Symptoms
When using SQL Server SmartObject with IMPERSONATION instead of service account K2 gives "Login failed for user 'NT AUTHORITYANONYMOUS LOGON" error. This is an indication that Kerberos has to be configured, and configuration steps were performed on SQL Server but still there is the same error being logged. What is the current and correct way to configure Kerberos in K2? Information in K2 knowledgebase and community seems to be quite old.
Diagnoses
The fact that official K2 KB articles/documentation available on this topic is somewhat old can be explained by the fact that Kerberos is a mature infrastructure technology which has been around long enough to become stable and consequently there are no changes from version to version of K2 in the way it should be configured. Essentially Kerberos is a Windows/Microsoft technology that K2 utilizes to authenticate against Windows systems and as such the bulk of the information on its configuration and use can be found on Microsoft sites/resources. There isn?t actually any difference between how k2 services are configured to use Kerberos and any other Windows services. Please refer to the following official documentation from K2:
2) K2, Kerberos and Host (A) Records : An explanation of the importance of Host (A) and Kerberos
3) Security and Kerberos Authentication with K2 Servers Whitepaper (See below)
Document (3) from the list above is quite comprehensive and has only one drawback: it is lengthy and one have to read it not just skim.
Also there is some unofficial blog post "K2 blackpearl Kerberos Configuration" which you may find useful.
It is well written and touches on some potential pitfalls one may run into while configuring Kerberos for K2.
Additional note on Kerberos and SharePoint 2013: With SharePoint 2013 Kerberos is not required as much as it used to be. Inbound authentication to K2 is now all handled with claims based authentication, with a few cases (such as with the AAD application proxy) where regular Windows/Kerberos authentication is required. Most outbound authentication/authorization to systems such as SharePoint is now performed using methods such as OAuth which is separate and different to Kerberos. This means that in most cases, Kerberos is only really required in certain specific circumstances when K2 needs to authenticate against certain other back end systems which aren?t SharePoint 2013.
Resolution
In addition to documentation links mentioned above the following configuration settings have to be checked when it comes to Kerveros configuration (sample list/outline): SPNs for - K2 service account - K2 workspace account - SQL service account Delegation for: - K2 service account - K2 workspace account - K2 servers - SQL service account - SQL servers These constrained delegation settings have to be added (re-configured): - K2 service account. Trust services from: K2 service account K2 workspace account K2 servers SQL service account SQL servers - K2 workspace account. Trust services from: K2 service account K2 workspace account K2 servers SQL service account SQL servers - K2 servers. Trust services from: K2 servers
