
This is probably due to incorrect Kerberos config -

I have K2 running in an NLB cluster (2 servers). I export my processes to the cluster with no problem. If I try and change the authentication scheme to Kerberos only, I get the error in the service manager itself: "Auth with server failed".

I'm using K2 2003 SP3.

I have registered an SPN for the cluster manually. I notice if I try this from the K2 service manager it creates an SPN for the machine and not the cluster - so I always delete the extra SPNs (doesn't work anyway if I leave them in).

If I select "Kerberos, NTLM" in the Service Manager - I can connect with my workspace but I see in the Server console that NTLM is used.

I then try and connect from an ASP.Net 2.0 app on another server (that's why I need Kerberos) and I see in the Service console that NTLM is used with ANONYMOUS. So no connection.

The ASP.Net application also works independently with SQL Server on another box and that successfully does Kerberos.

My SPNs for the K2 cluster look like this:

K2Server2003/K2ClusterName domainheavyprivilegeduser
K2Server2003/K2ClusterName.mydomain.c domainheavyprivilegeduser

Any help would be appreciated.

Hi,

I managed to get a bit further with this. When browsing to the workspace I see now that Kerberos is used. The only thing I did was disable "Allow anonymous access" on the User Manager tab of the Service Manager properties.

However I still have the problem that my web application uses NTLM - or appears to - at least that's what I see in the Service console.

I have 1 ASP.Net 2.0 app on Server A. This server is trusted for delegation, IIS uses Negotiate, and there is an SPN for this website. The first thing the app does is make a connection to SQL Server and get some data - completely independent of K2. The Security Event Logs on the IIS server (Server A) and on the SQL Server (Server B) both show that the transaction is done over Kerberos.

The next step is to try and read the K2 worklist from the application - we see that this uses NTLM in the Service console. We read the worklist with the K2ROM - does this need any specific configuration?

I thought I'd post how far I've come in case anyone else needs any hints.

I now have a situation where Kerberos works fully but only to specified servers in the cluster. That is, I use an SPN for one of my K2 servers (any one - doesn't matter) and remove the SPN for the cluster. This works. But I also had to go to the "User Manager" tab on the K2 Server (in this cluster) properties and uncheck the "Use Anonymous" checkbox. During server registration I specify "Kerberos,NTLM" and make sure anonymous is not set - but the checkbox on the "User Manager" tab remains checked.

My only issue now is to figure out why, when using an SPN for the cluster, Kerberos stops working and goes back to NTLM. So this means at the moment I'm not using a clustered K2 service.

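An added example, not part of the thread and not K2's own tooling: Kerberos needs each SPN to map to exactly one account, the one the service runs as, so this check over `setspn -L` output for the service account and the cluster nodes reports whether the cluster SPN is missing, duplicated, or held by a different account. The account DNs, the `mydomain.example` domain and the sample listing are constructed for illustration.

```python
import re
from collections import defaultdict

HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+):\s*$")

# Constructed sample: concatenated `setspn -L <account>` output for two accounts.
SAMPLE = """\
Registered ServicePrincipalNames for CN=k2svc,CN=Users,DC=mydomain,DC=example:
        K2Server2003/K2ClusterName
Registered ServicePrincipalNames for CN=K2NODE1,CN=Computers,DC=mydomain,DC=example:
        HOST/K2NODE1
        K2Server2003/K2ClusterName
        K2Server2003/K2ClusterName.mydomain.example
"""

def parse_setspn_listing(text):
    """Map each account DN to the SPNs listed under it."""
    accounts, current = defaultdict(list), None
    for line in text.splitlines():
        header = HEADER.match(line.strip())
        if header:
            current = header.group(1)
        elif line.strip() and current:
            accounts[current].append(line.strip())
    return dict(accounts)

def audit_spns(accounts, service_class, hosts, service_account_dn):
    """Return (problem, spn) pairs; SPNs are compared case-insensitively."""
    owners = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(dn)
    findings = []
    for host in hosts:
        spn = f"{service_class}/{host}".lower()
        held_by = owners.get(spn, set())
        if not held_by:
            findings.append(("missing", spn))
        elif len(held_by) > 1:
            findings.append(("duplicate", spn))       # more than one account holds it
        elif service_account_dn not in held_by:
            findings.append(("wrong-account", spn))   # not on the service account
    return findings

if __name__ == "__main__":
    svc = "CN=k2svc,CN=Users,DC=mydomain,DC=example"  # assumed service account DN
    names = ["K2ClusterName", "K2ClusterName.mydomain.example"]
    for problem, spn in audit_spns(parse_setspn_listing(SAMPLE), "K2Server2003", names, svc):
        print(problem, spn)
```
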