Symptoms
In some cases after upgrading K2 the following errors/warnings are displayed:
1) Warning: The following rights are still required for Impersonation: RoleBased Access Control.
At the end of the analysis page of that warning message it says: "Could not repair, please check if the user ' userAccount]' has sufficient rights to grant the required permissions and that a connection can be made to the Exchange server. Please ensure the Exchange Management Console is installed on this machine"
2) Error: Could not set key access: System.Exception: Could not find certificate: *ceritficate id* in any store. at SourceCode.Install.Common.Classes.Certificates.AddAccessToCertidicate(....."
-I am not sure what certificate this means
Diagnoses
Warning _1: Occurs as a result of installation account and or k2 service account not having enough permissions on Exchange.
Error _2: Occurs as a result of k2 service account not having permissions (read) on the certificate.
Resolution
Warning _1:
This can be resolved by ensuring that the account being used for installation has the following permissions:
This account should have View-Only rights for Exchange to be able to browse Exchange servers and mailbox databases.
Also give the account Execute rights on the Microsoft.PowerShell configuration, by running the following command in the Exchange Management Shell: Set-PSSessionConfiguration Microsoft.PowerShell –ShowSecurityDescriptorUI
also that the K2 service account has the following permissions:
The K2 Service Account needs “ApplicationImpersonation” rights.
For Enable/Disable mailbox the account used to install the option needs to be part of the “Organizational Management” or “Recipient Management” role group or create the account as a “Global Administrator”.
Also give the account Execute rights on the Microsoft.PowerShell configuration, by running the following command in the Exchange Management Shell: Set-PSSessionConfiguration Microsoft.PowerShell –ShowSecurityDescriptorUI
Reference KB: http://help.k2.com/kb001189
Error _2:
The error is usually resolved as follows:
Open up the certificate store on the K2 server and look for a certificate with a Friendly name starting with K2 Self Signed Certificate. Double click on the certificate, click on the Details tab, and scroll down to check the Thumbprint. Once you find the certificate that matches the thumbprint in that error right click on it and select Manage Private Keys and make sure the K2 service account and the identity of the application pools for the K2 sites have full control to it.
Example:
Go to server -> click Start -> Run -> type mmc -> enter -> select Certificates snap-in with Local Computer option -> Go to Console Root-> Certificates-> Personal-> Certificates-> Select a cert-> Right click-> Go to All tasks-> Manage Private Keys-> Add permissions
BUT If the accounts already have permissions, the error can be safely ignored.
