SharePoint 2013 Claims Integration with K2 blackpearl API through WCF

M
Badge

I have a project in SharePoint 2013 and we plan to interact with K2 Process by using K2 API in WCF. The WCF is deployed under sharepoint context _vti_bin. When opening the K2 connection from the wcf it throws an error "Value cant be null Parameter Name Token". This error suggest that claims authentication should be configured in K2, which I have already configured.

Base on this report

 

http://community.k2.com/t5/K2-blackpearl/Connection-of-K2-in-SharePoint-throws-Value-cant-be-null/td-p/68280/page/2.

It seems like esp 2013 claims integration with K2 blackpearl is not supported, is it true? It stated that K2 suggested a manual fix by executing some script directly in K2 database.

 

Kindly suggest a way to integrate with K2 throgh API using WCF hosted in SharePoint 2013 _vti_bin. If possbile we call the WCF from SharePoint classic visual web part and not from app web part.


My Enviroment:

Windows Server R2
SharePoint 2013 Enterprise
K2 Blackpearl 4.6.9

2 replies

M
Badge +10

Hi Marlon,


 


I think I can shed some light on what's happening here.


 


In sharepoint 2013, with the new app model, K2 no longer communicates with sharepoint using claims, and instead, uses Oauth High Trust certificates to handle that communication.  Due to the app model in SP2013, it is no longer needed to add the sharepoint security token service as a claims issuer as far as K2 is concerned.  In sharepoint 2010 as part of the sharepoint 2010 integration setup we configure the sharepoint STS, but again, with 2013, this is no longer needed for the out of the box functionality, so, we no longer configure it.


 


That being said, in the situation you are running into, you will need to add the sharepoint STS to your claimissuers, and provide it's thumbprint, in order to give K2 the ability to open incoming claims from sharepoint 2013.  K2 is not a relying party in this case as it was in 2010, as now, with 2013, sharepoint is the only relying party for the sharepoint STS.  With the thumbprint however, K2 is able to open those claims and get information out of them.


 


The particular post you referenced is an interesting one.  There was a script in that post, however, that script did several unsupported things and made modifications to the K2 database, therefore it was removed.


 


Realistically, what needs to be done is as follows:


Go to your sharepoint machine, execute the following via sharepoint 2013 management shell:


(Get-SPServiceApplication -Name SecurityTokenServiceApplication).SigningCertificat​eThumbprint

This should retrieve the thumbprint of the certificate you need. There are forms that have been created to allow you to interact with claims configuration without need of playing with the database directly.


 


Go to K2 Designer -> All Items -> System -> Management -> Security -> Forms -> Manage Issuers (run this form)


 


The remainder of the setup can be completed by adding a new issuer via the add button, I'll let a screenshot do the talking here.


 


16104iBF7D096D322D8FCA.png


 


 


Now, once that's done, we should be able to open tokens generated by that STS.  The beauty of going the forms route here as opposed to the SQL scripts is that no server/service restart is required.


 


 

G
Badge

Create SharePoint STS Trust with K2

  • SharePoint 2010 components require that K2 trust the SharePoint STS. Since the installer has not been creating the trust relationship for me, below are my steps to manually configure K2 to trust SharePoint.

  • First, lets make sure we are working of the correct issue. The instruction sbelow deal with an issue that manifests as failures in the K2 SharePoint Configuration page  as a blank environment dropdown and a failure to run the configuration
  • A blank environmental dropdown field in a SP 2010 for 2013 K2 site is the most obvious sign of an STS trust failure.

  • If the Configuration is attempted with the blank environment, ULS Log errors will show errors similar to the following

    SPApplicationAuthenticationModule: Authorization header doesn't contain Bearer, can't try to perform application authentication.
    The Request Management Service is offline or unprovisioned. Request Management is disabled. Status = {0}
    SPAce PrincipalName found account renamed to NULL SID. Using new name.
    Cannot find site lookup info for request Uri urn:schemas-microsoft-com:sharepoint:service.

 

  • There are two steps required to make the SP 2010 components function:
  1. Add Claims mappings to K2HostServer.exe.config
  2. Create a SharePoint STS trust in K2

Step 1

The first step is to update C:Program Files (x86)K2 blackpearlHost ServerBinK2HostServer.exe.config with the appropriate claim mappings and Issuers.

  • Run the attached Get-ClaimTypeMapping.ps1 PowerShell script in a SharePoint 2013 Management Shell on a SharePoint.  This script will render the claims xml needed to add to K2HostServer.exe.config

    Syntax: .Get-ClaimTypeMappings.ps1 -WebAppUrl https://FQDN -WindowsK2SecurityLabel K2 -OutputFilename ClaimTypeMappings.xml
  • Open the output file and copy the contents into K2HostServer.exe.config just above the closing configuration tag.

Step-2

The next step is to update the K2 Database

  • Posts suggesting this can be fixed by creating a new Claim Issuer entry using K2 Designer are only partially correct. There are everal entries needed across 4 different tables and the method described is only one piece of the puzzle. The least error-prone way to update the configuration is to use the following SQL script.
    **This script is also attached below.
USE K2

-- Set ThumbPrint equal to the resulting value from the following SharePoint PowerShell Command
-- (Get-SPServiceApplication -Name SecurityTokenServiceApplication).SigningCertificateThumbprint 

DECLARE @issuerId INT, @ThumbPrint VARCHAR(50)
SET @ThumbPrint = '<INSERT_STS_THUMBPRINT_HERE>'


INSERT INTO [Identity].[ClaimIssuer] (Name,Description, Issuer, Thumbprint, Uri, UseForLogin)
    VALUES ('SharePoint Windows STS', 'SharePoint Windows Authentication', 'SharePoint', @ThumbPrint, null, 0)
    SET @issuerId = SCOPE_IDENTITY();


UPDATE [Identity].[ClaimTypeMapping] 
    SETIssuerID=@issuerId
    WHERE ID=2  


UPDATE[Identity].[ClaimTypeMap] 
    SET ClaimType = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname' 
    WHERE ID=3


INSERT INTO [Identity].[ClaimTypeMap] (ClaimTypeMappingID, ClaimMappingType, OriginalIssuer, ClaimType, ClaimValue)
    VALUES (2,'IdentityProviderClaim', 'SecurityTokenService', 'http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider', 'windows' 
 

 Once both steps are complete, restart the K2 service.

Reply


View our Community Site Map

Nintex Community Sitemap
Terms & ConditionsCookie settings