Hello

I have a K2.NET / InfoPath process that works in our test environment. When I deployed it to my newly built dev environment (both are VMWare 2003 SP1 instances in our domain) and tried to start a process via an InfoPath form, I got a message box stating that NT AuthenticationAnonymous cannot start a process.

I ALSO see an entry in my system event log that looks like this:

The Security System could not establish a secured connection with the server K2Server2003/K2covw2k3sps1dev. No authentication protocol was available.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I know that impersonation is working as I can create a WSS site and restrict or allow access to it for a dummy account. I am sure something is not configured correctly.

Could someone point me in the correct direction? Thanks so much in advance.

Cheers, Terry

Hi,

Did a quick Google on the error and it seems that generally this error is associated with a DHCP/DNS misconfiguration. Here's a link with a few comments and suggestions that may help on the error:
http://www.eventid.net/display.asp?eventid=40961&eventno=1398&source=LsaSrv&phase=1

It doesn't seem to be a DNS issue, here is some more information I found...

From the AdumError.log
****************************************************
05-05-06 09:32:56 NameToDN
Could not Resolve the NameToDN because the SamAccountName could not be resolved
at ADUM.Translate.NameToDN(String name)
Additional Information
NameToDN(Name: NT AUTHORITYANONYMOUS LOGON)

05-05-06 09:32:56 GetUser
Unknown error (0x80005000)
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.RefreshCache()
at ADUM.K2UserManager.GetDirectoryEntry(String path)
at ADUM.K2UserManager.GetUser(String Name)
Additional Information
GetUser(NT AUTHORITYANONYMOUS LOGON)

05-05-06 09:32:56 NameToDN
Could not Resolve the NameToDN because the SamAccountName could not be resolved
at ADUM.Translate.NameToDN(String name)
Additional Information
NameToDN(Name: NT AUTHORITYANONYMOUS LOGON)

05-05-06 09:32:56 GetUser
Unknown error (0x80005000)
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.RefreshCache()
at ADUM.K2UserManager.GetDirectoryEntry(String path)
at ADUM.K2UserManager.GetUser(String Name)
Additional Information
GetUser(NT AUTHORITYANONYMOUS LOGON)
****************************************************

from the K2Error.log
****************************************************
05-05-06 09:32:56 User.GetAllRights: Unknown error (0x80005000)
at ADUM.K2UserManager.GetUser(String Name)
at ADUM.K2UserManager.FindSecurityGroups(String User, String Name, String Description)
at SourceCode.KO.User.GetAllRights(String name)
05-05-06 09:32:56 CreateProcessInstance: NT AUTHORITYANONYMOUS LOGON does not have permissions to start the process
at K2Worker.CreateProcessInstance(Object ocon, ArchiveX ar)
****************************************************

from the K2Server.log
****************************************************
05-05-06 09:31:23 Authenticated centralk2workflow using NTLM
05-05-06 09:32:56 Authenticated NT AUTHORITYANONYMOUS LOGON using NTLM
05-05-06 09:32:56 Marshalling: CreateProcessInstance
05-05-06 09:32:56 NT AUTHORITYANONYMOUS LOGON does not have permissions to start the process
05-05-06 09:33:27 Authenticated CENTRALLINDQUISTTK using NTLM
05-05-06 09:33:27 Marshalling: OpenWorklist2
****************************************************

I can see from the server log that I was authenticated (Centrallindquisttk), but just before that, it thought I was anonymous. I know I am the only one on this box at this point.

My network friends have told me there are no DNS issues. However, in the SYSTEM event log the following entry always appears:

****************************************************
The Security System could not establish a secured connection with the server K2Server2003/K2covw2k3sps1dev. No authentication protocol was available.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
****************************************************

Which is really strange because the machine's name is COV2K3SPS1DEV in the CENTRAL domain. There is no machine called K2covw2k3sps1dev and we don't have a K2Server2003 domain.

I am certain something is not configured correctly - but I am having problems knowing where to look. Any help is greatly appreciated.

Thanks! Terry

Read the K2 KB 123:
http://kb.k2workflow.com/Articles/KB000123.aspx
This is your SPN for the k2service:
The first part is not a domain but the name of the service.
The second part has the K2 appended to it, as that is the naming convention K2 uses for its K2 SPNs.

It gets created when you click on the "add" button in the k2service manager - under the k2.net service account.

Is Kerberos required to get K2 to run correctly??

We're not running Kerberos anywhere else on our Network, and the Network staff is reluctant to turn it on...

Thanks again.

Because K2 relies on pass-through authentication and uses a combination of webforms, the k2service, webservices, SharePoint and SQL (to name a few), the logged-in user's credentials must be passed around to all these resources. If all those pieces live on the same server, then the credentials will be maintained, but if you separate the components onto 2 or more servers and try to pass the creds in more than one hop, then yes, you will need it.

Example: Your SharePoint box authenticates - then your webpart needs to send the user's creds to the k2server in order to get the user's worklist items (using the k2v3 webservices) - when the user's creds are presented to the other server - the other server does not recognize the user as being logged on anymore (no ability to authenticate using NTLM for multiple hops).

If you can put K2 on the same server with sps - then you may be able to get things working without it.
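
A triage check for the symptom described above, as an added example that is not part of the original thread: it scans K2Server.log text for calls that arrived as ANONYMOUS LOGON, the sign that the user's credentials were lost on the second hop. The line format is inferred from the excerpt posted earlier in the thread, and the function and field names are hypothetical.

```python
import re

# Lines copied from the K2Server.log excerpt in this thread. The backslash in
# account names is missing there, so the patterns accept both spellings.
SAMPLE_LOG = """\
05-05-06 09:31:23 Authenticated centralk2workflow using NTLM
05-05-06 09:32:56 Authenticated NT AUTHORITYANONYMOUS LOGON using NTLM
05-05-06 09:32:56 Marshalling: CreateProcessInstance
05-05-06 09:32:56 NT AUTHORITYANONYMOUS LOGON does not have permissions to start the process
05-05-06 09:33:27 Authenticated CENTRALLINDQUISTTK using NTLM
05-05-06 09:33:27 Marshalling: OpenWorklist2
"""

ANON = r"NT AUTHORITY\\?ANONYMOUS LOGON"
LINE = re.compile(r"^(\d\d-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
AUTH = re.compile(r"^Authenticated (.+) using (\S+)$")
MARSHAL = re.compile(r"^Marshalling: (\S+)$")
IS_ANON = re.compile(rf"^{ANON}$", re.IGNORECASE)
DENIED = re.compile(rf"^{ANON} does not have permissions", re.IGNORECASE)


def find_anonymous_calls(log_text):
    """Return one finding per anonymous authentication in the log.

    Lines after an anonymous 'Authenticated' entry are attributed to it until
    the next 'Authenticated' entry (an assumption: the log is written in
    order and not interleaved between sessions).
    """
    findings = []
    current = None  # finding for the most recent anonymous logon, if any
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, msg = m.groups()
        auth = AUTH.match(msg)
        if auth:
            current = None
            if IS_ANON.match(auth.group(1)):
                current = {"time": stamp, "protocol": auth.group(2),
                           "operations": [], "denied": False}
                findings.append(current)
        elif current is not None:
            op = MARSHAL.match(msg)
            if op:
                current["operations"].append(op.group(1))
            elif DENIED.match(msg):
                current["denied"] = True
    return findings
```

A finding with `denied` set and a non-empty `operations` list matches the failure in this thread: the request reached the K2 server without the caller's identity.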

Don't forget to check your data source in IP. _K2 connectionstring, make sure it's pointing to the correct server.

If you have the K2.net Server and SharePoint (assuming you have the InfoPath form published to a SPS forms library) running on different machines, you will require Kerberos to delegate the user credentials between the servers. (A test would be to open the InfoPath form from the SPS machine.)

If this is the case see KB 123 article mentioned above.

SharePoint will also have to be configured with Kerberos (SPS SP2 is Kerberos-enabled by default). The following MS article describes how to enable SPS with Kerberos:

http://support.microsoft.com/?id=832769
