Symptoms

Diagnoses

Resolution

The "The specified directory service attribute or value does not exist." error that we saw when redirecting to the WindowsSTS usually occurs when the application pool accountk2 service account (same in your case) does not have "Read" rights on certain levelsobject in the domain. K2's WindowsSTS uses the "System.DirectoryServices" code similar to below to retrieve attributes from account that authenticates with K2:

using System
using System.Collections.Generic
using System.Linq
using System.Text
using System.DirectoryServices.AccountManagement
using System.DirectoryServices

namespace TestInvalidCreds
{
class Program
{
static void Main(stringi] args)
{
PrincipalContext pc = new PrincipalContext(ContextType.Domain, "dc163608.local")
UserPrincipal up = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, "InnerUser")
}
}
}

Base one some posts below, this error usually occurs if the K2 service account/application pool account does not have "Read" rights to the "Users" CN, "Computers" CN, or any custom CNs/OUs that would contain accounts accessing K2.

Error can occur if does not have "Read" rights to the "Users" CN:
http://blogs.msdn.com/b/dsadsi/archive/2009/08/28/getting-an-exception-the-specified-directory-service-attribute-or-value-does-not-exist-when-you-try-to-search-a-user-in-an-ad-container-using-system-directoryservices-accountmanagement-userprincipal-findbyidentity.aspx

Error can occurs if does not have "Read" rights to the "Computers" CN:
http://www.out-null.eu/2014/07/20/comexception-0x8007200a-the-specified-directory-service-attribute-or-value-does-not-exist/

"Read" rights can be granted using the "Advanced Features" option in the ADUC console:
http://kpytko.pl/2012/05/16/active-directory-rights-delegation-overview/