Symptoms

Recently received error that our K2 Service Account doesn't have permission to access a process. The service account is a Local Admin. As far as I know none of the group permissions have been changed with our Service account.

We can access K2 Designer from the server but when we attempt to access from the client machine, we get an error.

Just FYI on our environment: we have 2 domains: ABC and XYZ. ABC holds all the servers and XYZ holds the users machines. All ports are open through ABC. Only ports 80 and 443 are open between ABC and XYZ.


 

Diagnoses

In this situation, service accounts resided in the ABC domain, and end users resided in the XYZ domain.

We checked authorization settings and found anonymous windows authentication was enabled. We also noted we were not being redirected to the STS, as the STS site was running on port 81, which is blocked. We switched to anonymous forms and the redirect occured normally, but the identity site was unreachable. We discussed possible workarounds including using host headers to allow both sites to run on port 80, but ultimatley elected to return the settings to anonymous windows authentication.
We ran a select on the hostserver.securitylabel table, and found only ABC domain was configured.

 
 

Resolution

Via workspace, we added the netbios name and LDAP path for the XYZ domain, and the issue was resolved following a service restart.