
We are using Windows Authentication for all our Smartform apps. We would like to use Mobile Iron's Web@Work on mobile devices to access the apps. This requires the fully qualified domain name to be used everywhere, e.g. http://server.domain.com:81 instead of http://server:81. Tracing a request shows the following:

 

As you can see, the HTTP 302 uses a Location: http://workflow-qa:81 which does not use the domain name.

 

How can I make it add the domain name to the 302 redirect so Mobile Iron is able to complete the authentication handshake?

    --2016-12-08 09:03:27--  http://workflow-qa.domain.com:81/Runtime/Runtime/Form/XXXX
    Resolving workflow-qa.domain.com... 172.18.1.139
    Connecting to workflow-qa.domain.com|172.18.1.139|:81... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: /Runtime/_trust/Login.aspx?ReturnUrl=XXXX [following]
    --2016-12-08 09:03:27--  http://workflow-qa.domain.com:81/Runtime/_trust/Login.aspx?ReturnUrl=%2fRuntime%2fRuntime%2fFormXXXX
    Reusing existing connection to workflow-qa.domain.com:81.
    HTTP request sent, awaiting response... 302 Found
    Location: http://workflow-qa:81/Identity/sts/Windows/wsfed?wa=wsignin1.0&wtrealm=http%3a%2f%2fworkflow-qa.domain.com%3a81%2fRuntime%2f&wctx=rm%3d1%26id%3d%26ru%3d%252fRuntime%252fRuntime%252fForm%252fXXXX
    --2016-12-08 09:03:27--  http://workflow-qa:81/Identity/sts/Windows/wsfed?wa=wsignin1.0&wtrealm=http%3a%2f%2fworkflow-qa.domain.com%3a81%2fRuntime%2f&wctx=rm%3d1%26id%3d%26ru%3d%252fRuntime%252fRuntime%252fForm%252fXXXX

 

 

Here is what I tried so far

The 302 Found Location: http://workflow-qa:81/Identity response is generated by K2 Identity Services. I modified the web.config in the Runtime folder to add the domain name to the realm as follows

    <federationConfiguration>
      <cookieHandler requireSsl="false" path="/" />
      <wsFederation passiveRedirectEnabled="false" issuer="http://none" realm="http://workflow-qa.domain.com:81/Runtime/" requireHttps="false" />
    </federationConfiguration>

I also went to /Runtime/Form/Manage+Site+Realms/ and modified the Realm and Audience URLs to add the domain name. Still didn't solve the Mobile Iron problem. But it broke the SmartForm Designer so I added another realm/audience entry for just the server:port.

 

What am I missing? K2 Support recommended that I reach out to this community/forum to see if anyone has been able to successfully integrate K2 Smartforms with Mobile Iron Web@Work using Windows Authentication.

 

Thanks for any help.
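Added example, not part of the original post: a small Python check that reads a wget-style redirect trace like the one above and reports every absolute `Location:` whose host is a single-label name, alongside the host carried in the WS-Federation `wtrealm` parameter. The sample trace is a constructed, trimmed copy of the one in the question, and the function name `audit_redirects` is hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: trimmed copy of the wget trace quoted in the question.
SAMPLE_TRACE = """\
--2016-12-08 09:03:27--  http://workflow-qa.domain.com:81/Runtime/Runtime/Form/XXXX
HTTP request sent, awaiting response... 302 Found
Location: /Runtime/_trust/Login.aspx?ReturnUrl=XXXX [following]
--2016-12-08 09:03:27--  http://workflow-qa.domain.com:81/Runtime/_trust/Login.aspx?ReturnUrl=XXXX
HTTP request sent, awaiting response... 302 Found
Location: http://workflow-qa:81/Identity/sts/Windows/wsfed?wa=wsignin1.0&wtrealm=http%3a%2f%2fworkflow-qa.domain.com%3a81%2fRuntime%2f&wctx=rm%3d1
"""

REQUEST_RE = re.compile(r"^--.*?--\s+(http\S+)$")   # wget "--timestamp--  URL" line
LOCATION_RE = re.compile(r"^Location:\s+(\S+)")     # redirect target of that request


def audit_redirects(trace):
    """Return one finding per absolute redirect that points at a short host name."""
    findings = []
    requested = None
    for line in trace.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            requested = m.group(1)
            continue
        m = LOCATION_RE.match(line)
        if not m or requested is None:
            continue
        target = urlsplit(m.group(1))
        if not target.hostname:
            continue  # relative Location: the client stays on the requested host
        if "." in target.hostname:
            continue  # host already carries a domain suffix
        # The WS-Federation sign-in URL carries the relying party realm in wtrealm.
        realm = parse_qs(target.query).get("wtrealm", [""])[0]
        findings.append({
            "requested": requested,
            "redirect_host": target.hostname,
            "path": target.path,
            "realm_host": urlsplit(realm).hostname,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_redirects(SAMPLE_TRACE):
        print(finding)
```

On the sample it reports the second hop only: the redirect to the STS uses the short host while the realm inside the same URL is already fully qualified, which separates the issuer address from the realm setting.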

I believe this URL (http://workflow-qa:81/Identity/sts/Windows/) may be tied to the 'Issuers' component of K2.  Which version are you currently using?  There may be a "Manage Issuers" form or Claims > Issuers section of the K2 Management Site (depending on the version) where this machine name can be updated to the fully qualified machine name.


If Tin's recommendation doesn't help then also make sure to check the environment library values and make sure the different K2 entries have the fully qualified URLs.  After making those changes, if you can, you might want to do an IISReset and restart the K2 Service to ensure that the latest values are being retrieved.


Tin - we are on 4.6.11. Where can I find the Manage Issuers section?

Timkn - where can I find the environment library values?

K2 Workspace/Management/Your K2 Server/Environment Library/Templates/Default Template and then drill down into your specific environment (that environment should match up with the environment you're doing your testing in, "Development" for example, but depending on how it was set up that might not be the case).

 

Then look at the URL values to make sure they are the fully qualified URLs (i.e. SmartForms Runtime URL etc.).


timkn - Got it, I checked all the URL values in the environment, they all use fully qualified domain names.

 

tin - You are right, I went to /Runtime/Form/Manage+Issuers and the Windows STS issuer URI did not have the domain name. I added it but that still doesn't help. Going to a http://server.domain:81/Runtime/Form/.... URL in Mobile Iron Web@Work redirects to /Identity/sts/Windows/.... and the Web@Work browser errors out with "a server with the specified hostname could not be found".

 

Looks like the Kerberos authentication token is not being passed along from the MI server to K2 server.  Is the non-standard port (81) the problem? I thought Kerberos delegation applied to the server regardless of port (we have K2 BP apps running on port 80 and they work fine via Mobile Iron Web@Work).

 

Any ideas?


Could you perhaps try one more thing, as the error currently indicates that it is unable to resolve the hostname (likely the K2 server).  That Windows STS site will be mapped to this directory:


 


C:\Program Files (x86)\K2 blackpearl\WebServices\Identity\STS\Windows


 


Please check the 'web.config' file at this directory.  I believe there is a 'HostName' key.   If this is not the fully qualified name, perhaps updating it, performing an IIS reset and retesting.


tin - I tried that, added the domain name to the HostName key in WebServices\Identity\STS\Windows\web.config and did the Setup Manager wizard, which includes resetting IIS, but still no go. Same error in Web@Work. Any other ideas?

