Symptoms
When I execute some of the URM SmartObject method calls – eg: Find Group Users, Get Groups -- using the SmartObject Tester, the results that I get on one K2 server (our production server) are inconsistent with the results that I get on another K2 server (our development server), even though both K2 servers are pointing to the same Active Directory. When I run Find Group Users on one server, I get 35 results on the other I get no results. Both K2 servers have the same build. Refreshing the K2 Identity Service on the production server did not resolve the issue. Both servers use different service accounts for K2 however, both service accounts have access to Active Directory. When I look at the host server log, I see a number of error messages stating that the IdentityService.ProviderCacheIdentity:GroupProvider could not find a specific group or groups (eg: 64007 Provider did not return a result for K2:DENALLIXPORTAL Users on GetGroup"). Yet each group listed does indeed exist.
Diagnoses
We determined that there was a Sharepoint Group Provider registered with the same name as the K2 label domain Netbios, i.e. DENALLIX this resulted in the K2 security label not being able to resolve group memberships. When registering a K2 for Sharepoint 2013 App against a site, if the Site Title is the same as the Netbios (DENALLIX) a group provider will be automatically creating during the running of the App Registration Wizard with this value and will cause issues with group resolutions. The Site Title where the K2 App is added and registered should not be the same as the domain Netbios.
To prevent this issue, please rename the Site Title prior to the running of the K2 App Registration Wizard.
To resolve this issue if the App Registration Wizard had already been ran, if possible/applicable, both the Sharepoint Site Title and group provider should be renamed to a matching value that does not conflict with the domain NetBios.
Resolution
To resolve the issue, the group provider name was manually changed via the K2 database > &HostServer].vGroupProvider] table, to not be the same as the domain NetBios, and a restart of the K2 blackpearl server service was performed. It may also be necessary to expire this group's membership using the Identity Refresh tool and then execute the UMUser > Get Group Users method (twice) to affect this update. A K2 database backup is recommended before making any changes directly in the K2 database.
In this case, the Site Title was not renamed. The fall-back to also not renaming the Site Title is that the next time that the K2 App is upgraded on this site or the K2 App Registration Wizard re-ran for this "DENALLIX" site another group provider entry will be created with the same "Netbios" name (and as such it will again cause group resolution errors) this entry will need to be removed via database manipulation each time the K2 App in this site is upgraded or the K2 Registration Wizard re-ran.
A documentation update TFS request was also logged regarding this behavior, and stems from the KB: http://help.k2.com/kb001257
"The label name of the SharePoint group provider should not be same as the NetBIOS (shortname) for an Active Directory domain, as it will interfere with the URM Server when it tries to resolve AD Groups."