Updating the K2 Service Account Password in K2 after resetting in AD

  • 15 February 2022
  • 0 replies

Userlevel 4
Badge +16


Updating the K2 Service Account password in K2 after resetting in AD

This article was created in response to a support issue logged with K2. The content may include typographical errors and may be revised at any time without notice. This article is not considered official documentation for K2 software and is provided "as is" with no warranties.


After updating the K2 Service account due to an Active Directory Policy or alternative reason, the password needs to be updated within the K2 Product as well.  K2 does not know the password has been changed in AD and has the old password cached.

Before You Begin

Before starting, ensure that this is done during downtime. You will need to run the K2 Setup Manager for Blackpearl and SmartForms which does a K2 Blackpearl Service and IIS Reset. This restart can cause a minor interruption for users/developers.

Takes notes whether or not this account is used across multiple K2 Environments. If the same account is used elsewhere the same steps will most likely need to be done on other K2 environments as well.

Also, take note of any other applications outside of the K2 Product in which this could also be used to see if they have any caching mechanisms that might not update.

How-to Steps

The best starting point is to go through the K2 Blackpearl and K2 SmartForms Setup managers (Configure Option).

Find these in the Start Menu > K2 Blackpearl location. They can also be found within the install directory under Setup > K2 SmartForms Setup Folders.



If you are on K2 Five and up, the setup managers for Blackpearl and SmartForms have been consolidated into one Setup Manager. This is located under K2 > K2 Setup Manager on your Start menu. Or you can also get to it via the file path "C:Program FilesK2SetupSetup.exe". You only need to run this setup manager to update the accounts and their respective credentials.

When going through the Setup Managers you will be presented with the screen shown on the documentation link below:

K2 Blackpearl 4.7:

K2 Five:

Add the correct password and test to make sure it is valid.


After updating the Setup Manager they should now have correctly updated the Service Account Password across K2.


Most commonly, after the password is changed in AD but not in K2, the K2 Service account will get locked out within Active Directory. If this behavior appears within K2, double check the following locations to ensure that there are no other locations that are storing the old password as cached data:


1. The SSO credentials are stored if someone has specifically cached them within K2 Workspace. These credentials are encrypted and stored within the K2 DB under the [HostServer].[SecurityCredentialCache] table. Run the following update query to remove the old password from this table:


UPDATE [HostServer].[SecurityCredentialCache] SET Password = 0

WHERE UserName = 'DENALLIXK2Service'


Next, re-cache the credentials via the SSO cache page of Workspace. This will then store the correct new password that will need to be supplied.


2. Check the email connection strings that also use the K2 Service account. Verify that the password is correct by going to:


[Install Directory]K2 blackpearlHost ServerBinConnectionStringEditor.exe

K2 Five Directory path is "C:Program FilesK2Host ServerBinConnectionStringEditor.exe"

Check that all noted connection strings using the K2 Service account does have the proper password.


3. Control Panel > Credential Manager. Check if there are any Windows and/or Web Credentials stored on the machine for the relevant account.


4. If the account is running an App pool in IIS, it could have cached credentials.


Go into IIS > App Pools > right-click on App Pool > Advanced Settings > Process Model > Identity > click Ellipses next to username > click Set Button.

Re-add the correct credentials and then click Save. Do an IISreset to cement the change and then check that the browser loads properly.


5. Check any Service Instances using Static Credentials for that Service account.

Edit the Service Instance and update the password manually by using the K2 Management site. You can edit the service instances on K2 Management underneath Integration > Service Instances, click on a service instance and then click the Edit button.


Once verified that the above settings are all set with the correct password, start searching outside of K2 for anything else that could be locking out this account within AD.


Additionally, check the Event Logs on the Domain Controller to figure out the exact location of where the account was hitting and getting locked out:


0 replies

Be the first to reply!