Symptoms
REQUEST:
------------
We are looking for help to diagnose if problems exist with K2 services or smartobjects. Smartobjects seem to be returning data inconsistently.
ENVIRONMENT:
-----------------
We have a DMZ housing an extranet domain controller and one SharePoint server (all roles).
Content is served from a DB in our internal network.
The K2 server sits in the internal network.
We have a bidirectional forest trust (the extranet domain is DomainA.LOCAL, the internal domain is DomainB.LOCAL).
Our SharePoint extranet has one parent site collection and multiple 'child' site collections that supply data via smartforms. We are experiencing intermittent success/failure for these child pages. The smartforms pull content via SQL Server smartobjects; there is a linked server connection.
BACKGROUND:
-----------------
We added a domain controller to our internal network 1-2 months ago. We noticed some DNS problems this morning: the new DC had missing forwarder records and wasn't connecting to the external DC via the trust. We feel that problem has been resolved.
Despite clearing that up, extranet testing still results in mixed success.
When our extranet farm is accessed from the Internal network, everything works fine.
When accessed from a server that sits in our DMZ (simulating an external client), it works intermittently, for accounts from both forests/domains. When accessed via a 3G external connection, it also works intermittently.
Diagnoses
During the meeting, we were able to verify that the value of the logged-in user is being cached when a customer accesses the SharePoint site via the TMG proxy.
Resolution
What is likely happening on the TMG proxy is that clients' credentials are being cached. Microsoft provides two options by default: one for untrusted workstations and another for private computers. I suspect that our customized login form is using the second option. That would explain the 'false' impersonation. We have yet to verify this, and it is unlikely to occur at an external user's computer, since they would always use the same login (unless it is a shared system). The caching is likely only extended anyway, not indefinite.
The second behavior is that the views that are not working for us are security trimmed: the executing user's membership in a database role determines what information (if any) they have access to. We had temporarily escalated the K2 service account to have sysadmin rights on our LOB database that uses these roles. In forgetting to remove that privilege immediately, the role-based security ceased to function.
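The following T-SQL is an added illustration, not part of the original support case: it shows the kind of role-trimmed view described above, the audit query that reveals a service account still holding sysadmin, and the removal of that escalation. Table, role and login names (dbo.Orders, RegionA_Readers, DomainB\svc_k2) are assumed placeholders.

```sql
-- Constructed example. A role-trimmed view: rows are returned only when the
-- executing user is a member of the database role that guards the data.
CREATE TABLE dbo.Orders (OrderId int PRIMARY KEY, Region nvarchar(10) NOT NULL, Amount money NOT NULL);
CREATE ROLE RegionA_Readers;
GO
CREATE VIEW dbo.vw_OrdersTrimmed AS
SELECT o.OrderId, o.Region, o.Amount
FROM dbo.Orders AS o
WHERE o.Region = N'A' AND IS_MEMBER('RegionA_Readers') = 1;
GO

-- Audit: which logins currently hold sysadmin? As the case above reports, a
-- service account listed here is no longer constrained by the role check in
-- the view, so every login in this result should be justified.
SELECT m.name AS member_login, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- Verify from the service account's point of view (caller needs IMPERSONATE
-- on the login). is_sysadmin = 1 means the temporary escalation is still in place.
EXECUTE AS LOGIN = N'DomainB\svc_k2';
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,
       IS_MEMBER('RegionA_Readers')  AS in_regiona_role;
REVERT;

-- Remediation: drop the temporary sysadmin membership and grant only the
-- database role the service account actually needs.
ALTER SERVER ROLE sysadmin DROP MEMBER [DomainB\svc_k2];
CREATE USER [DomainB\svc_k2] FOR LOGIN [DomainB\svc_k2];
ALTER ROLE RegionA_Readers ADD MEMBER [DomainB\svc_k2];
```

Run the audit query again after remediation; the service account should no longer appear, and the trimmed view should return rows only for users in RegionA_Readers.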