Symptoms
Suppose the following situation - some users are unable to access K2 SmartForms and receive the following error:
An error occurred trying to authenticate the user
Details: System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index
   at System.Collections.ArrayList.get_Item(Int32 index)
   at System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.MoveNextMemberSearcher()
   at System.DirectoryServices.AccountManagement.ADDNLinkedAttrSet.MoveNext()
   at System.DirectoryServices.AccountManagement.FindResultEnumerator`1.MoveNext()
   at SourceCode.Security.Claims.Sts.Windows.Controllers.wsFedController.Index()
In the IIS logs the same error message, with the same details returned by the server, can be seen:
/Identity/STS/Windows/Error?Error=An error occurred trying to authenticate the user.
Response code fields: 401 2 5 62 (401 - Access Denied; substatus 2 - Denied by Server Configuration).
Diagnoses
K2 4.6.9 introduced group resolution, which adds the group's name to the claim so that IIS can use this information to authorize a user who belongs to that group.
It is possible to restrict access to SmartForms to users in specific roles by configuring authorization rules in the web.config of the SmartForms application (please refer to K2 KB001309 for details).
With the new STS authentication, users are directed to the STS, authenticated there, and then returned to the SmartForms application as expected. For group-based authorization to work, the STS must be able to perform group resolution: if the STS does not resolve the groups on the claim, IIS cannot authorize on groups carried in the claim. In 4.6.9 the STS resolves the user's groups and adds this information to the claim so that IIS authorization can work with the claim at group level.
For this group membership resolution to work correctly, the STS must have access to AD DS, and the K2 Identity web application pool account must have at least read access to all groups in your domain so that it can resolve group membership for users.
When there are issues with AD DS (e.g. a domain controller is down or unreachable) or with permissions on groups, you will see the exceptions described above and users will not be able to access K2 SmartForms.
A diagnostics utility is available on request from K2 support; it produces the full list of groups on which the K2 Identity web application pool account has no read permission.
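The following PowerShell script is an added example and is not K2's diagnostics utility. It approximates what such a check needs to do: for every group in which an affected user has direct membership, it reads the group's security descriptor and reports the groups on which the application pool account has no property-wide Allow ACE granting read access (a Deny ACE for the account or one of its groups wins). It requires the RSAT ActiveDirectory module; the account and user names are placeholders, and the effective-permission logic is a simplification of the real Windows access check (no inheritance or property-set evaluation).

```powershell
# Added example (not K2's own tool): list the user's direct groups that the
# K2 Identity application pool account cannot read. Placeholders: 'affected.user'
# and 'svc-k2identity' must be replaced with real sAMAccountNames in your domain.
Import-Module ActiveDirectory

# Well-known SIDs that frequently carry read access on directory objects.
$WellKnownReadSids = @(
    [System.Security.Principal.SecurityIdentifier]'S-1-1-0',   # Everyone
    [System.Security.Principal.SecurityIdentifier]'S-1-5-11'   # Authenticated Users
)

function Get-EffectiveSids {
    # SID of the account plus the SIDs of every group it belongs to, with nested
    # membership resolved by the LDAP_MATCHING_RULE_IN_CHAIN filter.
    param([Parameter(Mandatory)][string]$AccountSamAccountName)
    $account = Get-ADUser -Identity $AccountSamAccountName
    $groups  = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($account.DistinguishedName))"
    @($account.SID) + @($groups | ForEach-Object { $_.SID }) + $WellKnownReadSids
}

function Test-ReadAccessOnObject {
    # Approximate effective read access of the given SIDs on one directory object:
    # an explicit Deny on a read right returns $false immediately; otherwise at
    # least one property-wide Allow ACE with GenericRead/ReadProperty is needed.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier[]]$Sids
    )
    $readRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $allowed = $false
    foreach ($ace in $acl.Access) {
        try   { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }   # orphaned or untranslatable principal, cannot apply to us
        if ($Sids -notcontains $aceSid) { continue }
        if (($ace.ActiveDirectoryRights -band $readRights) -eq 0) { continue }
        # ACEs scoped to a single attribute or property set (ObjectType set) are
        # ignored here; only object-wide read ACEs are counted in this approximation.
        if ($ace.ObjectType -ne [Guid]::Empty) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

function Find-GroupsWithoutReadAccess {
    # For every group the user is a direct member of (memberOf; the primary group
    # is not listed there), report those the service account cannot read.
    param(
        [Parameter(Mandatory)][string]$UserSamAccountName,
        [Parameter(Mandatory)][string]$ServiceAccountSamAccountName
    )
    $sids = Get-EffectiveSids -AccountSamAccountName $ServiceAccountSamAccountName
    $user = Get-ADUser -Identity $UserSamAccountName -Properties memberOf
    foreach ($groupDn in $user.memberOf) {
        if (-not (Test-ReadAccessOnObject -DistinguishedName $groupDn -Sids $sids)) {
            [pscustomobject]@{
                User           = $UserSamAccountName
                Group          = $groupDn
                ServiceAccount = $ServiceAccountSamAccountName
            }
        }
    }
}

# Run against one affected user and the Identity application pool account (placeholders).
Find-GroupsWithoutReadAccess -UserSamAccountName 'affected.user' `
                             -ServiceAccountSamAccountName 'svc-k2identity' |
    Format-Table -AutoSize
```

Run it as an account that can read the security descriptors of the groups (the check reads ACLs, it does not change them). Every group it prints is a candidate for option (1) below; an empty result for a user who still gets the error points at AD DS availability rather than permissions.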
Resolution
There are a number of options to resolve this (from most to least preferable):
1) Address the lack of privileges by granting read access for the K2 Identity web application pool account to all groups in the domain (strictly speaking, to all groups in which K2 users have direct membership).
2) If for some reason permissions cannot be set on some groups as described in point (1), you may replace the direct membership of K2 users in such a group with membership through an additional group to which the Identity web application pool account has access.
3) A coldfix is available on request which adds an option to revert group resolution on the claim to the 4.6.8 behavior, where IIS would not attempt to resolve the user's groups. It also has a handler for the "server down" exception: if the AD DS server is down, it will still authenticate the user but will not resolve the groups onto the claim, so the user is authenticated on SmartForms but IIS cannot use the groups for authorization, as in 4.6.8. This functionality should be included in 4.6.11 (as always this is preliminary information and subject to change) and will allow a configuration setting to optionally disable group resolution.