
I am trying to track down an error where a call that is made to the K2SPListItems web service on the SharePoint box fails with a 401 / not authorized.


I can see why it's a 401 - there is no user name passed in with the SOAP request, so it is being treated as anonymous and rejected.  But I can't understand where the anonymous is coming from.  Kerberos appears to be working fine (for instance, all accesses to SQL Server happen via Kerberos and all the event id 540's show Kerberos).


One thing I noticed on the K2 log is that all of the Execute SmartObject steps in my system run under anonymous:



10040 SmartObjects ExecuteSmartObjects Debug SourceCode.SmartObjects.Runtime [Byte[] ExecuteInstance(Byte[], Boolean, System.Data.DataTable)] 10040 Execution request received. anonymous 0.0.0.0 MultiK201: c:\program files (x86)\k2 blackpearl\Host Server\Bin 885867


So my question is: is that normal or is that part of my problem?  (I should add that the SharePoint web service access is happening inside a SmartObject process.)


Does anyone know where the SmartObject process actually runs and if there is a way to make it run under the K2 Host process id?


Thanks

Are you running MOSS 2007 SP1? If so, please refer to the following hotfix from Microsoft:


http://support.microsoft.com/kb/941470


Vernon


Let's say I'm running the hotfix as well as SP2 - now what would you suggest?


Hi Jonathan,


The anonymous message you see in the log file is not the identity executing the SmartObject. It simply implies that the source for the message is not set.


To answer your question, the SmartObject service runs under the K2HostServer service account and the way you register the Service Instance will indicate how the authentication will work. By default, the SharePoint service instance for example will have "Impersonate" enabled, which means that the account executing the SmartObject method will be delegated to perform the action on SharePoint. If the "Impersonate" option is NOT set it will perform the action on SharePoint using the K2HostServer service account therefore not delegating any credentials. If you are using the SharePoint service instance you need to ensure that the delegation from the K2 Service Account to the MOSS Service account is correctly set up.


How exactly are you executing the SmartObject? From InfoPath, Custom WebApplication or directly from the Workflow?


Thanks,


Gert


Thanks for the comprehensive reply.  I am running a fully patched SP2 server and I have got the SmartObject set to Impersonate.  I am not the developer on this one, so I am not sure where it is being run from - I think Workflow, but could be from a custom .aspx in SharePoint (we are not using InfoPath) - exposing my ignorance here, but does it make a difference?


All my delegation is currently unconstrained (so allow delegation to any Kerberos service).


Something else I have noticed is that the authenticating messages that pop up on the console (when running in console mode) mostly say "authenticating - Kerberos", but occasionally say "authenticating - NTLM".


And something else I noticed when checking this is that when pressing OK on the "Edit Service Instance" box, I get a 401 unauthorised message (even though I am working on the K2 server as the K2 installation account).


Looking at my event logs (with Kerberos logging on), the only error recorded is a KDC_ERR_BADOPTION for the host SPN (host/server.fqdn).  I have also got this in my lsass.log:


432.3936> Kerb-Warn: KerbGetTgsTicket failed to unpack KDC reply: 0x3c
432.3936> Kerb-Warn: Failed S4Uproxy request c00000bb(4)


but since I am not using constrained delegation I am not sure it matters.


But please let me know if I am wrong.


Thanks for the help so far.


Andrew


A common cause of strange authentication issues is the loopback check; you can try to disable it:


http://support.microsoft.com/kb/896861.


Hi Andrew,


I've also seen the exact same result in some customer environments because Protocol transition is not enabled for delegation TO the SharePoint Service Account. One scenario that I have seen this to be a requirement is where you have the K2 Workspace and K2 Server running on the same server and MOSS on a different WFE and the authentication is done through NTLM to the K2Server from the Workspace. Then when trying to delegate to the MOSS Service Account Protocol Transition is needed to switch from NTLM to Kerberos. Obviously for this you would require constrained delegation.


To be sure if this will be needed and what other causes there might be for the kerberos issues you are seeing we would require the environment diagram. I.e Where K2 Server, Workspace and MOSS are running.


I would also recommend that you log a ticket with K2 Support, who have definitely run into this exact issue many times.


Please let me know if you need further help on this.


Regards,


Gert


Thanks Gert, I owe you one  (If you lived in London I'd buy you a beer!).


I had all the clues, but you pointed me in the right direction.  I had left everything 'unconstrained' because I thought that would make everything simpler.


To solve the issue I set constrained delegation on the K2Host user profile, gave it permission to "use any authentication protocol" and then added the SharePoint service account as an allowed delegatee (note: this is not mentioned in the installation notes).


I don't fully understand it, but I suppose when the SmartObject process is started, because it is on the same server as the K2Host process, it is launched/authenticated as NTLM.  When it goes out to the SharePoint box though, it is now on the 2nd hop, and it needs to be able to switch from NTLM to Kerberos.


Andrew
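The configuration Gert described (constrained delegation with protocol transition from the K2 service account to the SharePoint service account) and the fix Andrew applied above, written out as an Active Directory PowerShell script. This is an added example, not code from the thread or from K2; the account names `K2Host` and `MOSSAppPool`, the WFE name `moss.corp.example` and the domain are assumptions, and the script needs the RSAT ActiveDirectory module and rights to modify the K2 service account.

```powershell
# Added example (not from the thread or from K2): set up and verify constrained
# delegation with protocol transition for the K2 Host Server service account.
# Account names, the SharePoint WFE FQDN and the domain are assumptions.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$k2Account   = 'K2Host'             # assumed sAMAccountName of the K2HostServer service account
$mossAccount = 'MOSSAppPool'        # assumed sAMAccountName of the SharePoint service account
$mossFqdn    = 'moss.corp.example'  # assumed FQDN of the SharePoint WFE

# 1. Constrained delegation targets are SPNs, not accounts, so the SharePoint
#    service account must already hold the HTTP SPN for the WFE. Fail early if not.
$mossSpns   = (Get-ADUser -Identity $mossAccount -Properties servicePrincipalName).servicePrincipalName
$targetSpns = @($mossSpns | Where-Object { $_ -like "HTTP/$mossFqdn*" })
if ($targetSpns.Count -eq 0) {
    throw "No HTTP/$mossFqdn SPN is registered on $mossAccount; register it with setspn before delegating to it."
}

# 2. Turn off unconstrained delegation ("any Kerberos service") and turn on
#    protocol transition ("Use any authentication protocol"). Protocol transition
#    is what lets a first hop that arrived as NTLM (Workspace -> K2 Server on the
#    same box) be converted into a Kerberos ticket for the second hop (K2 -> MOSS).
Set-ADAccountControl -Identity $k2Account -TrustedForDelegation $false -TrustedToAuthForDelegation $true

# 3. Constrain the targets: msDS-AllowedToDelegateTo lists the only SPNs the K2
#    account may obtain S4U2Proxy service tickets for. -Replace keeps the list exact.
Set-ADUser -Identity $k2Account -Replace @{ 'msDS-AllowedToDelegateTo' = $targetSpns }

# 4. Verify. TrustedToAuthForDelegation must be True and the target SPNs present;
#    a KDC_ERR_BADOPTION on the S4U2Proxy request (as in the lsass trace earlier
#    in the thread) is the usual symptom when either is missing.
$k2 = Get-ADUser -Identity $k2Account -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
[pscustomobject]@{
    Account                   = $k2.SamAccountName
    UnconstrainedDelegation   = $k2.TrustedForDelegation        # should now be False
    ProtocolTransitionEnabled = $k2.TrustedToAuthForDelegation  # should now be True
    AllowedToDelegateTo       = ($k2.'msDS-AllowedToDelegateTo' -join ', ')
}
```

Run it once as a domain administrator, then restart the K2 Host Server service so it picks up the changed account flags. One caveat worth keeping in mind: with protocol transition enabled, the K2 account can request a service ticket to any listed SPN on behalf of any user without that user's credentials, so keep the msDS-AllowedToDelegateTo list to exactly the SharePoint SPNs that are needed and treat the K2 service account's password as a high-value secret.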

