How to speed up Identity Cache when making IIS changes?

  • 12 January 2017
  • 4 replies
  • 5 views

Userlevel 3
Badge +16

Hi all,

Changed IIS on my Dev box to lock down Designer, so changed the IIS Authorization Rule to an AD Group (there is a bug which won't use the AD Group name, so used the Group SID, which I know works, but that's another story).

Later I added a new user to the AD group and I get "K2 smartforms - Not authorised"... If I wait a couple of hours or a day, the user will be allowed in.

My question is, what if I want that user to get access immediately when I've added the new user to this AD group?

I tried using the identitycacherefresh tool, which had absolutely no impact.

Restarted IIS, K2Server service, still no joy.

I used the Smartobject tester to ensure the user has appeared in the Usersbygroup and Groupusers Smartobjects, and they are fine and contain the new user's membership.

So I was wondering if there was any other way to manually fast-track the synchronization?

4 replies

Badge +4

This may have something to do with cached logon tokens.  Try this:

  • Add the user to the group
  • Ask the user to log out of their PC/laptop and then back in
  • Have the user try to get into Designer

Userlevel 3
Badge +16

Hi ste,

Tried that, same error. Even tried getting the user to restart the entire machine and log in, still no joy.

Tried all the smartobject methods in the test tool and everything looks fine there.

Anything else? Is there somewhere else that needs time to get populated in K2 before an IIS Authorisation Rule is synced?

The weird thing is... if I change the IIS Authorisation Rule back to All Users, the user can log in instantly, no re-login, no IIS reset and no K2 service restart needed.

Badge +4

"Is there somewhere else that needs time to get populated in K2 before an IIS Authorisation Rule is synced?"

There should not be anything at all in K2 that impacts IIS Authorization. K2 lives on top of IIS and thus IIS is independent of K2. Adding an authorization rule in IIS Manager should take effect immediately.

What is the issue preventing you from using group names? Is there a KB link or some other "known bug" URL that describes the issue? My K2 development VM doesn't have any issues using group names (e.g. denallixSales). [I have never tried to use SIDs in IIS authorization rules... I wouldn't want to start either. SIDs are difficult to use because you don't know what group they represent.]

What type of authentication is configured for Designer in your environment? Integrated Windows? Forms? SAML?

Userlevel 3
Badge +16

Hi Ste,

Using forms auth + anonymous for Designer and Windows for Runtime.

I originally tried using AD Groups using their names, but nothing worked. K2 have confirmed it is still a bug... still present in v4.7!!!

The article with the workaround is here: http://community.k2.com/t5/K2-blackpearl/How-to-restrict-AD-groups-access-to-the-K2-Smartforms-Designer/ta-p/89062

This works, but say if I add a new user to my AD Group (the one I'm taking the Group SID from), it takes well over a day or longer for that user to access Designer.

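The script below is an added example, not code from the thread or from K2. It lists the role entries in an application's IIS authorization rules, translates any group SID back to its group name so the rule stays reviewable, and reports whether a given user is currently a direct or nested member in AD. The site path and user name are placeholders, and the WebAdministration and ActiveDirectory modules are assumed to be installed.

```powershell
# Added example: placeholders below are not values from the thread.
Import-Module WebAdministration
Import-Module ActiveDirectory

$PsPath = 'IIS:\Sites\<site>\<designer-app>'   # placeholder: the locked-down application
$User   = '<samAccountName>'                   # placeholder: user just added to the group

# Each <add> element under system.webServer/security/authorization is one rule.
$rules = Get-WebConfiguration -PSPath $PsPath `
    -Filter 'system.webServer/security/authorization/add'

$report = foreach ($rule in $rules) {
    $roles = $rule.roles -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($role in $roles) {
        $isSid = $role -match '^S-1-\d+(-\d+)+$'
        $name  = $role
        if ($isSid) {
            # Rule was written with a SID: resolve it to DOMAIN\Group for review.
            try {
                $sid  = [System.Security.Principal.SecurityIdentifier]::new($role)
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = '<unresolved SID>' }
        }
        # Directory view only: is the user a member (including nested groups) now?
        $isMember = $null
        try {
            $id = if ($isSid) { $role } else { $role -replace '^.*\\' }
            $isMember = [bool](Get-ADGroupMember -Identity (Get-ADGroup -Identity $id) -Recursive |
                Where-Object SamAccountName -eq $User)
        } catch { }   # group not found or AD unreachable: leave as $null
        [pscustomobject]@{
            AccessType       = $rule.accessType
            Role             = $role
            ResolvedName     = $name
            UserIsMemberInAD = $isMember
        }
    }
}
$report | Format-Table -AutoSize
```

This reports what the directory says at the time it runs. It does not show what a cached logon token or identity cache currently holds for that user.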