Symptoms
The identity can't be resolved when an AD group is used to grant rights for a process. K2 is linked to several domains.
"2015-11-22 01:21:05::633", "Error", "GetUser:", "A referral was returned from the server.
", " at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
at System.DirectoryServices.DirectorySearcher.FindOne()
at ADUM.K2UserManager2.GetUser(String Name)", "Additional Information: ", "ForeignSecurityPrincipals Resolve(username)"
"2015-11-22 01:21:05::633", "Error", "GetUser:MemberOf in Cross Forest", "A referral was returned from the server.
", " at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
at System.DirectoryServices.DirectorySearcher.FindOne()
at ADUM.K2UserManager2.GetUser(String Name)", "Additional Information: ", "MemberOf Resolve(Domaingroupname)"
Diagnoses
1. Grant process View / Start rights to an AD user group.
2. The members of the AD user group can't be resolved to the table [K2].[Identity].[Identity].
3. We have a customized report, and the report access rights are based on the process View rights. So we query the table [K2].[Identity].[Identity] to check whether the user has View rights to the process or not.
4. We found that the users in the AD group can't be resolved. We use the app [Force Identity Refresh] provided by your consultant to refresh now, but it is just a contingency solution. We would like to know why the members of the AD user group can't be resolved. Or is there any other way to check the users' View rights for a certain process?
5. We found the same problem for Roles. If we add an AD user group to the Role, it can't be resolved either.
Please suggest a solution.
Resolution
Regarding the ADUM error log, the errors in the log are related to the resolution of ForeignSecurityPrincipals. A ForeignSecurityPrincipal is required when expressing a relationship between groups in the local forest and security principals that exist across an external or cross-forest trust.
You can set "Ignore Foreign Principals" to True and the messages will not be logged. In the Workspace Management Console:
- Expand the K2 Server node
- Expand the 'User Managers' node
- Expand the K2 node and select 'Settings'
- Check the 'Ignore Foreign Principals' checkbox and click 'Save'
- Restart the K2 Service
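Before suppressing the messages, it helps to confirm that the errors in the ADUM log really are the cross-forest referral errors described above and nothing else. The following is an added example, not K2 code: it assumes the seven-field quoted layout seen in the log excerpt, and the sample log (including its third record) is constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample in the layout of the ADUM log excerpt above:
# seven quoted fields per record, with fields that span several lines.
SAMPLE_LOG = '''"2015-11-22 01:21:05::633", "Error", "GetUser:", "A referral was returned from the server.
", " at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at ADUM.K2UserManager2.GetUser(String Name)", "Additional Information: ", "ForeignSecurityPrincipals Resolve(username)"
"2015-11-22 01:21:05::633", "Error", "GetUser:MemberOf in Cross Forest", "A referral was returned from the server.
", " at ADUM.K2UserManager2.GetUser(String Name)", "Additional Information: ", "MemberOf Resolve(Domaingroupname)"
"2015-11-22 01:22:10::101", "Error", "GetUser:", "The server is not operational.
", " at ADUM.K2UserManager2.GetUser(String Name)", "Additional Information: ", "Resolve(username)"
'''

def parse_records(text):
    """Yield one dict per record; csv copes with the multi-line quoted fields."""
    reader = csv.reader(io.StringIO(text, newline=""), skipinitialspace=True)
    for row in reader:
        if len(row) < 7:
            continue  # blank or truncated line
        ts, sev, source, message, stack, _label, detail = (f.strip() for f in row[:7])
        yield {"time": ts, "severity": sev, "source": source,
               "message": message, "stack": stack, "detail": detail}

def classify(rec):
    """'cross-forest' for referral errors raised while resolving a
    ForeignSecurityPrincipal or a cross-forest MemberOf; otherwise 'other'."""
    referral = "referral was returned" in rec["message"]
    cross = (rec["detail"].startswith("ForeignSecurityPrincipals")
             or "Cross Forest" in rec["source"])
    return "cross-forest" if referral and cross else "other"

def triage(text):
    """Count records per class and list the ones that still need a look."""
    counts, others = Counter(), []
    for rec in parse_records(text):
        label = classify(rec)
        counts[label] += 1
        if label == "other":
            others.append((rec["time"], rec["message"]))
    return counts, others

if __name__ == "__main__":
    counts, others = triage(SAMPLE_LOG)
    print(dict(counts))
    for when, msg in others:
        print("needs investigation:", when, msg)
```

Records reported as "other" are not explained by the ForeignSecurityPrincipal resolution described here and should be looked at separately.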