Symptoms
A user who had been working in K2 without any issues is suddenly unable to start workflows. The URM SmartObject cannot return group membership for the affected user, and the user is marked disabled in the Identity.Identity table.
The following error is logged in the K2 host server log:
64007 Provider did not return a result for K2:******** on GetUser
Re-enabling the affected user's account in the Identity.Identity table has no effect; it is set back to disabled again in less than a minute.
The user's account is still active (not disabled) in AD: the affected user can log into multiple machines and access network resources. Additionally, K2 can retrieve this user's groups through the AD Service2 broker; both GetUserDetails and GetGroupsByUser complete without error.
Diagnosis
Reviewing the verbose ADUM log (full logging enabled) while executing Get User Details from the UMUser SmartObject shows the following:
"Debug", "GetUser", "Initializing user resolving --> ********"
"Debug", "Translate:NameToDN: ", "Translating ********"
"Debug", "GetUser", "Name translated from ******** to CN=**** ****,OU=UserAccounts,DC=****,DC=corp,DC=microsoft,DC=com"
"Debug", "GetUser", "User ******** found"
"Debug", "GetUser", "Adding group ****Domain Users to user"
"Debug", "GetUser", "User ******** does have a memberOf property."
"Error", "GetUser:MemberOf", "The specified account does not exist", " at ADUM.Translate.DNToNam (String DN) at ADUM.K2UserManager2.GetUser(String Name)", "Additional Information: ", "MemberOf Resolve(CN=****,OU=***,DC=****,DC=corp,DC=microsoft,DC=com)"
"Debug", "GetUser", "Returning groups from memory cache."
The issue is caused by the way K2 resolves group membership: it reads the user object's memberOf property, which is a back-link of the group's member attribute, and then translates each distinguished name it finds back to a name (the DNToName step in the log). The affected user was a member of one specific group that had been hidden from the address book and carried Active Directory permissions preventing the K2 service account from reading it. The service account can therefore discover the group's DN through the back-link but cannot bind to the object, so the translation fails with "The specified account does not exist" and GetUser aborts. Because the provider then returns no result for the user (error 64007), the identity cache treats the user as disabled, which is why re-enabling the row in Identity.Identity is undone on the next refresh. This is a common scenario: large enterprise directories may contain many objects whose DNs the K2 service account can discover by reference but cannot query directly.
To fix this issue, changes were made in 4.6.11 so that the AD exception is no longer thrown and resolution no longer stops when a group cannot be queried directly by the K2 service account; the unreadable group is skipped and the remaining groups are returned. For earlier versions of K2, a coldfix is available on request from K2 support.
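The following PowerShell script is an added example, not K2 or ADUM code. It reproduces the diagnosis above using System.DirectoryServices (the same API ADUM uses): it translates the sAMAccountName to a DN, walks every memberOf back-link, and tries to bind to each group DN, optionally as the K2 service account. Instead of aborting on the first unreadable group as pre-4.6.11 ADUM did, it records that DN and continues, which is the behaviour of the 4.6.11 change. The parameter names, the placeholder account names in the comments and the output shape are assumptions for this example.

```powershell
# Added example (not K2/ADUM code): resolve a user's memberOf back-links the way ADUM does,
# but tolerate groups the bound account cannot read and report them instead of failing.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # the affected user, e.g. 'jdoe' (hypothetical)
    [string] $K2ServiceAccount,                         # e.g. 'CORP\svc-k2' (hypothetical); omit to use the current logon
    [System.Security.SecureString] $Password            # password for $K2ServiceAccount, if given
)

# Helper: build a DirectoryEntry, bound as the K2 service account when one was supplied
function New-DirEntry([string] $Path) {
    if ($K2ServiceAccount) {
        $bstr = [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($Password)
        try {
            $plain = [Runtime.InteropServices.Marshal]::PtrToStringUni($bstr)
            return New-Object System.DirectoryServices.DirectoryEntry($Path, $K2ServiceAccount, $plain)
        } finally {
            [Runtime.InteropServices.Marshal]::ZeroFreeGlobalAllocUnicode($bstr)
        }
    }
    return New-Object System.DirectoryServices.DirectoryEntry($Path)
}

# Step 1: NameToDN - locate the user object by sAMAccountName in the default naming context
$rootDse   = New-DirEntry "LDAP://RootDSE"
$defaultNc = $rootDse.Properties["defaultNamingContext"][0]
$searcher  = New-Object System.DirectoryServices.DirectorySearcher((New-DirEntry "LDAP://$defaultNc"))
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
[void]$searcher.PropertiesToLoad.AddRange(@("distinguishedName", "memberOf"))
$result = $searcher.FindOne()
if (-not $result) { throw "User '$SamAccountName' not found under $defaultNc" }
$userDn = $result.Properties["distinguishedname"][0]
Write-Host "Name translated from $SamAccountName to $userDn"

# Step 2: DNToName for every memberOf back-link. Binding to a DN the bound account has no
# read permission on throws "The specified account does not exist"; pre-4.6.11 ADUM stopped
# at that point, which is what disables the user. Here the failure is recorded and skipped.
$resolved   = New-Object System.Collections.Generic.List[string]
$unreadable = New-Object System.Collections.Generic.List[string]
foreach ($groupDn in $result.Properties["memberof"]) {
    $group = New-DirEntry "LDAP://$groupDn"
    try {
        $group.RefreshCache(@("sAMAccountName"))   # forces the bind; fails if the object is not readable
        $resolved.Add([string]$group.Properties["sAMAccountName"][0])
    } catch {
        Write-Warning "Cannot resolve $groupDn as the bound account: $($_.Exception.Message)"
        $unreadable.Add($groupDn)
    } finally {
        $group.Dispose()
    }
}

# Output: the groups ADUM would return after the 4.6.11 change, plus the DNs that caused the error
[pscustomobject]@{
    User           = $SamAccountName
    ResolvedGroups = $resolved
    UnreadableDns  = $unreadable
}
```

Run it twice: once as an account with full read on the directory and once as the K2 service account. Any DN that appears in UnreadableDns only in the second run is a group the service account can discover through the back-link but cannot bind to, which is exactly the object that makes ADUM fail before 4.6.11. Note that the primary group (Domain Users in the log above) is not part of memberOf and is added by ADUM separately, so it will not show up in either list.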
Resolution
This is a known issue with ADUM that has been fixed in K2 4.6.11. For earlier versions, a coldfix is available through a K2 support request.