Bug when trying to deploy a workflow with VS 2005


Badge +8

Hi,


I followed the KB article #182 to add new security labels in order to be able to browse multiple AD domains (I kept "K2" as the default label). Then I gave export rights to users from the newly added labels/domains.


For a better understanding, here are my domains and the corresponding security labels:
- FIRSTDOMAIN, security label: K2 (default)
- MYDOMAIN, security label: K2MYDOMAIN

Unfortunately, when trying to deploy a process with users from MYDOMAIN, I get the following error:


User K2:MYDOMAIN\user does not have Export rights.


And of course it doesn't, as the security label shouldn't be K2. What I expect to see here is "K2MYDOMAIN:MYDOMAIN\user". But it appears that only the default label is put here.


I tried setting K2MYDOMAIN as the default label, then it worked... with this user, whereas it didn't work with the original admin, getting "User K2MYDOMAIN:FIRSTDOMAIN\admin does not have Export rights".


Is it already a known issue?


17 replies

Badge +7

I found out that there are lots of areas of functions that are able to be accessed in the Default Security Label. I cannot access the Workspace from the users in the Secondary Security Label. Anyway, in your case, you may try to change the default security label from the DB. In HostServer-->SecurityLabels, there is a column "DefaultLabel"; you may change the True from K2 to K2MyDomain.


A stupid way to do it. Tell us back your result please.

Badge +8
Yes, I mentioned that in my post... But then users from the original domain can't deploy anymore. I can't spend my time changing the default label depending on who is about to export a workflow definition.
Badge +7
I agree with you. I am also waiting for some K2 people to answer this, and wish there will be some fix for this issue.
Badge +10
I am investigating; let me get back to you all.
Badge +11

Known issue - Please re-evaluate when SP1 is available and let us know.


Thx,


Ockert

Badge +5

When I upgrade to SP1 and use the old process to "Update Design Templates"


Then deploy but can export about exception "User ... does not have Export rights"


tks

Badge +5

Hi,


Are you deploying in a multiple domain environment? If this is the case you will have to set up only one security label for all your domains. KB article 182 will be modified as soon as possible to contain this information. Here is a previous post on this. Please review and adjust your security labels according to it:


Unfortunately, there can be only one label for an ADProvider at the moment. Therefore, if you have sub domains or domains in a different forest you will have to add those domains to the same security label by modifying the AuthInit and RoleInit fields in the securitylabels table as follows :


• The AuthInit should be modified to contain both Domain NetBIOS names. E.g.

    <AuthInit>
    <Domain> PARENTDOMAIN </Domain><Domain> CHILDDOMAIN1</Domain>
    </AuthInit>

• The RoleInit is a little trickier. You need to do the following:

  - First you will have to set the “MultiDomain” property to “True” – Very Important
  - Secondly you will have to edit the DataSources property (which you’ll see have to be escaped) by following my example below:

    DataSources=
    &lt;DataSources&gt;
    &lt;DataSource Path="LDAP://DC= ParentDomain,DC=COM" NetBiosName=" PARENTDOMAIN "/&gt;
    &lt;DataSource Path="LDAP:// DC= ParentDomain ,DC= ChildDomain1,DC=com" NetBiosName=" CHILDDOMAIN1"/&gt;
    &lt;/DataSources&gt;



Here is an example script :


Use hostserver

Update securitylabels
Set authinit = '<AuthInit><Domain> PARENTDOMAIN </Domain><Domain> CHILDDOMAIN1</Domain></AuthInit>',
Roleinit =
'<roleprovider>
<init>ADCache=10;MultiDomain=True;IgnoreForeignPrincipals=False;IgnoreUserGroups=False;LDAPPath=LDAP://DC=DOMAIN1,DC=COM;ResolveNestedGroups=False;DataSources=
&lt;DataSources&gt;
&lt;DataSource Path="LDAP://DC= ParentDomain,DC=COM" NetBiosName=" PARENTDOMAIN "/&gt;
&lt;DataSource Path="LDAP:// DC= ParentDomain ,DC= ChildDomain1,DC=COM" NetBiosName=" CHILDDOMAIN1"/&gt;
&lt;/DataSources&gt;
</init>
<login /><implementation assembly="ADUM, Version=4.0.0.0, Culture=neutral, PublicKeyToken=16a2c5aaaa1b130d" type="ADUM.K2UserManager2" /><properties><user><property name="Name" type="System.String" /><property name="Description" type="System.String" /><property name="Email" type="System.String" /><property name="Manager" type="System.String" /><property name="SipAccount" type="System.String" /><property name="ObjectSID" type="System.String" /></user><group><property name="Name" type="System.String" /><property name="Description" type="System.String" /></group></properties></roleprovider>'
where securitylabelname='LABELNAME'



Hope this helps.


Regards


Gert
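
A consistency check for the single-label setup described in the post above, as an added example that is not part of the original thread or K2's own tooling: it parses AuthInit and RoleInit values as they would be read from the securitylabels table and reports a missing MultiDomain=True or an AuthInit domain without a DataSource. The sample values are constructed, and the rule that AuthInit domains and DataSource NetBiosName values must match is an assumption drawn from the example in the post.

```python
import re
import xml.etree.ElementTree as ET

def parse_role_init(role_init_xml):
    """Return (init properties, {NetBiosName: LDAP path}) from a RoleInit value."""
    # ElementTree unescapes &lt; and &gt;, so the DataSources value arrives as raw XML.
    init = ET.fromstring(role_init_xml).findtext("init") or ""
    head, _, sources_xml = init.partition("DataSources=")
    props = dict(p.strip().split("=", 1) for p in head.split(";") if "=" in p)
    sources = {}
    if sources_xml.strip():
        for ds in ET.fromstring(sources_xml.strip()).iter("DataSource"):
            name = ds.get("NetBiosName", "").strip().upper()
            sources[name] = re.sub(r"\s+", "", ds.get("Path", ""))
    return props, sources

def check_label(auth_init_xml, role_init_xml):
    """Return a list of problems found in one label's AuthInit/RoleInit pair."""
    domains = [d.text.strip().upper()
               for d in ET.fromstring(auth_init_xml).iter("Domain") if d.text]
    props, sources = parse_role_init(role_init_xml)
    problems = []
    if len(domains) > 1 and props.get("MultiDomain", "").lower() != "true":
        problems.append("MultiDomain is not True")
    for d in domains:
        if d not in sources:
            problems.append(f"no DataSource for AuthInit domain {d}")
    for name in sources:  # assumed rule: every DataSource is also an AuthInit domain
        if name not in domains:
            problems.append(f"DataSource {name} is not listed in AuthInit")
    return problems

# Constructed sample values (placeholder domain names, not from a real server).
AUTH = "<AuthInit><Domain> PARENTDOMAIN </Domain><Domain> CHILDDOMAIN1</Domain></AuthInit>"
CHILD_DS = ('&lt;DataSource Path="LDAP://DC=ChildDomain1,DC=ParentDomain,DC=COM" '
            'NetBiosName="CHILDDOMAIN1"/&gt;')
ROLE_OK = ("<roleprovider><init>ADCache=10;MultiDomain=True;"
           "LDAPPath=LDAP://DC=ParentDomain,DC=COM;ResolveNestedGroups=False;"
           "DataSources=&lt;DataSources&gt;"
           '&lt;DataSource Path="LDAP://DC=ParentDomain,DC=COM" NetBiosName=" PARENTDOMAIN "/&gt;'
           + CHILD_DS + "&lt;/DataSources&gt;</init><login /></roleprovider>")
ROLE_BAD = ROLE_OK.replace("MultiDomain=True", "MultiDomain=False").replace(CHILD_DS, "")

if __name__ == "__main__":
    print("ok :", check_label(AUTH, ROLE_OK))
    print("bad:", check_label(AUTH, ROLE_BAD))
```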

Badge +5
I only upgrade in Virtual PC, not in a real environment
Badge +8

Thank you Gert,


Now, I get this error when trying to deploy a process with a user account in the newly added domain (it has deploy permission):


Error 10 Server was unable to process request. ---> Object reference not set to an instance of an object.

Badge +10
This is only when you try to deploy?  Are there any errors in the K2log? or Event Log?
Badge +8

Yes, only when trying to deploy with a user from the additional domain. Building the project succeeds. There is nothing in the logs (neither K2 nor Windows).


Edit: Hummm... Ok... I tried deploying a brand new (basic) process with this account and it worked. I suppose the problem comes from SharePoint Integration then. Probably a matter of SharePoint permissions.


Thank you all!

Badge +2

Hi Gert,


In your example above, two DataSource Paths are defined, one for ParentDomain and the other for ChildDomain1. Does the value of LDAPPath between <init> and </init> need to be changed accordingly to refer to ParentDomain, like LDAPPath=LDAP://DC=ParentDomain,DC=COM?


I have a scenario here, K2HostServer running in Domain1, all end users from Domain2. Right now, K2 designer can only show users in Domain1. In order to set destination rule for users in Domain2,  my questions:


1. is there a need to set 2-way trust between Domain1 and Domain2 (assuming they are in the same forest and not in parent-child relation)?


2. in the SQL update query below, should LDAPPath refer to DOMAIN1 or DOMAIN2?


Update securitylabels
Set authinit = '<AuthInit><Domain> DOMAIN1 </Domain><Domain> DOMAIN2</Domain></AuthInit>',
Roleinit =
'<roleprovider>
<init>ADCache=10;MultiDomain=True;IgnoreForeignPrincipals=False;IgnoreUserGroups=False;LDAPPath=LDAP://DC=DOMAIN1,DC=COM;(??? or LDAPPath=LDAP://DC=DOMAIN2,DC=COM;???)ResolveNestedGroups=False;DataSources=
&lt;DataSources&gt;
&lt;DataSource Path="LDAP://DC= Domain1,DC=COM" NetBiosName="DOMAIN1"/&gt;
&lt;DataSource Path="LDAP://DC= Domain2,DC=COM" NetBiosName="DOMAIN2"/&gt;
&lt;/DataSources&gt;
</init>
<login /><implementation assembly="ADUM, Version=4.0.0.0, Culture=neutral, PublicKeyToken=16a2c5aaaa1b130d" type="ADUM.K2UserManager2" /><properties><user><property name="Name" type="System.String" /><property name="Description" type="System.String" /><property name="Email" type="System.String" /><property name="Manager" type="System.String" /><property name="SipAccount" type="System.String" /><property name="ObjectSID" type="System.String" /></user><group><property name="Name" type="System.String" /><property name="Description" type="System.String" /></group></properties></roleprovider>'
where securitylabelname='K2'



Thanks


Frank

Badge +5

Hi Frank,


Trust relationships are automatically created between adjacent domains (parent and child domains) when a domain is created in Active Directory. Therefore there should already be a trust relationship between your two domains. Refer to MS article: Domains


As per my example, in the init node the parent domain's LDAP path should be inserted. In this case it would be DOMAIN1.


Please drop me a mail so that we can take this further.


Regards


Gert


 

Badge +5

Guys,


Just something to take note of...


Unfortunately we currently do not support connections to Domains with a specified UserName and Password. Therefore the account running K2Server should be able to query all domains that you add to the security label. This feature will be available in a future release. You can easily test if the service account has access to query a Domain by running the Microsoft ADSVW tool.


Regards


Gert

Badge

I am getting this same error when trying to publish a simple workflow. All it contains is a Start and Default Activity which is a mail event. It builds fine, but when trying to publish it fails. I am running BlackPearl SP1 in a stand-alone environment (except AD).


 

Badge +1

Can anyone guide me on how to fix this bug? I'm still having this bug.

Userlevel 2
Badge +9

Can you provide some more information please?  Did you configure multiple domains on a single K2 security label, or did you set up multiple security labels?  
