I am experiencing an issue where a user logged in to SharePoint updates a document. This document then calls the ItemUpdated EventReceiver
that contains some custom code to call a K2 Process instance. The code runs as the K2 Service Account (k2_svc_act) regardless of the logged-in user. This works fine in my development
environment; however, when moving to Test I get the following error. The k2_svc_act already has permission to start the process in question.
For Reference...
K2 Server - A1
SharePoint Server - A3 and A4
Event Source: StartWorkflowFromContentType
Computer: A4
Message: 28026 K2:NT AUTHORITY\ANONYMOUS LOGON does not have permissions to impersonate user k2_svc_act
at SourceCode.Workflow.Client.InternalConnection.Call(ArchiveX ar, MessageType msgtype)
at SourceCode.Workflow.Client.InternalConnection.CallFunction(ArchiveX ar)
at SourceCode.Workflow.Client.Connection.ImpersonateUser(String UserName)
at ACME.EMS.Services.TaskController.Start(SPListItem listItem, String currentSite)
at ACME.EMS.Services.K2Helper.StartWorkflowFromContentType(SPListItem contentType, String currentSite)
After doing some investigation I found out this is due to Kerberos issues (the sharepoint_svc_act account has the ability to kick off the process in question). So when I turned on Kerberos logging I found the following issue...
Event Type: Error
Event Source: Kerberos
Computer: A4
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 19:35:49.0000 1/5/2011 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc0000272 KLIN(0)
Client Realm:
Client Name:
Server Realm: ACME.NET
Server Name: K2Server/A1:5252
Target Name: K2Server/A1:5252@ACME.NET
Error Text:
File: 9
Line: b22
Error Data is in record data.
Then, realizing the issue, I looked into Kerberos by comparing my development environment (where this is working) and the test environment, and saw that my SharePoint service account, where the custom code gets initiated (A4), did not have access to the K2Server service on my K2 Server (A1).
So I followed this by setting the SPNs:
Setspn -A K2Server/A1 ACME\sharepoint_svc_act
Setspn -A K2Server/A1.ACME.NET ACME\sharepoint_svc_act
That updated successfully; however, when going to AD and then the delegation tab for my sharepoint_svc_act account, the K2Server service type does not appear in the list. In order for my custom code located on my SharePoint servers (A3 and A4) to work, I assume that I need my SharePoint service account (sharepoint_svc_act) to have access to the K2 Server service on the K2 Server (A1). K2 for SharePoint is installed on both my SharePoint servers, so all the appropriate K2 dlls should be registered. However, how do I add this service so that it appears in the Service Type list?
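The following read-only audit script is an added example, not code from the original poster or from K2; it reads the Kerberos facts the post compares between the dev and test environments: which account owns the K2Server SPN for A1, whether that SPN is registered more than once, and what the sharepoint_svc_act delegation tab actually contains (the tab is a view of the TrustedForDelegation, msDS-AllowedToDelegateTo and TrustedToAuthForDelegation attributes). It assumes the RSAT ActiveDirectory PowerShell module, read access to the domain, and the placeholder names from the post (K2Server/A1, port 5252 from the Kerberos event, ACME.NET, sharepoint_svc_act).

```powershell
# Added audit script (not from the original post). Read-only: it queries AD for the
# SPN ownership and delegation settings behind the errors quoted above.
# Assumes the RSAT ActiveDirectory module and the post's placeholder names.
Import-Module ActiveDirectory

$ServiceClass  = 'K2Server'            # service class used in the post's SPNs
$ServiceHost   = 'A1'                  # K2 server; the client requested K2Server/A1:5252
$ServicePort   = '5252'                # port seen in the Kerberos event's Target Name
$ClientAccount = 'sharepoint_svc_act'  # account running the event receiver code on A3/A4

# --- 1. Which account(s) hold the K2Server SPNs for host A1? ---------------------
# The KDC issues a service ticket only when exactly one account holds the SPN;
# no owner and duplicate owners both break Kerberos to that service.
$spnPattern = "^$ServiceClass/$ServiceHost(\.|:|$)"   # A1, A1.ACME.NET, A1:5252; not A10
$owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$ServiceClass/${ServiceHost}*)" `
                       -Properties servicePrincipalName, objectClass |
          Where-Object { $_.servicePrincipalName -match $spnPattern }

"SPN owners for $ServiceClass/$ServiceHost (exact host only):"
foreach ($o in $owners) {
    $matching = $o.servicePrincipalName | Where-Object { $_ -match $spnPattern }
    "  {0} ({1}): {2}" -f $o.Name, $o.objectClass, ($matching -join ', ')
}
if (@($owners).Count -gt 1) {
    Write-Warning "Duplicate SPN registration for $ServiceClass/$ServiceHost; Kerberos to this service will fail."
}
if (@($owners).Count -eq 0) {
    Write-Warning "No account holds $ServiceClass/$ServiceHost; the KDC has nothing to issue a ticket for."
}

# --- 2. What delegation is configured on the SharePoint service account? ---------
# The AD "Delegation" tab is a view of these attributes:
#   TrustedForDelegation       -> "Trust this user for delegation to any service" (unconstrained)
#   msDS-AllowedToDelegateTo   -> "... to specified services only" (the service list in the tab)
#   TrustedToAuthForDelegation -> "Use any authentication protocol" (protocol transition)
$client = Get-ADUser -Identity $ClientAccount -Properties TrustedForDelegation,
              TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo', servicePrincipalName
$allowed = @($client.'msDS-AllowedToDelegateTo')

[pscustomobject]@{
    Account                 = $client.SamAccountName
    OwnSPNs                 = ($client.servicePrincipalName -join ', ')
    UnconstrainedDelegation = $client.TrustedForDelegation
    ProtocolTransition      = $client.TrustedToAuthForDelegation
    ConstrainedTargets      = ($allowed -join ', ')
}

# The KDC matches the SPN the client requested against the constrained list, so check
# both the plain form and the port form that appears in the Kerberos event.
$wanted = @("$ServiceClass/$ServiceHost", "$ServiceClass/${ServiceHost}:$ServicePort")
$covered = $wanted | Where-Object { $allowed -contains $_ }
if (-not $client.TrustedForDelegation -and -not $covered) {
    Write-Warning "$ClientAccount has no delegation entry for $($wanted -join ' or ')."
}
```

Run it in both environments and diff the output: section 1 shows which account the KDC will map `K2Server/A1` to, and section 2 shows whether the account that runs the event receiver is allowed to delegate to it. Note that the "Add Services" dialog on the delegation tab is populated from the SPNs held by the users or computers you select in it, so the account reported in section 1 is the one to pick there for the K2Server type to be offered.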