Skip to main content
Hi all,

[Scenario 1]
I built a k2 smartform that user_A can search an email address of a specified user (target user) from the Active Directory (.NET framework), then the email address is passed to a k2 process data field, which in turn automatically sets the "Send-To" user in Destination Rule for the default client event. Then the SMTP service (in the default client event) sends to the target user a web-link about the pre-defined task (constructed by k2 smartform), and the target user is supposed to go to the web page, complete the task and send a notification back to the sender.

The problem occurred when the target user tried to open the web page, a message saying: domain/user_name is not allowed to open the worklist item. Any idea?

[Scenario 2]
However, in the Destination Rule, if I manually set the "Send-To" user (by dropping the same user as tested in scenario_1 from the Data Sources pane into Destination pane), then the target user is able to launch that web page correctly, to complete the task and send notification back to the sender.

In both cases, the target user has no problem to receive an email from the sender; the difference is: the target user doesn't have permission to open a worklist item in scenario_1, but can do in the scenario_2. Any idea why scenario_1 won't work?

Any help would be appreciated.

Thanks a lot,
Patrick
What does the username you pass in look like for scenario 1?
Is it an email address, is it just the user name or is it 'domainusername'?

Also, after the client event is created for scenario 1, open K2.net Service Manager | Worklist | Manage Worklist - have a look at the Destination User for the specific worklist item - is this what/who you've expected?

Make sure there's no leading/lagging spaces in your passed in username.

Regards,
Ockert
Hi Ockert,

Thanks for your reply. It was my mistake that passing an email address to the Send-To field. I changed that to domain/username this time, the whole workflow process only works for myself, not for other users though. I found this similar issue has been stated in KB123 article, but I got few more questions here:

1) In my case (please refer to my first post in this topic), what should I put for the K2ConnectionString in the web.config:
[option 1]
<add key="K2ConnectionString" value="[;];Authentication=Windows;Domain=;User=;Password=" />
Or [option 2]
<add key="K2ConnectionString" value="[;];Authentication=Windows;Domain=aDomain;User=aUser;Password=aPassword" />
Or ...?
For option2, does it mean to make connection to k2server under aUser everytime? But I tried option1 and option2 on my machine, both works fine, what are the differences? any constraint applied to other users?

2) In K2.net Server Registration Properties, there are 4 different security packages. What's the difference by choosing "Kerberos" or "Kerberos,NTLM"? and difference between "Kerberos,NTLM" and "NTLM,Kerberos"?


Regards,
Patrick
Patrick,

In Smartforms, we have three Authentication models namely:
1. IntegratedAuthentication;
2. ConfigAuthentication; and
3. ExternalAuthentication.

When IntegratedAuthentication is selected, the K2Connection string in the web.config is NOT used at all - the logged on user credentials is used.

When ExternalAuthentication is selected, you need to specify a Login page for the user to log in - mostly used for custom user managers.

Only when ConfigAuthentication is selected, the web.config's K2ConnectionString is used and yes - if you do specify a user credentials in this connection string, everything will be done in the context of this specified user.


The 4 Security Package selections is basically an order of preference of security packages to be used i.e.
"Kerberos" - The K2Mng (Service Manager) to K2Server connection will ONLY attempt Kerberos authentication.
"Kerberos,NTLM" - The K2Mng (Service Manager) to K2Server connection will FIRST attempt Kerberos authentication. On failure, NTLM authentication will be attempted.
"NTLM" - The K2Mng (Service Manager) to K2Server connection will ONLY attempt NTLM authentication.
"NTLM,Kerberos" - The K2Mng (Service Manager) to K2Server connection will FIRST attempt NTLM authentication. On failure, Kerberos authentication will be attempted.

Please Note that this selection DOES NOT specify a global security package to be used by K2.net Server - it only pertains to the connection between K2.net Service Manager and K2.net Server.

For a discussion around Kerberos and NTLM authentication, please refer to KB article #123.

Hope this helps,
Ockert
Hi Ockert,

Our process starts at sending user_A a SMTP notification where a web link is attached, then user_A clicks the link to launch the web page and selects and delivers (via SMTP) a task (another web link attached in the SMTP message) to a destination user (user_B); user_B then launches the web page and completes the task and sends report back to user_A. (picture 0)

There are few things I don't really understand:
1) My IIS and K2 server are in different machines (given that those web pages are running on my IIS), if user_A and user_B are set to myself, then the whole process is working fine, but for other users (their IIS and K2 server are also in different machines) they can't:
NT AUTHORITYANONYMOUS LOGON is not allowed to open the worklist item
however I have enabled Kerberos authentication in K2 service manager (picture 1) and server setting in the K2 studio (picture 2).
Any idea?

2) Before I changed the security package, that field was blank, nothing specified there at all, but after I made change to Kerberos, we had permission problem at viewflow:
domainusername does not have permissions to view the process K2ROM at ...
however, it worked before, the only modification i made is changing the blank security package field to Kerberos. The thing is I can viewflow of the process completed at couple days ago; when I started a new run today, I got that error. Any idea?

3) In the k2 workspace, I found it didn't pick up the current process, and there was a corresponding entry in K2 db, but not in K2Log db. Would be anything wrong in the K2LogServer? Any idea?

Welcome any suggestion.

Thanks a lot!!!
Patrick

Reply