Symptoms
After upgrading from a version older than 4.6.9 to 4.6.9 or newer, you observe many of the following errors in the K2 host server log:
Error - 10702 An error occurred in the SharePointGroupsService Service Instance. The request failed with HTTP status 401: Unauthorized
No such errors were logged prior to the upgrade, and platform functionality does not seem to be impacted.
Diagnoses
The logs show that these errors are generated before the request is retried as the service account. You will see a sequence like this in the host server log:
First, an error is logged:
10702 An error occurred in the SharePointGroupsService Service Instance. The request failed with HTTP status 401: Unauthorized.
The next item logged is:
10700 Service Broker will retry the SharePointGroupsService Service Instance as the K2 Service Account, in case failure was due to delegation issues.
The next item is logged after successful execution with the service account:
10046 SmartObject execution event raised successfully.
This is expected behavior: PTA (Pass-Through Authentication) will only kick in when a 401 error occurs. The server watches for this error and, as soon as it occurs, 'falls back' to the K2 service account.
In K2 versions older than 4.6.9, these errors do not appear in the K2 host server log at the default logging level. This is due to a change in 4.6.9: ADUM/Identity errors are no longer swallowed or hidden when using "ClientWindows/K2 pass-through" authentication.
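Because the expected 401 entries add noise that can hide a genuine authentication failure, it helps to separate the two when reviewing the log. The following is an added example, not K2 code: it walks the log and marks each 10702/401 entry as an expected fallback only when the 10700 retry and the 10046 success follow it. The one-entry-per-line layout, the timestamp/severity prefix, and the names `classify_401s` and `window` are assumptions.

```python
import re

# Event IDs and message text come from the article; the timestamp/severity
# prefix and one-entry-per-line layout are assumptions for this example.
EVENT = re.compile(r"\b(10702|10700|10046)\b")

def classify_401s(lines, instance="SharePointGroupsService", window=5):
    """Return (line_no, verdict) for every 401 error logged for `instance`.

    "expected_fallback": the 10702 entry is followed, within `window` entries,
    by 10700 (retry as service account) and then 10046 (success).
    "unresolved": anything else, which deserves a closer look.
    """
    results = []
    for i, line in enumerate(lines):
        m = EVENT.search(line)
        if not (m and m.group(1) == "10702"
                and instance in line and "HTTP status 401" in line):
            continue
        retried, verdict = False, "unresolved"
        for nxt in lines[i + 1 : i + 1 + window]:
            m2 = EVENT.search(nxt)
            if not m2:
                continue
            if m2.group(1) == "10700" and instance in nxt:
                retried = True
            elif m2.group(1) == "10046" and retried:
                verdict = "expected_fallback"
                break
            elif m2.group(1) == "10702":
                break  # another error arrived before this one resolved
        results.append((i + 1, verdict))
    return results

# Constructed sample log (not taken from a real system).
ERR = ("Error 10702 An error occurred in the SharePointGroupsService Service "
       "Instance. The request failed with HTTP status 401: Unauthorized.")
RETRY = ("Info 10700 Service Broker will retry the SharePointGroupsService Service "
         "Instance as the K2 Service Account, in case failure was due to delegation issues.")
OK = "Info 10046 SmartObject execution event raised successfully."
SAMPLE_LOG = [
    f"2015-06-01 10:00:01 {ERR}", f"2015-06-01 10:00:01 {RETRY}",
    f"2015-06-01 10:00:02 {OK}",
    f"2015-06-01 10:05:00 {ERR}", f"2015-06-01 10:05:00 {RETRY}",
    f"2015-06-01 10:05:01 {ERR}",  # retry as service account also failed
]

if __name__ == "__main__":
    for line_no, verdict in classify_401s(SAMPLE_LOG):
        print(line_no, verdict)
```

On a busy server, entries from concurrent requests interleave, so a 10046 from another request can fall inside the window; treat "expected_fallback" as a triage hint and review every "unresolved" entry.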
Resolution
Where acceptable, consider switching the SharePointGroupsService Service Instance from Impersonate to Service Account. These errors should also not be logged in environments where Kerberos is configured.