer.
For more information on these steps please refer to the following Microsoft KB article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;896861
Caution: Please be advised that only those familiar with editing the registry should perform this step. If used incorrectly or if incorrect changes are made, this may cause your installation of Windows not to function correctly and may require the operating system to be reinstalled. K2,net 2003 and the Microsoft corporation do not accept any liability for loss of data or damage to systems or intellectual property should the system fail or not function correctly as a result of editing the registry. You are advised that you edit the system registry entirely at your own risk.
You can find these steps in article KB000098 of K2 knowledgbase .
I manage to solve the problem by disable the loopback of the server which running on windows 2003 SP1.
The steps that i perform are as below
Step-by-Step Problem Resolution
NTLM
Follow these steps to disable the loopback check:
1. Click Start | Run and then type regedit , and click OK .
2. In Registry Editor, locate and then click the following registry key: KEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa
3. Right-click Lsa , point to New, and then click the DWORD value.
4. Type DisableLoopbackCheck , and then press Enter .
5. Right-click DisableLoopbackCheck , and then click Modify .
6. In the Value data box, type 1, and then click OK .
7. Quit Registry Editor, and then restart your computer.
For more information on these steps please refer to the following Microsoft KB article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;896861
Caution: Please be advised that only those familiar with editing the registry should perform this step. If used incorrectly or if incorrect changes are made, this may cause your installation of Windows not to function correctly and may require the operating system to be reinstalled. K2,net 2003 and the Microsoft corporation do not accept any liability for loss of data or damage to systems or intellectual property should the system fail or not function correctly as a result of editing the registry. You are advised that you edit the system registry entirely at your own risk.
You can find these steps in article KB000098 of K2 knowledgbase .
Hi Iyven,
What version of K2.net are you running?
What version of K2.net are you running?
Hi Renier,
The version i am using is K2.NET SP2a
The version i am using is K2.NET SP2a
I tried disabling the loopback editor like Iyven suggested and that solution did not work for my 401 error. Does anyone else have a suggestion as to how to solve this issue?
This issue comes up all the time - it really depends on your environment - if you open a support ticket - it will be easier to know how to advise you.
You can read Kb 98 and Kb 123 for starters.
I would suggest the following configuration (but note it is not the only way to make things work)
assumptions:
All things K2 are on the same box
You have a domain account (k2svc) created to run your k2 services
--In windows services - check the properties of the k2service
k2 service = logon set to k2svc
--In IIS manager check the properties of the k2v3 vir dir
ensure the K2v3 webapp runs under a k2apppool with the identity set to k2svc
ALSO ensure that all the vir dirs UNDER k2v3 run under that same k2apppool (workspace, workspaceservice, infopathservice...)
--In computer management - users and computers
That k2svc domain account - must be in both the
iis_wpg group and the local admin group on the k2 box
--In Enterprise manager
The k2svc account must be a security login in sqlserver and must be the dbo of the k2 and the k2log databases.
--In Windows Explorer
The web.config file for the workspaceservice (c program files k2.net 2003 k2ws) must be set up for sspi and impersonate must be set to false.
--In k2service manager, under database settings
the k2 service is using WIA
--In regedit (start run)
Disable the loopback check
1. create a registry key under Lsa (see kb98)
2. ensure the key is spelled correctly with the correct case
*** DisableLoopbackCheck ***
3. the value is set to 1
4. be sure to reboot the k2 box after setting the registry key
-- In windows explorer
ensure that authenticated users (a local group on the k2 box) have modify rights to both the following folders...
1. c windows temp
2. c windows msft.net framework 1.1... temporary aspnet
--In a browser
ensure you can browse the workspace service - WITHOUT getting prompted - if not, then the workspace won't be able to get info from this service to populate the reports - and it will get the 401
(http://k2servername/k2v3/workspaceservice/filterservice.asmx)
To troubleshoot being prompted for creds...
--In IE - tools ->internet options
Ensure that the client settings in IE are set up for pass-through authentication:
1. under advanced - enable integrated authentication (scroll to the bottom)
2. under security -> select local intranet -> click on Custom level -> scroll to the bottom and make sure the raio button for auto ogon with currwnt uname and password is checked
If that doesn't solve it then you will probably need kerberos set up ---
read kb 123
hope that helps
You can read Kb 98 and Kb 123 for starters.
I would suggest the following configuration (but note it is not the only way to make things work)
assumptions:
All things K2 are on the same box
You have a domain account (k2svc) created to run your k2 services
--In windows services - check the properties of the k2service
k2 service = logon set to k2svc
--In IIS manager check the properties of the k2v3 vir dir
ensure the K2v3 webapp runs under a k2apppool with the identity set to k2svc
ALSO ensure that all the vir dirs UNDER k2v3 run under that same k2apppool (workspace, workspaceservice, infopathservice...)
--In computer management - users and computers
That k2svc domain account - must be in both the
iis_wpg group and the local admin group on the k2 box
--In Enterprise manager
The k2svc account must be a security login in sqlserver and must be the dbo of the k2 and the k2log databases.
--In Windows Explorer
The web.config file for the workspaceservice (c program files k2.net 2003 k2ws) must be set up for sspi and impersonate must be set to false.
--In k2service manager, under database settings
the k2 service is using WIA
--In regedit (start run)
Disable the loopback check
1. create a registry key under Lsa (see kb98)
2. ensure the key is spelled correctly with the correct case
*** DisableLoopbackCheck ***
3. the value is set to 1
4. be sure to reboot the k2 box after setting the registry key
-- In windows explorer
ensure that authenticated users (a local group on the k2 box) have modify rights to both the following folders...
1. c windows temp
2. c windows msft.net framework 1.1... temporary aspnet
--In a browser
ensure you can browse the workspace service - WITHOUT getting prompted - if not, then the workspace won't be able to get info from this service to populate the reports - and it will get the 401
(http://k2servername/k2v3/workspaceservice/filterservice.asmx)
To troubleshoot being prompted for creds...
--In IE - tools ->internet options
Ensure that the client settings in IE are set up for pass-through authentication:
1. under advanced - enable integrated authentication (scroll to the bottom)
2. under security -> select local intranet -> click on Custom level -> scroll to the bottom and make sure the raio button for auto ogon with currwnt uname and password is checked
If that doesn't solve it then you will probably need kerberos set up ---
read kb 123
hope that helps
Reply
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.