Security Data Table error?

  • 15 November 2011
  • 7 replies
  • 35 views

Badge +2

I'm trying to get K2 blackpearl workspace working. I have installed and configured (without error) with service account. Logging on to Workspace with service account I try to go to Management > Expand WS:5555 node > Workflow Server > Server Rights and I get


Error!
Error: Could not load the grid: Failed to return Security Data Table: Unable to resolve address ServerName01 and port 5252. No such host is known.


I can see the server ServerName01, I can



  • log on to the server with the same service account (which is also an administrator)
  • see K2 blackpearl Server Service is running
  • see that for the service account, setspn -l shows both

    • K2Server/ServerName01.dc.ou.com:5252
    • K2Server/ServerName01:5252



Any suggestions on what to correct to resolve this error are appreciated.


Thank you.


7 replies

Badge +10

I saw a similar error on the underground which seemed that the user was not bringing up the workspace with the right account. In your case you said you logged on as the K2Service account which would automatically be given admin permissions in the K2 Workspace so maybe it's something with IE settings on the server.


When you open up the workspace in IE in the top right hand corner of the K2 Workspace it'll say "logged in as domainname\accountname." Does yours list the K2 Service account?


If not, maybe IE has restricted settings enabled. Try accessing the workspace from another machine using runas in IE to use the K2 Service account permissions.


http://www.k2underground.com/forums/p/9882/29390.aspx#29390

Badge +2

Thank you timkn for your response. I saw that post and made sure I had the right service account everywhere before posting.


The workspace does indeed show the correct information in the "Logged in as domain\serviceAccount".


I've tried accessing the workspace from one of the K2 Web Front End servers directly using the 'runas' option and logging in with the same service account (shows correctly Logged in as domain\serviceAccount). From the K2 Web Front End IE (8), I get a different error:


Error!
Error: Could not load the grid: Failed to return Security Data Table: 28014 Server not initialized


I've looked for this error that implies an SQL issue. I can log on to the SQL server with the service account, see the expected DBs and confirmed none are 'Read only'.


Any other suggestions are appreciated.

Badge +10

I would then ensure that the K2 Service is starting correctly. One of the easiest ways is while logged in as the K2 Service starting the K2 Service in console mode:



  • Shut down the K2 blackpearl service
  • Start the K2 Server in console mode. This will then show the K2 server starting up and note any errors or issues that occur.

Also look at the Windows Application event logs for errors.

Badge +2

Thank you timkn.


I have 8 K2 Host Servers and have stopped the service on all and started the console on all. I see no errors. I then go to one of 4 K2 WFE servers (logging on to server with service account which is admin) and log on to the workspace site (again with same service account) and I see in the K2 HostServer logs entries like the following which imply a Kerberos issue. I have worked with K2, our network and security teams to confirm our Kerberos settings look correct. Any other suggestions to check? My biggest confusion is where the "anonymous" is coming from. If I'm logged on to server *and* site with a specific ID/PW, what in K2 is trying to pass NT AUTHORITY\ANONYMOUS LOGON?


"9188671","2011-11-15 09:57:04","Error","Unknown","8060","ProcessPacketError","SourceCode.Hosting.Server.Services.TCPClientSocket.ProcessPacket","8060 ProcessPacket Error, 3014 A mismatch between the end user and the connection credentials has been detected. This may be intentional and will only require action if specific problems are currently being encountered. Refer to Kerberos and K2 Pass-Through Authentication settings (currently ClientKerberos) and documentation.","system","172.20.136.188","K2HostServerName01Of08:C:\Program Files (x86)\K2 blackpearl\Host Server\Bin","9188671","25a629b1453c459d85b69c37a88bc2d",""
"9188722","2011-11-15 09:57:05","Error","Unknown","8060","ProcessPacketError","SourceCode.Hosting.Server.Services.TCPClientSocket.ProcessPacket","8060 ProcessPacket Error, 3014 A mismatch between the end user and the connection credentials has been detected. This may be intentional and will only require action if specific problems are currently being encountered. Refer to Kerberos and K2 Pass-Through Authentication settings (currently ClientKerberos) and documentation.","system","172.20.136.188","K2HostServerName01Of08:C:\Program Files (x86)\K2 blackpearl\Host Server\Bin","9188722","ee13cf70e14d42aba100bb2b8c71bd4",""
"9188851","2011-11-15 09:57:15","Error","General","1","GeneralErrorMessage","URM SERVER [FindGroups [string userName, IDictionary<string, object> properties, string labelName, string extraData]]","1 The format of the specified domain name is invalid. Resolving User:NT AUTHORITY\ANONYMOUS LOGON|   at ADUM.K2UserManager2.GetUser(String Name)
   at ADUM.K2UserManager2.FindSecurityGroupsWithDefault(String User, String Name, String Description, String domainLDAP, String uOrgUnit)
   at ADUM.K2UserManager2.FindSecurityGroups(String User, IDictionary`2 properties)
   at SourceCode.Security.Providers.K2UMProvider.K2UMProvider.SourceCode.Hosting.Server.Interfaces.IRoleProvider.FindGroups(String userName, IDictionary`2 properties)
   at SourceCode.Security.UserRoleManager.Runtime.UserRoleManagerServer.FindGroups(String userName, IDictionary`2 properties, String labelName, String extraData)","anonymous","0.0.0.0","K2HostServerName01Of08:C:\Program Files (x86)\K2 blackpearl\Host Server\Bin","9188851","c0e49292ddc4030ab02acd4f9b4135d",""
"9188852","2011-11-15 09:57:15","Error","System","2025","InternalMarshalError","SourceCode.Hosting.Server.Runtime.HostServerBroker.InternalMarshal","2025 Error Marshalling SourceCode.Security.UserRoleManager.Runtime.UserRoleManagerServer.FindGroups, The format of the specified domain name is invalid. Resolving User:NT AUTHORITY\ANONYMOUS LOGON","system","172.20.136.188","K2HostServerName01Of08:C:\Program Files (x86)\K2 blackpearl\Host Server\Bin","9188852","c2a255525dac42d088143f8e1ea34e0",""
"9188853","2011-11-15 09:57:15","Error","System","2025","InternalMarshalError","SourceCode.Hosting.Server.Services.TCPClientSocket.InternalMarshal","2025 Error Marshalling SourceCode.Security.UserRoleManager.Runtime.UserRoleManagerServer.FindGroups, The format of the specified domain name is invalid. Resolving User:NT AUTHORITY\ANONYMOUS LOGON","system","172.20.136.188","K2HostServerName01Of08:C:\Program Files (x86)\K2 blackpearl\Host Server\Bin","9188853","319a7c0b326487faebe2c7341b79752",""
"9188854","2011-11-15 09:57:15","Error","Unknown","8060","ProcessPacketError","SourceCode.Hosting.Server.Services.TCPClientSocket.ProcessPacket","8060 ProcessPacket Error, The format of the specified domain name is invalid. Resolving User:NT AUTHORITY\ANONYMOUS LOGON","system","172.20.136.188","K2HostServerName01Of08:C:\Program Files (x86)\K2 blackpearl\Host Server\Bin","9188854","2c78be34052149208e564d587871b89",""
"9188985","2011-11-15 09:57:22","Error","General","1","GeneralErrorMessage","URM SERVER [FindGroups [string userName, IDictionary<string, object> properties, string labelName, string extraData]]","1 The format of the specified domain name is invalid. Resolving User:NT AUTHORITY\ANONYMOUS LOGON|   at ADUM.K2UserManager2.GetUser(String Name)
   at ADUM.K2UserManager2.FindSecurityGroupsWithDefault(String User, String Name, String Description, String domainLDAP, String uOrgUnit)
   at ADUM.K2UserManager2.FindSecurityGroups(String User, IDictionary`2 properties)
   at SourceCode.Security.Providers.K2UMProvider.K2UMProvider.SourceCode.Hosting.Server.Interfaces.IRoleProvider.FindGroups(String userName, IDictionary`2 properties)
   at SourceCode.Security.UserRoleManager.Runtime.UserRoleManagerServer.FindGroups(String userName, IDictionary`2 properties, String labelName, String extraData)","anonymous","0.0.0.0","K2HostServerName01Of08:C:\Program Files (x86)\K2 blackpearl\Host Server\Bin","9188985","5d55a5a8d8f46a08be4026bd8a8078d",""
"9188986","2011-11-15 09:57:22","Error","System","2025","InternalMarshalError","SourceCode.Hosting.Server.Runtime.HostServerBroker.InternalMarshal","2025 Error Marshalling SourceCode.Security.UserRoleManager.Runtime.UserRoleManagerServer.FindGroups, The format of the specified domain name is invalid. Resolving User:NT AUTHORITY\ANONYMOUS LOGON","system","172.20.136.188","K2HostServerName01Of08:C:\Program Files (x86)\K2 blackpearl\Host Server\Bin","9188986","590bfd75a27443d5be686f4d62a7530",""
"9188987","2011-11-15 09:57:22","Error","System","2025","InternalMarshalError","SourceCode.Hosting.Server.Services.TCPClientSocket.InternalMarshal","2025 Error Marshalling SourceCode.Security.UserRoleManager.Runtime.UserRoleManagerServer.FindGroups, The format of the specified domain name is invalid. Resolving User:NT AUTHORITY\ANONYMOUS LOGON","system","172.20.136.188","K2HostServerName01Of08:C:\Program Files (x86)\K2 blackpearl\Host Server\Bin","9188987","66f5ec821f343088cf2ece82e35fc8b",""
"9188988","2011-11-15 09:57:22","Error","Unknown","8060","ProcessPacketError","SourceCode.Hosting.Server.Services.TCPClientSocket.ProcessPacket","8060 ProcessPacket Error, The format of the specified domain name is invalid. Resolving User:NT AUTHORITY\ANONYMOUS LOGON","system","172.20.136.188","K2HostServerName01Of08:C:\Program Files (x86)\K2 blackpearl\Host Server\Bin","9188988","0760cfa6e2c54853bc046522dbd1305",""

Badge +10

This does indicate a Kerberos issue of some kind since there is a setting missing which is preventing the Kerberos delegation from occurring and therefore the correct credentials are not passed. This results in the NT Authority\Anonymous error that you're seeing.


However, this doesn't match up with what you experienced earlier when the K2 Workspace was showing you logged in as the K2 Service account. I would have expected that to show up as NT Authority\Anonymous if Kerberos wasn't working and it wasn't reverting to NTLM.


At this point I'd recommend submitting a ticket to K2 support so that they can look at the configuration and troubleshoot with you through a call.


Regards,


Tim
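
Added example, not part of the thread and not K2 code: a triage script for a host server log export like the one quoted above, pairing each 3014 credential-mismatch entry with the NT AUTHORITY\ANONYMOUS LOGON failures that follow from the same client address, which is the pattern attributed here to failed Kerberos delegation. The column positions are inferred from the quoted lines, the 30-second window and the function names are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Column positions inferred from the log lines quoted in the thread (assumption).
TIME, MESSAGE, CLIENT_IP = 1, 7, 9
ANON = r"NT AUTHORITY\ANONYMOUS LOGON"

# Constructed sample in the same CSV shape; hosts, IPs and ids are made up.
SAMPLE_LOG = r'''"1","2011-11-15 09:57:04","Error","Unknown","8060","ProcessPacketError","ProcessPacket","8060 ProcessPacket Error, 3014 A mismatch between the end user and the connection credentials has been detected.","system","192.0.2.10","K2HOST01","1","g1",""
"2","2011-11-15 09:57:15","Error","General","1","GeneralErrorMessage","URM SERVER [FindGroups]","1 The format of the specified domain name is invalid. Resolving User:NT AUTHORITY\ANONYMOUS LOGON|   at ADUM.K2UserManager2.GetUser(String Name)
   at ADUM.K2UserManager2.FindSecurityGroups(String User)","anonymous","0.0.0.0","K2HOST01","2","g2",""
"3","2011-11-15 09:57:15","Error","System","2025","InternalMarshalError","InternalMarshal","2025 Error Marshalling FindGroups, Resolving User:NT AUTHORITY\ANONYMOUS LOGON","system","192.0.2.10","K2HOST01","3","g3",""
"4","2011-11-15 09:57:15","Error","Unknown","8060","ProcessPacketError","ProcessPacket","8060 ProcessPacket Error, Resolving User:NT AUTHORITY\ANONYMOUS LOGON","system","192.0.2.10","K2HOST01","4","g4",""
"5","2011-11-15 10:05:00","Error","Unknown","8060","ProcessPacketError","ProcessPacket","8060 ProcessPacket Error, 3014 A mismatch between the end user and the connection credentials has been detected.","system","192.0.2.20","K2HOST02","5","g5",""
'''


def parse(text):
    """Yield (time, message, client_ip); csv keeps a multi-line stack trace in one field."""
    for row in csv.reader(io.StringIO(text, newline="")):
        if len(row) > CLIENT_IP:
            when = datetime.strptime(row[TIME], "%Y-%m-%d %H:%M:%S")
            yield when, row[MESSAGE], row[CLIENT_IP]


def triage(text, window=timedelta(seconds=30)):
    """Per client IP: 3014 mismatches and the anonymous-identity failures that follow."""
    last_mismatch = {}
    report = defaultdict(lambda: {"mismatch": 0, "anonymous_after": 0})
    for when, message, ip in parse(text):
        # Rows logged with 0.0.0.0 carry no caller address, so only rows naming
        # the same client as an earlier mismatch are counted against it.
        if " 3014 " in message:
            last_mismatch[ip] = when
            report[ip]["mismatch"] += 1
        elif ANON in message and ip in last_mismatch and when - last_mismatch[ip] <= window:
            report[ip]["anonymous_after"] += 1
    return dict(report)


def delegation_suspects(report):
    """Clients whose calls reached the host server without the end user's identity."""
    return sorted(ip for ip, c in report.items() if c["mismatch"] and c["anonymous_after"])


if __name__ == "__main__":
    print(delegation_suspects(triage(SAMPLE_LOG)))
```

A client that shows only the 3014 entry, with no anonymous failures after it, matches the log's own wording that the mismatch "may be intentional"; the clients returned by `delegation_suspects` are the front ends whose delegation settings are worth checking first.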

Badge +2

Thank you Tim! Got a ticket opened already and have been sharing multiple logs with K2. I was just trying as many options as I could find. ;)

Badge +6

Have you tried this?


On all K2 Servers, open K2HostServer.config file and search for DelegationContext. Change the value from ClientKerberos to ClientWindows. Save the file and restart the K2 Service.


http://help.k2.com/en/KB001226.aspx


An extract from the above KB…


In summary, this feature provides an additional option over and above Kerberos and removes a common pain point for installing and configuring K2, particularly in a distributed environment. Enterprise clients need not be concerned that it replaces or removes Kerberos functionality from K2; it just allows K2 to work when Kerberos is problematic and customers are not able to resolve Kerberos-related issues immediately.
