Symptoms

You may observe an issue with K2 smartforms interface when none of the forms are loading due to some authentication failure.
You checked the status of domain controller is being used by K2 server based on domain controller name in error message at the same time you see that base OS/Windows Server is connected to another Domain Controller which is active.

Sample error message:

Error
An error occurred trying to authenticate the user.

More Details

Exception Details:
System.DirectoryServices.ActiveDirectory.ActiveDirectoryServerDownException: The server is not operational. Name: "dc.domain.com" ---> System.Runtime.InteropServices.COMException: The server is not operational. at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_AdsObject() at System.DirectoryServices.PropertyValueCollection.PopulateList() at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName) at System.DirectoryServices.PropertyCollection.get_Item(String propertyName) at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName) --- End of inner exception stack trace --- at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEnt
 

Diagnoses

Based on discription above it looks like K2 keeps using broken Domain Controller. At the same time you may notice that K2 workspace works fine at the time when you have this issue with K2 smartforms. This is because Designer, Runtime and ViewFlow web applications in K2 are using the newer WindowsSTS redirect implementation (http://k2.denalilx.com/Identity/STS/Windows) whereas K2 Workspace still uses "Windows Authentication".

I.e. you may see that K2 workspace uses windows authentication and in its web.config file ADConnectionString is configured as "LDAP://domain.com", for WindowsSTS K2 label is being used, i.e. "LDAP://dc=domain,dc=com"

You may see aforementioned error occurring on the redirect to "http://k2.domain.com/Identity/STS/Windows/"

There is a known issue with Windows STS implementation in K2 when exception on GetGroups causes user authentification to fail on Windows STS this issue is fixed in 4.6.10 but there is still open TFS item to improve error handling with the aim to catch exceptions caused by temporary unavailability of DC and then have STS retry again. In cases where the DC is inaccessible for a short interval for unknown reasons the retry will then connect successfully. 
 

Resolution 

Restart of K2 server/services resolves this issue. Additionally there is an existing feature request to catch these exceptions and have the STS retry again should the DC becomes inaccessible for a short interval for unknown reason (request ID 543801).