Skip to main content


 

Symptoms

 


User getting the following error on attempt to start workflow:

"24408 K2:DOMAINUser from mIP:PORT] does not have rights to Start Process sPROCESS NAME]"

User is included in Domain Users group which has been granted required rights.
 

 

Diagnoses

 


It is necessary to check whether URM SmO is able to resolve this user, if not then most likely this user is disabled in K2 identities cache (Identity.Identity table).
You may observe that certain users keep become disabled all the time. There are number of known issues with K2 4.6.9 ADUM when in certain scenarios users become disabled in identity tables, for example you may see user being disabled when:

- If Organizational Unit where this user is located contains "/" symbol in its name
- When ADUM unable to access group to resolve the user

 

 

 

In addition to 24408 error you may also see 64007 error in K2 host server logs:

 

 

 

"Error","IdentityService","64007","IdentityServiceError","IdentityService.ProviderCacheIdentity:RoleProvider.GetUser",
"64007 Provider did not return a result for K2:Domain_NameUser_Name on GetUser","anonymous","0.0.0.0",

 

 

 

For the case when OU contains "/" in its name you can confirm this by related entries in ADUM logs, they normally will contain entries similar to this:

 

 

 

"Error", "GetDirectoryEntry", "Unbekannter Fehler (0x80005000)", " in System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   in System.DirectoryServices.DirectoryEntry.Bind()
   in System.DirectoryServices.DirectoryEntry.RefreshCache()
   in ADUM.K2UserManager2.GetDirectoryEntry(String path)", "Additional Information: ", "GetDirectoryEntry(LDAP://CN=User Name,OU=Organizational Unit /Name,DC=company,DC=local)"

All these issue addressed in ADUM coldfix available by request from K2 support.
 

 

Resolution

Either try to remove "/" or "*" symbols in OU/groups names for affected users, as well as make sure that K2 service account has sufficient access to any group. Alternatively you may request a coldfix for K2 4.6.9 which may help to prevent disabling of users in K2 in aforementioned scenarios.

 

 



 
Be the first to reply!

Reply